News

Is NetNut Seized? Inside the FBI + Google Takedown of the Popa Botnet

In early July 2026 the FBI, IRS-CI and Google disrupted NetNut, one of the largest residential proxy networks, and linked it to the ~2M-device Popa botnet. Here is the verified, sourced account and what proxy users should do now.

By ProxyRadar Editorial Team

Also in: Русский · বাংলা · Indonesia · Tiếng Việt

Status checked July 12, 2026: A joint FBI and IRS Criminal Investigation seizure notice appeared on netnut.com (and later alarum.io) after a coordinated action disclosed on July 2–3, 2026. Reporting indicates NetNut's primary commercial domain netnut.io remained reachable for a period afterward, so treat "NetNut is gone" as an overstatement and "NetNut has been disrupted and its parent is under law-enforcement pressure" as the accurate description.

NetNut — one of the world's largest commercial residential proxy networks — was hit by a coordinated law-enforcement and industry takedown in early July 2026. According to Google's Threat Intelligence Group (GTIG) and reporting by Krebs on Security, the operation combined a criminal seizure of infrastructure with technical disruption of the underlying botnet. This is a fast-moving story, so the sections below separate what is firmly sourced from what is still contested.

What happened

On and around July 2–3, 2026, Google's Threat Intelligence Group, working with the FBI, the US IRS Criminal Investigation division, Lumen (Black Lotus Labs) and the Shadowserver Foundation, executed a coordinated operation to disrupt NetNut, according to Google's Cloud Threat Intelligence blog and subsequent security reporting.

As part of the action, the FBI seized hundreds of domains connected to the operation. A joint FBI + IRS seizure notice was placed on netnut.com, and a similar notice later appeared on alarum.io. Notably, reporting from Krebs on Security indicated that NetNut's principal customer-facing domain, netnut.io, remained accessible for a time after the seizure notices went up — a detail worth flagging because it shows the disruption was not a clean, instantaneous shutdown of every asset.

This is best described as a coordinated seizure-and-disruption, not a simple outage. Unlike an infrastructure failure, it involved named agencies, a public seizure banner and a technical campaign against the botnet that fed the proxy network.

Who NetNut and Alarum are

NetNut is operated by Alarum Technologies Ltd., a publicly traded Israeli company listed on the Nasdaq under the ticker ALAR. Alarum marketed NetNut as an enterprise-grade residential and rotating proxy provider aimed at data collection, ad verification and brand-protection use cases.

The market reaction was severe. Per a July 8 update from Krebs on Security, Alarum's stock fell roughly 67% over the week, trading around $2.62 per share. A drop of that magnitude in a listed company is itself a strong signal that investors read the action as material rather than routine.

It is important to be precise here: a public seizure notice and a share-price collapse establish that Alarum's NetNut business was targeted and severely disrupted. They do not, on their own, prove the outcome of any future legal proceedings. Report the enforcement action as fact; treat questions of ultimate legal liability as unresolved.

The "Popa" botnet and how devices were infected

The core of the case is the link between NetNut and a botnet that Google and researchers refer to as "Popa." According to GTIG, Popa comprised an estimated ~2 million compromised devices — a mix of Android phones, smart TVs and streaming boxes.

The reported infection path is what makes this different from a legitimate, consent-based proxy pool. According to the reporting, devices were enrolled through trojanized apps, bundled SDKs and Badbox 2.0-style plugins — often without the device owner's knowledge or consent. In other words, the "residential" IP addresses that customers were buying access to frequently belonged to ordinary people whose hardware had been quietly conscripted.

That consent problem is the ethical and legal heart of the story. A proxy network that routes commercial traffic through unwitting victims' devices is categorically different from one built on paid, disclosed opt-in participation.

Scale and impact

Google gave a concrete measure of abuse. In a single week in June 2026, GTIG says it observed 316 distinct threat clusters using suspected NetNut exit nodes. The malicious activity attributed to those clusters spanned password spraying, credential stuffing, ad fraud and large-scale data scraping, with some activity consistent with espionage.

Combine that with the ~2 million-device pool and the picture is of a network whose "residential" legitimacy was, per Google's findings, deeply compromised — both in how the IPs were sourced and in what a large share of the traffic was doing.

Google and FBI mitigations

According to Google, its mitigations went beyond the domain seizures handled by law enforcement:

  • Disabled Google accounts and services that were being used for command-and-control.
  • Updated Google Play Protect to warn users about, and disable, apps found to contain NetNut-associated SDKs.
  • Shared technical intelligence with the FBI, IRS-CI, Lumen, Shadowserver and other partners to widen the disruption.

