Skip to content
feed: live
>_ 0dayNews
threat intel
Analysis

Flare finds carders still hunting clean IPs post-NetNut

Flare's read of 2,889 underground posts finds carders scrambling for 'clean' residential IPs two weeks after the FBI's NetNut seizure disrupted supply.

Flare finds carders still hunting clean IPs post-NetNut
Photo: Andrés Ramírez / Wikimedia Commons · GFDL 1.2
kilobaud Dave "Kilobaud" Ferris · Published · 4 min read

Flare’s research team put out a report on Thursday, covered the same day by BleepingComputer, that reads the underground carding market the way an entomologist reads an anthill — through 2,889 posts and roughly 545 discussion threads across the last two years. The single-sentence finding is not surprising. Carders are still spending most of their time on the same question they were spending it on a decade ago: where do you get an IP address that a fraud-detection model won’t immediately flag.

Analysis, not incident reporting. What follows is a reading of an underground-forum study and its context, not a claim about a specific new intrusion.

The news hook

The Flare piece landed two weeks after the FBI seized hundreds of NetNut domains on July 2 and Google’s Threat Intelligence Group cut the linked Popa botnet’s usable pool by, as Google put it at the time, “millions” of relays. NetNut had been the household-name residential-proxy service for that side of the market — sold nominally for price-monitoring and ad-verification, used, per the government’s filings, for a great deal else. Popa was the compromised-device layer under it, roughly two million home routers and IoT boxes, according to Google’s figures.

Two weeks later, the underground is doing what the underground always does after a takedown, which is shopping. Flare’s read of the forum posts describes a market in the awkward middle: the old vendor is unavailable, the replacements are being audited in public by their prospective customers, and the guides being reposted most often carry titles like “Getting the Cleanest Possible IPs for Carding.” That is a normal state. It is also a reminder that the demand side of the residential-proxy market is not what the FBI seized; the demand side is a background condition of the internet economy.

What “clean” means in the guides

The technical checklist Flare pulls out of the posts is not a secret and it is not exploitation content — it is what any competent fraud-model builder already knows their adversary is doing. The underground writeups instruct buyers to match the proxy IP’s approximate location with the billing ZIP code, the device time zone, the operating-system language, and the browser configuration presented by an antidetect browser. In other words: buy the proxy, buy the fingerprint, buy the behavioral simulation, and try to make the combination sit inside the noise that a real user would generate.

None of that is a new attack class. It is what carding has been, in different tooling and different lingo, for as long as card-not-present fraud has been a category. What has changed over the last few years is the price and the packaging. Antidetect browsers are commodity software. Fingerprint bundles are sold as inventory. Residential proxy access was, until three weeks ago, a subscription product at a public URL from a Nasdaq-listed parent.

The FBI took the URL. It did not take the demand.

The gatekeeper problem, again

There is a story security writing has been telling for years about the “underground economy” as though it were a shadow of the legitimate one — same shape, opposite sign. The Flare data is the ordinary reminder that the shape is more particular than that. What the forums are debating in July 2026 is the same thing they were debating in July 2016: which supplier is trustworthy, which supplier is a plant, which residential range has already been burned by the fraud vendors. The gatekeepers of the proxy market are the operators who can convincingly claim their pool is fresh, and their credibility with buyers rises and falls on the same signals a legitimate B2B vendor’s would — uptime, responsive support, honest churn reporting on their IP pool. That is the small, awkward observation the takedowns rarely change: enforcement disrupts a specific operator, and the customer base migrates to the next operator who can pass audit.

The FBI action on NetNut was a large disruption of one particular operator with a specific dual-use posture. The Infoblox writeup on the “Lurking Lizard” 230-domain fake-7-Zip campaign a week later described a smaller, older operator running the same business model out of drop-catch domains. Flare’s post-mortem sits between the two: the customers of the first are audition-testing candidates who look a lot like the second. The same mistake, different decade — the mistake being that treating the residential proxy market as a series of individual companies to be prosecuted keeps missing the fact that it is a market, and markets route around the seizure of a single supplier.

What defenders should take from it

Two practical readings, both boring, both worth restating:

  • The IP reputation feed you were relying on to catch NetNut traffic is now the IP reputation feed that has to catch the successor. Whichever operator inherits the demand is going to spend the next few months trying not to be visible to the same industry blocklists. Assume your feed has a lag against the replacement. Compensate with the device-fingerprint and behavioral signals — the parts the underground guides say are hardest to fake at scale — rather than depending on the IP layer alone.
  • The billing-ZIP-to-IP-geo check the guides tell buyers to satisfy is also the check most retail fraud teams already run. That is why it is in the guides. If your fraud model is not weighting it, the underground is a few years ahead of you. If it is, you are approximately even. The escalation from here is on the fingerprint and behavior side, and there is a large body of published research on both — Ku Leuven’s work on extension-linkability from earlier this week is a recent example of the sort of signal defenders can be pulling from.

The Flare report is a snapshot of a normal week in an unhealthy market. It is worth reading not because it changes any specific defense but because it is a reminder that the market is patient, well-organized, and staffed. Enforcement is a punctuation mark in that market’s ongoing sentence, not an ending to it.

Sources

Found this useful? Share it.