In early July 2026, Google Threat Intelligence Group disclosed a coordinated operation with the FBI, Lumen, and other agencies targeting the NetNut residential proxy network, referred to by Google as Popa. Google claimed the network encompassed at least 2 million home devices, and during a single week in June 2026 observed 316 threat clusters using suspected NetNut exit nodes. Alarum/NetNut subsequently announced that the FBI had seized certain NetNut-related domains.
At first glance, this looks like a routine cybersecurity operation: residential proxies, malicious SDKs, C2 infrastructure, Google Play Protect, law enforcement domain seizures. But if you browse NetNut’s own product catalog, you see a face much closer to the AI industry. Its scrapers catalog lists ChatGPT Scraper, Perplexity Scraper, Google AI Mode Scraper, Gemini Scraper, and Copilot Scraper on the same shelf.
That makes the question interesting: why does something that looks like an SEO/GEO data service appear in the same news chain as the FBI, Google, residential proxy networks, and malicious traffic infrastructure? The answer is that AI search has given birth to its own rank-tracking market, and the underlying demand is not merely about whether a brand gets mentioned. It is also about who can gain stable access to the real model entry points: ChatGPT, Perplexity, Google AI Mode, and the like.
For over a decade, the metric that mattered most to brands and SEO teams was where their website ranked in Google search results. Today, the logic of competitive positioning has shifted. Decision-makers now need to answer an entirely new set of questions: when a prospective customer asks ChatGPT what the best project management software is, does the model mention our brand? When Perplexity produces a side-by-side comparison, does it cite our white paper or a competitor’s blog post? When Google AI Mode bundles generative answers, local business cards, and shopping recommendations together, does our page still appear in the user’s decision path?
This is the real backdrop against which AI answer scraping has emerged. This category is not an ordinary web crawler with a fashionable new name, nor is it simply using a large language model to read HTML. After internet traffic entry points migrated from traditional blue-link SERPs to generative answers, the market was forced to fill an observability gap by building its own instrumentation infrastructure. In other words, the essence of AI answer scraping is not scraping web pages; it is auditing machine-generated answers. Looking one layer deeper, what it sells is not just SEO data, but stable access to real model traffic.
Conventional crawlers aim to pull existing static web pages from the internet back to local storage. Answer scraping, by contrast, reproduces the exact interface an AI engine renders to a real user at a specific moment, on a specific device, in a specific geographic location, and even under a specific account state. Specialized service providers such as cloro.dev are already selling real AI Mode UI responses, specifically extracting the sources, citations, place cards, and shopping cards embedded within them. This is because the high-value data that AI search provides often exists only in the final rendered user interface (UI). The official programmatic APIs not only carry a different cost structure, but their output also frequently exhibits behavioral differences from the interface an ordinary user sees.
This gap has turned answer observability from a purely technical engineering task into a new form of market measurement. The metrics by which brands gauge their own visibility are being reconfigured: from traditional search rankings, impressions, and click-through rates to mention probability, citation presence, recommendation tone, and Share of Voice within competitive framing.
If we pull the lens back, it becomes clear that this new method of observation did not appear out of nowhere. There is a coherent evolutionary path in both technology and demand behind it. Each generation emerged to solve the technical bottlenecks of the observability interface of its time:
First generation: Traditional Web Scraping. From the 2000s through roughly 2015, businesses needed to turn scattered information on the internet into structured data. This generation solved the cost of manually copying web pages, and its dominant form was the HTML parser and crawler framework. As more web pages adopted JavaScript dynamic rendering, login walls, and anti-crawling defenses, static parsing alone quickly became inadequate. Today, tools like Firecrawl have packaged this layer into Markdown output interfaces purpose-built for large language models or retrieval-augmented generation (RAG) workflows.
Second generation: SERP Scraping / SEO Data API. As search engines became the absolute traffic gateway, businesses urgently needed to monitor their own rankings on Google. Since search engines rarely offer a complete official SERP API, service providers like SerpApi and DataForSEO emerged. They reverse-engineer the highly dynamic, personalized Google search results page, including organic results, ads, maps, shopping cards, People Also Ask modules, and other functional widgets, and convert it into stable JSON data, forming the underlying foundation for all SEO rank-tracking tools and sentiment-analysis products.
Third generation: Anti-bot / Proxy / Browser Automation. As website defense strategies escalated, the bottleneck shifted from how to parse to how to access. Between 2018 and 2025, residential proxy IPs, automated CAPTCHA solving, browser fingerprint simulation, and headless browser cluster management such as Browserbase evolved into an independent product layer. This layer does not promise to deliver specific business data directly; instead, it promises to maintain the success rate of automated access against heavily defended websites through technical countermeasures.
