On July 2, 2026, the FBI seized hundreds of domains associated with NetNut, a residential proxy network run by Nasdaq-listed Alarum Technologies. Researchers and Google allege that at least part of NetNut’s exit-node pool overlapped with Popa, a residential-proxy botnet estimated by Google to have at least 2 million devices. Alarum disputes the allegations and, as of its July 3 disclosure, said that neither it nor NetNut had been formally contacted by the FBI or any other governmental or regulatory authority.
The buyer-relevant point is this: Google assessed with high confidence that several popular residential proxy brands were white-labeling NetNut’s network.1 Customers of those white-label brands may have been using NetNut capacity without realizing it.
That makes proxy sourcing a supply-chain issue. As we explain in our ethical web data benchmark, buyers should evaluate not only how they use scraped data but also whether the infrastructure used to collect it relies on informed consent, user value, clear opt-out, and controls to prevent abuse.
What was seized, and by whom
Visitors to NetNut on July 2 found a federal seizure banner on the company’s site.2 The banner carried the marks of both the FBI and the Internal Revenue Service’s Criminal Investigation division. IRS-CI’s presence is notable, as it may indicate that investigators are also examining the operation’s financial aspects, though no public charges have been announced.
The operation was coordinated with Google, Lumen, the Shadowserver Foundation, and other industry partners. Public reporting listed netnut.com, proxyjet.io, and divinetworks.com among the seized domains.
Google separately disabled accounts and services allegedly used for command-and-control, shared technical intelligence with platform providers, law enforcement, and research firms, and updated Play Protect to warn users and disable Android apps known to incorporate NetNut SDKs.
Alarum later disclosed that additional NetNut-associated domains had also been seized. The company said the disruption was affecting a portion of its services and, shortly afterward, temporarily paused traffic through the relevant network services while it investigated the incident.3
What researchers allege
In mid-June, several security research teams published overlapping findings, including Synthient4 Qurium Media Foundation, Spur, and Nokia Deepfield. The core allegation is that at least some NetNut exit traffic was linked to Popa, an Android proxyware SDK distributed through consumer applications, including IPTV apps, streaming utilities, and tools aimed at smart TV and Android streaming box owners.
Synthient examined more than twenty Popa publishers and reported that, in its sample set, none showed users a meaningful consent prompt explaining that installing the app would enroll their device as a proxy node.
Researchers have also tied Popa to the Vo1d botnet, which targets Android TV boxes. Google says it identified NetNut botnet plugin components associated with large-scale botnets such as Badbox 2.0.
Alarum has rejected the findings, telling KrebsOnSecurity that the Synthient and Qurium reports contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts”.5
NetNut has said it maintains notice and consent mechanisms, customer due diligence, KYC checks, misuse monitoring, and measures intended to detect and mitigate suspicious or unauthorized activity.
As of Alarum’s July 3 disclosure, the company said neither it nor NetNut had been formally contacted by the FBI or any other governmental or regulatory authority. The allegations above are based on independent research and have not been tested in court.
Why federal agencies took an interest
During a single week in June 2026, Google’s analysts observed 316 distinct threat clusters, including criminal and espionage groups, routing traffic through suspected NetNut exit nodes.
This follows from how residential proxies work. Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers, allowing attackers to mask malicious activity behind consumer IP addresses. A datacenter IP is easier to classify; a residential IP often is not. That asymmetry is the product, and it has value both to a retailer checking competitor pricing and to an intrusion team seeking to hide its origin.
The market has grown accordingly. Nokia Deepfield’s Craig Labovitz wrote that analysts estimate the residential proxy market has grown from a sub-$100 million industry five years ago to a $2 billion to $3 billion business today, driven largely by AI companies’ demand for residential IPs to crawl and harvest training data.
6
Alarum reported $11.7 million in first-quarter 2026 revenue, up 64% year over year, and said the growth was driven mainly by strong demand for proxy solutions and new-product sales.7 Labovitz has also warned that residential proxy infrastructure now rivals some of the world’s largest transit and content networks in aggregate upstream capacity.
The reseller exposure
This is the part most relevant to buyers. Google’s Threat Intelligence Group noted that NetNut operated a reseller program permitting white-labeling of its network and assessed with high confidence that many popular residential proxy brands were white-labeling NetNut’s botnet.
NetNut is also the second major residential proxy network disrupted this year, following Google’s January action against IPIDEA. Synthient founder Benjamin Brundage told KrebsOnSecurity that NetNut gained significant popularity after the IPIDEA takedown and that NetNut was extremely common among resellers, comparable to IPIDEA in terms of traffic, quality, size, and price per gigabyte.
Two consequences follow. First, if resellers migrated from IPIDEA to NetNut once, they may migrate again; the next upstream should not be assumed cleaner without proof of sourcing. Second, a reseller cannot fully answer questions about IP sourcing if it does not source the IPs itself. It buys access to a network and applies its own branding.
For a customer, this narrows the practical difference between “my provider was seized” and “my provider’s upstream was seized.” Both can cause the same outage, and both can route traffic to nodes whose owners may not have knowingly consented.
Alarum’s own disclosures show the scale of the risk: after additional seizures, it warned that prolonged disruption was likely to have a material adverse effect on operations, financial results, and its ability to provide certain services to customers.
The company then temporarily paused traffic through affected network services, saying service availability would be significantly reduced during that period. Downstream white-label customers inherited that risk without necessarily knowing whose network they had been using.
What to expect next
Law enforcement has now demonstrated willingness to pursue residential proxy infrastructure associated with a publicly traded company, not only anonymous botnet operators. IRS-CI’s involvement may signal scrutiny of financial flows, although no charges have been announced. Google’s Play Protect update also raises the cost of rebuilding a device pool by warning users and disabling apps known to incorporate NetNut SDKs.
For buyers, the durable lesson is not which brand to choose next. It is the provenance of a vendor’s IP addresses, arguably its most important property, that many vendors will not discuss unless asked directly.
Cite esta pesquisa
Escolha o formato adequado ao local onde você vai publicar. Colar a versão com link no seu CMS preserva o backlink.
@misc{karatas2026,
author = {Karatas, Gulbahar},
title = {{NetNut Takedown: What Buyers Need to Know}},
year = {2026},
month = jul,
howpublished = {\url{https://aimultiple.com/netnut-shutdown}},
note = {AIMultiple. Acessado em 9 Julho 2026}
}
Seja o primeiro a comentar
Seu endereço de e-mail não será publicado. Todos os campos são obrigatórios. Os comentários são deixados em seu idioma original.