Servizi
Contattaci

NetNut Takedown: What Buyers Need to Know

Gulbahar Karatas
Gulbahar Karatas
aggiornato il 9 lug. 2026

On July 2, 2026, the FBI seized hundreds of domains associated with NetNut, a residential proxy network run by Nasdaq-listed Alarum Technologies. Researchers and Google allege that at least part of NetNut’s exit-node pool overlapped with Popa, a residential-proxy botnet estimated by Google to have at least 2 million devices. Alarum disputes the allegations and, as of its July 3 disclosure, said that neither it nor NetNut had been formally contacted by the FBI or any other governmental or regulatory authority.

The buyer-relevant point is this: Google assessed with high confidence that several popular residential proxy brands were white-labeling NetNut’s network.1 Customers of those white-label brands may have been using NetNut capacity without realizing it.

That makes proxy sourcing a supply-chain issue. As we explain in our ethical web data benchmark, buyers should evaluate not only how they use scraped data but also whether the infrastructure used to collect it relies on informed consent, user value, clear opt-out, and controls to prevent abuse.

What was seized, and by whom

Visitors to NetNut on July 2 found a federal seizure banner on the company’s site.2 The banner carried the marks of both the FBI and the Internal Revenue Service’s Criminal Investigation division. IRS-CI’s presence is notable, as it may indicate that investigators are also examining the operation’s financial aspects, though no public charges have been announced.

The operation was coordinated with Google, Lumen, the Shadowserver Foundation, and other industry partners. Public reporting listed netnut.com, proxyjet.io, and divinetworks.com among the seized domains.

Google separately disabled accounts and services allegedly used for command-and-control, shared technical intelligence with platform providers, law enforcement, and research firms, and updated Play Protect to warn users and disable Android apps known to incorporate NetNut SDKs.

Alarum later disclosed that additional NetNut-associated domains had also been seized. The company said the disruption was affecting a portion of its services and, shortly afterward, temporarily paused traffic through the relevant network services while it investigated the incident.3

What researchers allege

In mid-June, several security research teams published overlapping findings, including Synthient4 Qurium Media Foundation, Spur, and Nokia Deepfield. The core allegation is that at least some NetNut exit traffic was linked to Popa, an Android proxyware SDK distributed through consumer applications, including IPTV apps, streaming utilities, and tools aimed at smart TV and Android streaming box owners.

Synthient examined more than twenty Popa publishers and reported that, in its sample set, none showed users a meaningful consent prompt explaining that installing the app would enroll their device as a proxy node.

Researchers have also tied Popa to the Vo1d botnet, which targets Android TV boxes. Google says it identified NetNut botnet plugin components associated with large-scale botnets such as Badbox 2.0.

Alarum has rejected the findings, telling KrebsOnSecurity that the Synthient and Qurium reports contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts”.5

NetNut has said it maintains notice and consent mechanisms, customer due diligence, KYC checks, misuse monitoring, and measures intended to detect and mitigate suspicious or unauthorized activity.

As of Alarum’s July 3 disclosure, the company said neither it nor NetNut had been formally contacted by the FBI or any other governmental or regulatory authority. The allegations above are based on independent research and have not been tested in court.

Why federal agencies took an interest

During a single week in June 2026, Google’s analysts observed 316 distinct threat clusters, including criminal and espionage groups, routing traffic through suspected NetNut exit nodes.

This follows from how residential proxies work. Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers, allowing attackers to mask malicious activity behind consumer IP addresses. A datacenter IP is easier to classify; a residential IP often is not. That asymmetry is the product, and it has value both to a retailer checking competitor pricing and to an intrusion team seeking to hide its origin.