Fourth generation: AI Answer Scraping and GEO/LLM Visibility Analytics. During the inflection period from 2024 to 2026, the entry points fundamentally changed. The rollout of Google AI Overviews, the official nationwide launch of AI Mode in the US in May 2025, and OpenAI’s release of ChatGPT Search caused a leap in how users make decisions. Brands could no longer rely solely on traditional ranking reports to sense user attrition, which directly gave rise to a data acquisition layer targeting AI answer interfaces and the upper-layer GEO analytics dashboards.
The crux of this generation is that traditional single-point rank monitoring collapses in the face of the highly stateful and stochastic nature of AI-generated results. Traditional search engines provide webmasters with official native monitoring tools like Google Search Console (GSC), but large language model providers currently offer no equivalent. Businesses cannot directly see core metrics such as prompt frequency or impression volume. The market must rely on third-party measurement tools that fill this gap through simulation and sampling.
In today’s market, many products flying the flag of AI crawling or AI scraping are often lumped together. In reality, from bottom-layer data transport to top-layer strategic decision-making, this industry has already differentiated into four functional tiers:
Layer 1: Proxy & Web Access Infrastructure. This is the deepest hard-friction countermeasure layer. Representative service providers include Bright Data, Oxylabs, Infatica, and NetNut. They rely on massive residential IP pools and web unblocking technology to provide covert, highly resilient network channels for upstream automated activity. This cohort of traditional proxy providers is now rapidly moving up the stack, packaging ChatGPT scraping and Google AI Mode scraping directly as standardized services.
Layer 2: AI Answer Scraper & SERP API. This layer directly serves
developers by providing structured AI answer data. Beyond products like
DataForSEO AI
Overview, which adds an ai_overview field to
traditional SERP data, service providers focused on answer UI scraping,
such as cloro.dev, can
directly output citation links, follow-up prompts, recommendation cards,
and model metadata from the real interactive interfaces of ChatGPT,
Gemini, Perplexity, and Copilot.
Layer 3: GEO / AI Visibility Analytics. This layer does not target programmers; it targets brand, marketing, and SEO teams. Representative products include Profound, OtterlyAI, Peec AI, Gumshoe, and Goodie. They call scraping capabilities at the bottom layer, but what they present in the user interface is brand mention rate, citation weight, sentiment tendency, competitive comparison, and content improvement strategies across different AI platforms. Profound notably emphasizes that its data is collected from real consumer browsing experiences rather than official model APIs, using this to substantiate analytical fidelity.
Layer 4: Browser Automation & AI Web Data Layer. Represented by Browserbase and Firecrawl, this is the data supply base for AI agents and RAG systems. Its primary role is to enable AI to fluidly use any ordinary web page, or to translate ordinary web pages into Markdown with minimal friction for model comprehension. This layer does not provide answer analysis targeted at ChatGPT or Perplexity itself.
To present the flow of the entire technology stack more clearly, the industry structure can be simplified into a vertical architecture:
In this architecture, the bottom-layer infrastructure eliminates network countermeasure friction, while the top-layer analysis tools translate scraped raw text into actionable recommendations that brands can directly adopt.
When evaluating tools in practice, we need to disentangle three easily conflated concepts: AI extraction (using AI to extract data from web pages), AI web scraping (scraping web pages for AI to use as context), and AI answer scraping (treating an AI engine’s answer interface as the scraping target). Only the third belongs to the answer auditing domain discussed here.
The most market-ready demand for AI answer scraping is GEO: brands want to know whether ChatGPT, Perplexity, and Google AI Mode mention them, who gets cited, and whether the tone is favorable. This demand is real and sufficient to sustain a cohort of dashboard companies.
But the larger demand sits one layer beneath: real model traffic. That is, turning a consumer-facing model product into an input-output pipeline that can be continuously called, batch-sampled, logged, and rerouted around failures.
In compliant brand monitoring, this takes a mild form. Tools need to repeatedly sample a set of prompts across different regions, devices, and time points to understand a brand’s stable position within AI answers. In model distillation and capability extraction scenarios, it takes an aggressively adversarial form: operators need to launch millions or even tens of millions of interactions against frontier models in a short window and organize the outputs into trainable data.
Anthropic’s distillation attack report, published in February 2026, describes this layer of infrastructure in concrete detail. It says that three labs, DeepSeek, Moonshot, and MiniMax, used approximately 24,000 fraudulent accounts to generate over 16 million interactions with Claude. Anthropic further stated that these activities used fraudulent accounts and proxy services to access Claude at scale while evading detection. The most critical word in the report is not token but hydra cluster: a set of continuously rotating fraudulent accounts that distribute traffic across Anthropic’s API and third-party cloud platforms. Anthropic said that one proxy network simultaneously managed over 20,000 fraudulent accounts, blending distillation traffic with other customer requests to increase detection difficulty.
This reframes the question from someone spent extra tokens asking lots of questions to someone is building model access infrastructure. Accounts, proxies, sessions, geographic locations, API paths, third-party cloud platforms, traffic blending, and post-ban replacement mechanisms together form the supply chain of model access.
