NetNut Seized by the FBI: What Happened and What Now

By Nicholas St. Germain

On July 2, 2026, the FBI - working with IRS Criminal Investigation, Google, Lumen, and Shadowserver - seized hundreds of domains belonging to NetNut, the residential proxy service owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). NetNut's homepage now shows a seizure banner. Krebs on Security notes the .io domain initially stayed up.

I've run proxy infrastructure since 2017 and spent a good chunk of that time doing anti-abuse work on the side, so I want to walk through what actually happened here, what it means if you were a NetNut customer, and - honestly - whether we're a fit for you or not. We're a competitor, so read this with that in mind. I'll attribute every claim and let you check the sources.

What Happened

The action didn't come out of nowhere. On June 19, three security firms published research linking NetNut to what Google's Threat Intelligence Group tracks as the "Popa" botnet. Two weeks later, on July 2, Google published its own report and the FBI executed the domain seizures the same day.

The headline numbers, per Google's report:

  • At least 2 million consumer devices - mostly smart TVs and streaming boxes - running proxy SDK software made up the network.
  • In one week in June 2026, 316 distinct threat clusters used suspected NetNut exit nodes. A "threat cluster" is Google's unit for a group of related malicious activity it tracks. The activity included password spraying, credential stuffing, ad fraud, and data scraping.
  • Researchers examined more than 20 apps carrying the SDK and found that none showed a consent prompt - which contradicts NetNut's public claims of consensual bandwidth sharing.

Alarum disputes the characterization. Legal counsel Omer Weiss said the company "will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated." Alarum rejects the "botnet" label and denies wrongdoing. ALAR stock dropped sharply on the news.

One framing point: the 316-threat-cluster figure describes people abusing the network, not NetNut's customer base. Plenty of NetNut customers were ordinary businesses doing scraping, ad verification, and price monitoring. If that's you, you didn't do anything wrong. You just lost a supplier.

How the Popa Network Actually Worked

If you've never looked closely at where rotating residential IPs come from, this case is a decent education.

Rotating residential providers need millions of exit IPs, and there's no clean way to buy millions of home IP addresses. So the industry standard became the SDK model: pay app developers to embed a proxy SDK in their apps. Every device that installs the app becomes an exit node, and the developer gets a revenue share. It's cheap supply at enormous scale, which is exactly why the model won.

The whole arrangement rests on one claim: that device owners consented to sharing their bandwidth. That's the line every SDK-based provider uses, and it's the line the Popa research went after directly. Per Google's findings, researchers checked more than 20 apps carrying the SDK and found no consent prompt in any of them. Two million smart TVs and streaming boxes were routing strangers' traffic, and by the researchers' account, their owners had no idea.

From an operator's perspective, the abuse numbers follow naturally from the supply model. When your exits are unattributable consumer devices and your supply chain runs through third-party app developers, you have very limited visibility into what's flowing through the network - and abusers know it. That's how you end up with 316 threat clusters in a single week, per Google's report.

If You Were a NetNut Customer

Practical implications, in rough order of urgency:

Your endpoints and dashboard may move or vanish. Hundreds of domains are seized. The .io domain was still up as of Krebs's reporting, but building on a seized company's surviving domain is not a plan.

The pool is degraded, not dead. Google is careful to call this a "degradation," not a takedown - the usable device pool shrank by millions, but the company still exists and is cooperating with law enforcement rather than fleeing. History says these networks rebuild by reselling competitors' supply: researchers note IPIDEA did exactly that after its own takedown, and NetNut itself grew in IPIDEA's aftermath. Expect IP quality and pool size to be unstable for months either way.

Expect churn everywhere. A few million displaced devices' worth of demand is about to slosh across the remaining rotating-residential providers. Success rates and pricing across the category will wobble while that settles.

A Note for Resellers

A lot of proxy brands are white-labels on top of NetNut infrastructure, and per Proxyway's reporting, those resellers are now scrambling. If you resell proxies and your upstream can't tell you where its IPs come from, understand that you now carry that risk in front of your own customers. "We didn't know" did not protect NetNut's white-labels this month.

The Honest Fork: What to Buy Instead

Here's where I'm supposed to tell you we're the perfect replacement. We're not, for some of you, so let's be precise about which camp you're in.

If you genuinely need rotating residential - millions of IPs, per-request rotation, country and city targeting across the globe - we are not that product. That's the Bright Data and Oxylabs class of provider, and the honest advice is to evaluate the big incumbents on one axis above all: whether they can document where their IPs come from. After this month, "consensual bandwidth sharing" is a claim you should ask a vendor to prove, not a checkbox to skim past.

If your actual workload is static sessions, you were arguably buying the wrong product from NetNut all along, and this is a reasonable moment to fix that. A large slice of residential proxy usage - account management, logged-in scraping, e-commerce and social workflows, anything with a fixed geography - never needed rotation. Rotation actively hurts those workloads: an IP change mid-session is exactly what fraud detection looks for.

For that slice, static ISP proxies are the better product on three counts:

  1. The math. Rotating residential runs $5-15/GB. A workload that moves 500 GB a month costs $2,500-7,500 on per-GB billing. Twenty-five static ISP proxies at $2.50/IP is $62.50 a month, with unlimited bandwidth. The gap gets wider the more data you move.
  2. Session stability. Your IPs stay assigned to you for the life of the subscription. No sticky-session windows, no mid-job rotation, no fraud-detection triggers from a shifting exit.
  3. Sourcing you can audit. Which brings me to the part of this story I actually care about.

To be equally clear about the limits: we don't offer rotation, per-GB plans, IP whitelisting, or non-US geos. Our network is US-focused, with username/password auth over HTTP/HTTPS. If your workload needs 50 countries, we'll tell you to go elsewhere.

How We Source IPs, and Why It Matters Now

Stat Proxies leases entire IP blocks directly from their owners. We control the routing and announcements for every range we sell. No SDKs, no consumer devices, no "bandwidth sharing" apps anywhere in our supply chain. If a customer or a researcher wants to trace where one of our IPs comes from, the chain is documented and auditable end to end.

That's not a marketing posture we adopted this week. I've spent four years on the other side of this problem, recovering and shutting down an estimated 750,000 to 1,000,000 hijacked IPv4 addresses - address space stolen through forged records and malicious BGP announcements, often ending up in exactly the kind of gray-market proxy supply this case put on the front page. Cleanly sourced address space is more expensive and slower to acquire than SDK supply. It's also the reason the FBI has never needed to explain our supply chain for us.

The Popa case is what supply-chain risk looks like when it lands: your provider's domains seized on a Wednesday, your infrastructure story suddenly a federal matter, your reseller contracts worth whatever the .io domain is worth. The fix isn't to pick a luckier vendor. It's to pick one whose supply you can verify.

Where to Go From Here

If you're a displaced NetNut customer trying to figure out whether static ISP fits your workload, we wrote an honest fit check - including the cases where we'll tell you no - on our NetNut alternative page. If you already know you need static sessions, ISP proxy plans start at $2.50/IP/month with unlimited bandwidth, and provisioning is automated - you'll have working endpoints in about 30 seconds.

Sources: Krebs on Security, The Hacker News, Proxyway, Infosecurity Magazine, Alarum Technologies statement.