The market has grown accordingly. Nokia Deepfield’s Craig Labovitz wrote that analysts estimate the residential proxy market has grown from a sub-$100 million industry five years ago to a $2 billion to $3 billion business today, driven largely by AI companies’ demand for residential IPs to crawl and harvest training data.
6

Alarum reported $11.7 million in first-quarter 2026 revenue, up 64% year over year, and said the growth was driven mainly by strong demand for proxy solutions and new-product sales.7 Labovitz has also warned that residential proxy infrastructure now rivals some of the world’s largest transit and content networks in aggregate upstream capacity.

Non perderti i nostri benchmark e approfondimenti basati sui dati. Il pulsante apre Google; selezionare AIMultiple conferma che desideri vedere AIMultiple più spesso nei risultati di ricerca di Google.
GoogleAggiungi come fonte preferita

The reseller exposure

This is the part most relevant to buyers. Google’s Threat Intelligence Group noted that NetNut operated a reseller program permitting white-labeling of its network and assessed with high confidence that many popular residential proxy brands were white-labeling NetNut’s botnet.

NetNut is also the second major residential proxy network disrupted this year, following Google’s January action against IPIDEA. Synthient founder Benjamin Brundage told KrebsOnSecurity that NetNut gained significant popularity after the IPIDEA takedown and that NetNut was extremely common among resellers, comparable to IPIDEA in terms of traffic, quality, size, and price per gigabyte.

Two consequences follow. First, if resellers migrated from IPIDEA to NetNut once, they may migrate again; the next upstream should not be assumed cleaner without proof of sourcing. Second, a reseller cannot fully answer questions about IP sourcing if it does not source the IPs itself. It buys access to a network and applies its own branding.

For a customer, this narrows the practical difference between “my provider was seized” and “my provider’s upstream was seized.” Both can cause the same outage, and both can route traffic to nodes whose owners may not have knowingly consented.

Alarum’s own disclosures show the scale of the risk: after additional seizures, it warned that prolonged disruption was likely to have a material adverse effect on operations, financial results, and its ability to provide certain services to customers.

The company then temporarily paused traffic through affected network services, saying service availability would be significantly reduced during that period. Downstream white-label customers inherited that risk without necessarily knowing whose network they had been using.

What to expect next

Law enforcement has now demonstrated willingness to pursue residential proxy infrastructure associated with a publicly traded company, not only anonymous botnet operators. IRS-CI’s involvement may signal scrutiny of financial flows, although no charges have been announced. Google’s Play Protect update also raises the cost of rebuilding a device pool by warning users and disabling apps known to incorporate NetNut SDKs.

For buyers, the durable lesson is not which brand to choose next. It is the provenance of a vendor’s IP addresses, arguably its most important property, that many vendors will not discuss unless asked directly.

Cita questa ricerca

Scegli il formato adatto a dove pubblicherai. Incollare la versione con link nel tuo CMS preserva il backlink.

Gulbahar Karatas (2026) - "NetNut Takedown: What Buyers Need to Know". Pubblicato online su AIMultiple.com. Consultato il 9 Luglio 2026, da: https://aimultiple.com/netnut-shutdown [Risorsa online]

Karatas, G. (2026, 9 Luglio). NetNut Takedown: What Buyers Need to Know. AIMultiple. https://aimultiple.com/netnut-shutdown

@misc{karatas2026,
  author = {Karatas, Gulbahar},
  title  = {{NetNut Takedown: What Buyers Need to Know}},
  year   = {2026},
  month  = jul,
  howpublished    = {\url{https://aimultiple.com/netnut-shutdown}},
  note   = {AIMultiple. Consultato il 9 Luglio 2026}
}
Gulbahar Karatas
Gulbahar Karatas
Analista di settore
Gülbahar è un analista di settore di AIMultiple specializzato nella raccolta di dati web, nelle applicazioni dei dati web e nella sicurezza delle applicazioni.
Visualizza il profilo completo

Sii il primo a commentare

Il tuo indirizzo email non verrà pubblicato. Tutti i campi sono obbligatori. I commenti vengono lasciati nella loro lingua originale.

0/450