NetNut Seized by the FBI: What Happened and What Now
By Nicholas St. Germain —
On July 2, 2026, the FBI - working with IRS Criminal Investigation, Google, Lumen, and Shadowserver - seized hundreds of domains belonging to NetNut, the residential proxy service owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). NetNut's homepage now shows a seizure banner. Krebs on Security notes the .io domain initially stayed up.
I've run proxy infrastructure since 2017 and spent a good chunk of that time doing anti-abuse work on the side, so I want to walk through what actually happened here, what it means if you were a NetNut customer, and - honestly - whether we're a fit for you or not. We're a competitor, so read this with that in mind. I'll attribute every claim and let you check the sources.
What Happened
The action didn't come out of nowhere. On June 19, three security firms published research linking NetNut to what Google's Threat Intelligence Group tracks as the "Popa" botnet. Two weeks later, on July 2, Google published its own report and the FBI executed the domain seizures the same day.
The headline numbers, per Google's report:
- At least 2 million consumer devices - mostly smart TVs and streaming boxes - running proxy SDK software made up the network.
- In one week in June 2026, 316 distinct threat clusters used suspected NetNut exit nodes. A "threat cluster" is Google's unit for a group of related malicious activity it tracks. The activity included password spraying, credential stuffing, ad fraud, and data scraping.
- Researchers examined more than 20 apps carrying the SDK and found that none showed a consent prompt - which contradicts NetNut's public claims of consensual bandwidth sharing.
Alarum disputes the characterization. Legal counsel Omer Weiss said the company "will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated." Alarum rejects the "botnet" label and denies wrongdoing. ALAR stock dropped sharply on the news.
One framing point: the 316-threat-cluster figure describes people abusing the network, not NetNut's customer base. Plenty of NetNut customers were ordinary businesses doing scraping, ad verification, and price monitoring. If that's you, you didn't do anything wrong. You just lost a supplier.
How the Popa Network Actually Worked
If you've never looked closely at where rotating residential IPs come from, this case is a decent education.
Rotating residential providers need millions of exit IPs, and there's no clean way to buy millions of home IP addresses. So the industry standard became the SDK model: pay app developers to embed a proxy SDK in their apps. Every device that installs the app becomes an exit node, and the developer gets a revenue share. It's cheap supply at enormous scale, which is exactly why the model won.
The whole arrangement rests on one claim: that device owners consented to sharing their bandwidth. That's the line every SDK-based provider uses, and it's the line the Popa research went after directly. Per Google's findings, researchers checked more than 20 apps carrying the SDK and found no consent prompt in any of them. Two million smart TVs and streaming boxes were routing strangers' traffic, and by the researchers' account, their owners had no idea.
From an operator's perspective, the abuse numbers follow naturally from the supply model. When your exits are unattributable consumer devices and your supply chain runs through third-party app developers, you have very limited visibility into what's flowing through the network - and abusers know it. That's how you end up with 316 threat clusters in a single week, per Google's report.
If You Were a NetNut Customer
Practical implications, in rough order of urgency:
Your endpoints and dashboard may move or vanish. Hundreds of domains are seized. The .io domain was still up as of Krebs's reporting, but building on a seized company's surviving domain is not a plan.
The pool is degraded, not dead. Google is careful to call this a "degradation," not a takedown - the usable device pool shrank by millions, but the company still exists and is cooperating with law enforcement rather than fleeing. History says these networks rebuild by reselling competitors' supply: researchers note IPIDEA did exactly that after its own takedown, and NetNut itself grew in IPIDEA's aftermath. Expect IP quality and pool size to be unstable for months either way.
Expect churn everywhere. A few million displaced devices' worth of demand is about to slosh across the remaining rotating-residential providers. Success rates and pricing across the category will wobble while that settles.
A Note for Resellers
A lot of proxy brands are white-labels on top of NetNut infrastructure, and per Proxyway's reporting, those resellers are now scrambling. If you resell proxies and your upstream can't tell you where its IPs come from, understand that you now carry that risk in front of your own customers. "We didn't know" did not protect NetNut's white-labels this month.
The Honest Fork: What to Buy Instead
Here's where I'm supposed to tell you we're the perfect replacement. We're not, for some of you, so let's be precise about which camp you're in.
If you genuinely need rotating residential - millions of IPs, per-request rotation, country and city targeting across the globe - we are not that product. That's the Bright Data and Oxylabs class of provider, and the honest advice is to evaluate the big incumbents on one axis above all: whether they can document where their IPs come from. After this month, "consensual bandwidth sharing" is a claim you should ask a vendor to prove, not a checkbox to skim past.
If your actual workload is static sessions, you were arguably buying the wrong product from NetNut all along, and this is a reasonable moment to fix that. A large slice of residential proxy usage - account management, logged-in scraping, e-commerce and social workflows, anything with a fixed geography - never needed rotation. Rotation actively hurts those workloads: an IP change mid-session is exactly what fraud detection looks for.
For that slice, static ISP proxies are the better product on three counts:
- The math. Rotating residential runs $5-15/GB. A workload that moves 500 GB a month costs