The FBI and IRS-CI side of the operation focused on the domain seizures and the public seizure notices. This division of labor — platform mitigations from Google, criminal-process seizures from the government — mirrors how modern proxy and botnet takedowns tend to be run.

What it means for proxy buyers

If you buy residential proxies, the NetNut action carries a few concrete lessons rather than panic.

First, "residential" is not a guarantee of consent. Google explicitly warned that the residential-proxy ecosystem is resilient because operators rebuild by reselling competitors' capacity, and stated that "many popular residential proxy brands are in fact whitelabeling the NetNut botnet." That is a general warning about the ecosystem — it is not an accusation against any specific named brand, and you should not treat it as one without a source that names that brand.

Second, due diligence on sourcing matters. Ask a provider how residential devices join the network, what users consent to, how they are compensated and how they opt out. A vendor that cannot answer clearly is a risk regardless of its marketing.

Third, if you were a NetNut customer, treat this as a reliability and compliance event: preserve invoices and correspondence, rotate any reused credentials and API keys, and do not assume that access which still works today is stable or advisable to keep using.

What to do now: legitimate alternatives

The constructive move is migrating to providers that can speak credibly to consent and sourcing. We are not recommending that anyone buy NetNut.

Disclosure: ProxyUniverse is a commercial partner of this publication. It aggregates residential, mobile and dedicated IPv4 products from multiple brands in one panel. A commercial mention is not proof of any provider's sourcing practices, and — importantly — Google's whitelabeling warning is a reason to verify sourcing for any residential vendor, including through a reseller. Test a small workload first, confirm protocols, geolocation, ASN accuracy and session behavior, and request evidence about how the underlying pool is built before committing budget.

If you run browser profiles alongside proxies, keep that layer separate while you migrate; the Dolphin Anty overview covers it. For broader selection criteria, see our cheap residential proxies guide. NetNut is also a network we track directly on our NetNut provider page and status page.

Connection to the IPIDEA takedown wave

The NetNut action does not stand alone. It builds on the January 2026 disruption of the IPIDEA residential-proxy network, a Google-led civil and technical operation that named a cluster of whitelabel brands. Google framed the ecosystem as resilient precisely because operators recycle each other's capacity, which is why a second major network was disrupted just months after the first.

We have covered the IPIDEA wave in detail, including the brands Google linked to that network:

Read together, the IPIDEA and NetNut actions describe a sustained 2026 campaign against botnet-fed residential proxy supply.

FAQ

Is NetNut down or seized?

The FBI and IRS-CI placed a seizure notice on netnut.com (and later alarum.io) in early July 2026, and the network was disrupted alongside the Popa botnet. However, reporting indicated the commercial domain netnut.io stayed reachable for a period, so "fully offline everywhere" is not accurate. The accurate statement is that NetNut was seized and disrupted and its parent came under law-enforcement pressure.

Who runs NetNut?

NetNut is operated by Alarum Technologies Ltd. (Nasdaq: ALAR), an Israeli publicly traded company whose stock fell roughly 67% in the week of the action, to about $2.62 per share per Krebs on Security.

What is the Popa botnet?

According to Google's Threat Intelligence Group, Popa was a botnet of an estimated ~2 million compromised devices — Android phones, smart TVs and streaming boxes — enrolled via trojanized apps, bundled SDKs and Badbox 2.0-style plugins, frequently without user consent, and used to supply NetNut exit nodes.

Did Google name specific safe or unsafe competitors?

Google issued a general warning that many residential proxy brands whitelabel the NetNut botnet, and that the ecosystem rebuilds by reselling capacity. It did not, in the material cited here, brand a specific named competitor as malicious, and neither do we.

What should NetNut customers do?

Treat it as a reliability and compliance event: preserve payment records, rotate reused credentials and API keys, do not rely on any access that still works, and evaluate legitimate alternatives with clear consent and sourcing practices.

Sources

Update log

  • July 2–3, 2026: Google/FBI/IRS-CI/Lumen/Shadowserver disclose the coordinated NetNut disruption; FBI+IRS seizure notice appears on netnut.com.
  • Week of July 2: Alarum (ALAR) stock falls ~67%, to about $2.62; seizure notice later appears on alarum.io; netnut.io reported still reachable for a time.
  • July 8: Krebs on Security update details the botnet ("Popa," ~2M devices) and the stock impact.

Related guides

NetNut Seized: FBI + Google Takedown of Popa Botnet | ProxyRadar