News

2026 Proxy Shutdowns: The Full Timeline & Takedown Tracker

A dated, sourced tracker of the 2026 residential-proxy crackdown — the January IPIDEA disruption, the July FBI + Google NetNut seizure, and 9Proxy's purchase pause — with a per-brand status table linking to every one of our reports.

By ProxyRadar Editorial Team

Also in: Русский · বাংলা · Indonesia · Tiếng Việt

Updated July 15, 2026. 2026 has been the worst year on record for residential-proxy supply. Two major networks — IPIDEA (disrupted by Google in January) and NetNut (seized by the FBI and Google in July) — were taken down within six months of each other, dragging a long list of whitelabel and reseller brands offline with them, while 9Proxy separately paused new purchases. This page is our living hub-and-spoke tracker: a dated timeline, a per-brand status table, and a link to every dedicated report we have published. Every factual claim below is attributed to a named source.

Krebs on Security report headlined
Krebs on Security, July 2, 2026: the FBI + IRS-CI seizure banner that replaced NetNut's homepage, alongside Google, Lumen and Shadowserver logos.

The two-wave pattern of 2026

The crackdown was not one event but two coordinated actions with the same logic. Google's Threat Intelligence Group (GTIG) has repeatedly explained why the residential-proxy ecosystem is so resilient: operators rebuild by reselling and whitelabeling each other's capacity, so disrupting one network does not remove the underlying supply — it just reshuffles which brand sells it. That is exactly why a second major network fell only months after the first.

  • Wave one — January 2026, IPIDEA. A Google-led civil and technical operation disrupted the IPIDEA residential-proxy network and named a cluster of associated whitelabel brands.
  • Wave two — July 2026, NetNut. A coordinated FBI, IRS-CI and Google action seized NetNut's infrastructure and disrupted the botnet feeding it.
  • Separate event — July 2026, 9Proxy. 9Proxy paused new purchases after an outage. We treat this as an unconfirmed access/purchase disruption, not a seizure, and keep it clearly distinct from the two takedowns.

The 2026 proxy takedown timeline

January 2026 — Google disrupts the IPIDEA network

Google's Threat Intelligence Group announced a disruption of the IPIDEA residential-proxy network, a civil and technical operation that named a group of whitelabel and reseller brands built on the same upstream supply. In the weeks that followed, a cluster of IPIDEA-ecosystem brands went dark, became unstable, or quietly changed behavior.

Google Threat Intelligence Group blog announcing the continued disruption of malicious residential proxy networks
Google's GTIG framed the campaign as ongoing: disrupting one network is not enough because operators recycle each other's capacity.

The IPIDEA-linked brands we investigated individually, each with its own verified status report:

June 28, 2026 — 9Proxy outage begins

Separately from the botnet takedowns, 9Proxy suffered a widespread outage starting around June 28: website, desktop app and proxy sessions failed together. This is a reliability event with an unconfirmed cause, not a law-enforcement action — see the distinction in our 9Proxy status report.

July 2–3, 2026 — FBI + Google seize NetNut

According to Google's Cloud Threat Intelligence blog and reporting by Krebs on Security, Google's GTIG, the FBI, the IRS Criminal Investigation division, Lumen (Black Lotus Labs) and the Shadowserver Foundation executed a coordinated operation against NetNut. The FBI seized hundreds of domains, and a joint FBI + IRS seizure notice was placed on netnut.com (later alarum.io).

Google Threat Intelligence Group blog
Google's July 3 GTIG post ties NetNut to the ~2M-device Popa botnet and warns that many residential proxy brands whitelabel it.

NetNut is operated by Alarum Technologies Ltd. (Nasdaq: ALAR); per Krebs, Alarum's stock fell roughly 67% in the week of the action. Google linked NetNut to the "Popa" botnet — an estimated ~2 million compromised devices (Android phones, smart TVs, streaming boxes) enrolled via trojanized apps and SDKs, often without consent. Crucially, GTIG warned that "many popular residential proxy brands are in fact whitelabeling the NetNut botnet," a general ecosystem warning rather than an accusation against any specific named brand. Full account: Is NetNut seized?

July 10–15, 2026 — 9Proxy site back, purchases still paused

9Proxy's public site returned and reads operational on our monitor, but its pricing page still shows a "New Purchases Are Temporarily Paused" banner. We continue to describe this as an unconfirmed outage with sales paused — not a seizure.

9Proxy pricing page still showing the
9Proxy sits in the same nervous market as the takedowns, which is why 'was 9proxy seized' trends — but the evidence shows a purchase pause, not a takedown.

Per-brand status table

Each row links to our dedicated, sourced report. Statuses are as reported and attributed; treat vendor-level details as claims where noted.