The Alibaba-related controversy reported by Reuters in June is a larger-scale version of the same issue. According to an Anthropic letter seen by Reuters, Anthropic alleged that operators associated with Alibaba and Alibaba Qwen generated over 28.8 million interactions with Claude between April 22 and June 5, 2026, using nearly 25,000 fraudulent accounts. A necessary caveat: this is an allegation in an Anthropic letter, reported by Reuters. It is neither a court finding nor a third-party publicly disclosed technical review conclusion.
Even treating it only as an unverified but numerically clear case, it sufficiently illustrates why this market is suddenly expanding. If a frontier model’s capabilities can be extracted through tens of millions of real interactions, then the scarce resource is not just compute and tokens. What is scarce is who can reliably access real model entry points, and who can turn those entry points into orchestrated traffic.
This is precisely why the NetNut/FBI incident that opened this piece deserves to be placed here: it exposes that layer of infrastructure. We cannot say that NetNut was used in the cases Anthropic described, nor does any public material prove such a link. But the position occupied by products like NetNut, Bright Data, Oxylabs, and cloro is exactly the same layer: packaging an AI answer surface that would otherwise be difficult to access programmatically into interfaces that can be called at scale. Legitimate customers buy it for brand visibility monitoring; adversarial customers may buy similar capabilities for account evasion, batch sampling, or model extraction. Different use cases, similar underlying demand.
Model companies typically frame their commercial relationship in API terms: developers pay, the platform returns results per token. This framing holds in normal development scenarios, but it fails to explain why real model traffic has become a business in its own right.
The reason is that users actually engage with product entry points like ChatGPT, Claude, Perplexity, and Google AI Overviews, not bare models. These entry points have login states, regional differences, account risk controls, rate limits, frontend interfaces, and product terms of service. An API can return text, but it does not necessarily return the cards, citations, follow-up prompts, local results, and recommendation placements that an ordinary user sees in the interface.
This pushes the cost from tokens to entry points. What a brand monitoring tool needs to answer is: what would a real user see in a given region, on a given device, at a given point in time? Achieving that requires repeated sampling, cross-region sampling, and recording of surface, model version, citation sources, and answer variations. A single screenshot has no decision-making value; stable observation does.
In malicious distillation and account evasion scenarios, the entry-point cost becomes even more conspicuous. What the operator cares about is not just prompts but also account inventory, session state, proxy routing, browser fingerprints, failure retries, output archiving, deduplication, traffic blending, and post-ban replacement. The hydra cluster that Anthropic described is essentially the product of wiring these pieces into a self-healing access system.
This also explains why proxy providers and scraping companies are moving up the stack. NetNut lists ChatGPT, Perplexity, Google AI Mode, Gemini, and Copilot in its scrapers catalog. Bright Data documents support for structured prompt responses from ChatGPT, Perplexity, Gemini, and Google AI Mode. cloro emphasizes that it captures real AI Mode UI responses. What they sell is reliable access to model product entry points; IP addresses are only one layer of the material.
In this sense, AI answer scraping has already exceeded the scope of an SEO tool. It is the earliest visible form of a model access market. SEO/GEO is the legitimate, explainable, enterprise-friendly entry point; distillation attacks and account evasion expose the risk boundary of the same access layer. Both push toward the same conclusion: the model entry point has itself become an asset.
The bottom-layer capability of scraping a ChatGPT page will become increasingly commoditized. What will truly endure are two types of products that are harder to substitute.
The first is legitimate observability products. They will turn AI search into a trusted dashboard: public prompt design, disclosed regional and device methodology, repeated sampling, answer drift handling, and differentiation among mention, citation, recommendation, and competitor co-mention. A good GEO tool cannot just give an AI visibility score; it must tell the customer where that score comes from, why it changed, and which sources altered the model’s answers.
The second is platform defense products. AI labs need to identify hydra clusters, proxy resale, fraudulent accounts, multi-path access, model distillation prompt patterns, and anomalous output harvesting behavior. Security teams used to watch for credential stuffing and bot traffic; now they also have to watch for whether model capabilities are being systematically extracted through normal product entry points.
These two directions appear to be opposites, but they are driven by the same reality: model entry points have become assets. Brands need to observe them, attackers want to exploit them at scale, and platforms must control them. The Google/FBI action against NetNut shows that residential proxy and scraper infrastructure has grown large enough to enter law enforcement’s field of view. Anthropic’s distillation report shows that access to frontier models carries sufficient economic value for someone to build industrialized access pipelines.
Thus, AI answer scraping is not the destination. It is merely the earliest product form to surface in this larger market. The real market is the access, measurement, and defense of real model traffic. Whoever can turn model behavior into stable observable data, and whoever can prevent model behavior from being extracted at scale, is defining the new infrastructure of the AI search era.