Brand Wave / event Reported date Our report
PIA S5 Proxy IPIDEA-linked disruption Jan 2026 Report
922 S5 Proxy IPIDEA-linked disruption Jan 2026 Report
ABCProxy IPIDEA-linked disruption Jan 2026 Report
Cherry Proxy IPIDEA-linked disruption Jan 2026 Report
Luna Proxy IPIDEA-linked disruption Jan 2026 Report
IP2World IPIDEA-linked disruption Jan 2026 Report
PYProxy IPIDEA-linked disruption Jan 2026 Report
360Proxy IPIDEA-linked disruption Jan 2026 Report
Tab Proxy IPIDEA-linked disruption Jan 2026 Report
NetNut FBI + Google seizure (Popa botnet) Jul 2–3, 2026 Report
9Proxy Outage + purchase pause (unconfirmed, not a seizure) Jun–Jul 2026 Report

What this means for buyers

The lesson of 2026 is not "proxies are dead" — it is that "residential" is not a guarantee of consent or stability. Two patterns stand out.

First, supply is shared. Because networks whitelabel and resell each other, a brand you have never heard of can be routing through the same upstream that just got seized. When one network falls, correlated brands wobble together — which is why our timeline reads like a chain reaction rather than isolated failures.

Second, botnet-fed supply carries legal and ethical risk. The NetNut case turned on the "Popa" botnet — devices conscripted without their owners' consent. Routing your commercial traffic through unwitting victims' hardware is categorically different from using a paid, disclosed, opt-in pool.

  • Ask how the residential pool is sourced. How do devices join? What do users consent to? How are they compensated, and how do they opt out? A vendor that cannot answer clearly is a risk regardless of marketing.
  • Prefer disclosed, opt-in supply over the cheapest per-GB rate from an opaque brand.
  • Verify live health, not just marketing. Check a provider's current status on our network status board before you commit budget.
  • Keep a funded fallback so a single takedown or outage never stops your operation. Diversify across networks.
  • Separate your browser-profile layer from your proxy layer during any migration; the Dolphin Anty overview covers that.

Alternatives after a takedown

Disclosure: ProxyUniverse is a commercial partner we promote; the link below is affiliate. A commercial mention is not proof of any provider's sourcing, and Google's whitelabel warning is a reason to verify sourcing for any residential vendor, including via a reseller.

If you were affected by any brand above, the constructive move is migrating to providers that can speak credibly to consent and sourcing, and keeping the ability to switch quickly. ProxyUniverse aggregates residential, mobile and pay-per-GB products from multiple networks in one dashboard, which is useful precisely because it lets you move off a failing network fast. Test a small workload first, confirm protocols, geolocation and ASN accuracy, and request sourcing evidence before scaling. For a full ranked list built for exactly this situation, see our 9Proxy alternatives guide and the cheap residential proxies guide.

FAQ

What happened to residential proxies in 2026?

Two major networks were disrupted: IPIDEA (Google, January) and NetNut (FBI + Google, July). Because brands whitelabel and resell each other's capacity, many associated brands went dark or unstable. 9Proxy separately paused new purchases after an outage.

Was 9Proxy seized or shut down?

No. There is no seizure notice or agency action tied to 9Proxy. It is an unconfirmed outage with new purchases paused — a different category from the NetNut seizure. See our 9Proxy report.

What is the Popa botnet?

According to Google's GTIG, Popa was a botnet of an estimated ~2 million compromised devices used to supply NetNut exit nodes, enrolled via trojanized apps and SDKs, frequently without user consent. Details: NetNut seizure report.

Which proxy brands were affected by the IPIDEA disruption?

The brands we investigated include PIA S5, 922, ABCProxy, Cherry Proxy, Luna Proxy, IP2World, PYProxy, 360Proxy and Tab Proxy — each has a dedicated report linked in the table above.

How do I avoid buying a compromised residential network?

Ask how the pool is sourced and consented, prefer disclosed opt-in supply, verify live health on our status board, and keep a diversified, funded fallback.

Sources

Update log

  • January 2026: Google discloses the IPIDEA residential-proxy disruption; associated brands go dark.
  • June 28, 2026: 9Proxy outage begins (separate, unconfirmed cause).
  • July 2–3, 2026: FBI + IRS-CI + Google seize NetNut; seizure notice on netnut.com.
  • July 8, 2026: Krebs details the Popa botnet (~2M devices) and Alarum's ~67% stock drop.
  • July 10–15, 2026: 9Proxy site back but purchases still paused.

Related guides

2026 Proxy Shutdowns: Full Timeline & Takedown Tracker | ProxyRadar