NetNut Alternative After the FBI Seizure: The Proxy Supply That Can't Be Taken Down (2026)

Knowledge Base
Evgeny Fomenko

Key Takeaway: The FBI seized NetNut on July 2, 2026 because its “residential” supply was the Popa botnet of roughly two million infected consumer devices, the same consumer-SDK sourcing model Google dismantled at IPIDEA in January. Replacing it with another residential pool sourced the same way keeps the seizure risk and only changes the logo. The durable NetNut alternative is a different model: mobile proxies drawn from real, consenting devices, with every request logged and attributable, so there is no third-party botnet for a takedown to seize.

On July 2, 2026, the FBI took down one of the best-known residential proxy providers on the market. If you were routing traffic through NetNut, the useful lesson isn’t “find another residential network” — it’s understanding why this one was seizable in the first place, and choosing a replacement that structurally can’t be.

What happened to NetNut (July 2, 2026)

On July 2, 2026, the FBI — together with Google’s Threat Intelligence Group and IRS Criminal Investigation, with technical support from Lumen’s Black Lotus Labs and the Shadowserver Foundation — disrupted NetNut and seized hundreds of the domains behind it (KrebsOnSecurity , BleepingComputer , SecurityWeek ). NetNut was a residential proxy network, and the addresses it resold ran on the Popa botnet: roughly two million infected devices.

This was not a billing outage or a temporary DDoS. Google disabled the command-and-control accounts that operated the network and shipped a Google Play Protect update that disables apps carrying NetNut’s SDK on Android devices (Infosecurity Magazine ). The exit infrastructure customers were paying for was dismantled at the source, not throttled at a dashboard.

Why it was taken down

The two million devices in the Popa botnet were not servers in a data center. They were smart TVs, streaming boxes, and Android phones belonging to ordinary people, enrolled through software development kits (SDKs) bundled into apps with little or no meaningful consent from the device owners (The Hacker News , Malwarebytes ). The “residential IP” a NetNut customer rented was, in a large share of cases, the home internet connection of someone who never agreed to sell it.

Supply sourced that way attracts exactly the traffic you would expect. In a single week of June 2026, Google counted 316 distinct threat clusters routing through NetNut exit nodes, with password spraying, content scraping, ad fraud, and account takeover among the documented uses (SecurityWeek ). From a law-enforcement standpoint, a proxy pool assembled out of unwitting consumer devices is a botnet, and it gets treated as one.

What it means if you were a NetNut customer

Service was interrupted. Alarum Technologies (NASDAQ: ALAR), NetNut’s parent company, suspended traffic and warned in a public filing of a material adverse effect on its operations, its financial results, and its ability to serve customers; its shares fell on the news (Alarum press release , Calcalist ). No one has announced a permanent closure, but the service your workload depended on stopped, without notice.

So you need a replacement. The trap is treating this as a like-for-like shopping problem: pick the next residential network , swap the credentials, move on. The more important question is whether the replacement you choose has the same failure mode built into it.

Stranded by the NetNut takedown?
If your workload lost its proxy supply overnight, the fastest fix is a short conversation, not another signup form. Tell us what you were running on NetNut and we will scope a mobile replacement on a supply that can’t be seized. Email [email protected] now!
Talk to us on Telegram

This is a supply-chain failure, not bad luck

It is tempting to read the takedown as NetNut’s problem alone: one operator that cut corners and got caught. That reading is comforting and wrong. The vulnerability is in the model, not the brand.

When a proxy network sources “residential” IPs from consumer devices enrolled through embedded SDKs, its entire supply is other people’s hardware, aggregated at scale without the owners’ informed participation. That supply has two properties that matter to you as a buyer. It attracts abuse, which brings scrutiny. And it can be dismantled in a single coordinated action — domain seizures, C2 takedowns, and a platform-level app purge — precisely because there is a physical botnet to dismantle.

This has now happened twice in 2026. NetNut is the second large residential network to fall this year. On January 28, Google disrupted IPIDEA, one of the largest residential proxy operations in the world: 13 associated brands, including 360Proxy, 922Proxy, ABC Proxy, IP2World, LunaProxy, and PIA S5, running across an estimated nine million devices, with more than 550 threat groups observed using the network in a single week, all on the same consumer-SDK sourcing model (Google Cloud Threat Intelligence , The Hacker News ).

Timeline of two 2026 residential proxy takedowns: Google disrupting IPIDEA on January 28 and the FBI seizing NetNut on July 2, both sourced from consumer devices via SDKs.

Two takedowns, roughly six months apart, same root cause. If your next provider sources its addresses the same way — an SDK or “consent” network riding on devices it does not own — you have not removed the risk. You have re-bought it under a different logo, and the takedown clock is already running where you cannot see it.

What to actually look for in a replacement

The selection criteria that matter are the ones that survive an enforcement action, not the ones on a feature-comparison page. Five questions separate a durable supply from a deferred outage.

  1. Provenance. Where do the IPs physically come from, and who owns and operates the devices they run on? “Residential” describes the address, not the device or the consent behind it.
  2. Seizability. Could the whole supply be disrupted by one warrant, one C2 takedown, or one platform app-purge? If the answer is yes, uptime becomes a question of when, not if.
  3. Traceability. Is every request logged and attributable — which client, which port, at what time, to which destination? A provider that can answer that question precisely is one that does not need to vanish to protect itself. iProxy.online has written openly about why we keep logs and don’t pretend otherwise ; the logged fields are exactly the ones above.
  4. Detectability. How does the address present to the target — as one home-ISP line that can be blocklisted with no collateral damage, or as a high-trust mobile carrier IP that cannot?
  5. Legal durability. Is the model built to withstand scrutiny, or to stay one step ahead of it until it does not? Legal safety is a first-class design constraint for supply that is meant to last.

None of these is answered by the word “ethical” printed on a landing page. Every one of them is answered by the sourcing model underneath it.

Residential vs mobile proxies — why the model is the difference

Residential and mobile proxies are usually shelved side by side as the two “real-IP” alternatives to datacenter proxies. For the specific risk that just took down NetNut, they are not the same class of thing.

Where the IPs come from

A residential proxy routes through IP addresses assigned to consumer devices on home internet connections — and, in the networks that just fell, those devices were enrolled through SDKs their owners never knowingly agreed to. A mobile proxy through iProxy.online routes through a real Android phone with a real SIM card, operated with the full knowledge and consent of whoever controls it — your own device, or a dedicated fleet run under contract. The address comes from the mobile carrier’s own pool; the device is a known, consenting endpoint, not a stranger’s television quietly recruited by an app.

Diagram comparing two proxy supply models: a residential pool built from consumer devices enrolled via SDK that becomes a seizable botnet, versus a mobile supply of real consenting devices with nothing for a takedown to seize.

That single difference in provenance is the entire argument. Everything downstream — blocking resistance, traceability, seizure exposure — follows from who owns the hardware the traffic actually leaves from.

Why mobile is harder to block

A mobile carrier IP is not one household’s fixed line. It is a carrier-grade address drawn from a pool the operator rotates across its subscriber base, on an autonomous system (ASN) that anti-fraud systems recognize as a mobile carrier. Block that address or its range and you risk blocking the real subscribers who cycle onto it next. So detection systems treat mobile carrier ASNs as the highest-trust class of IP and are slow to ban them outright — the opposite of a datacenter address, which an ASN lookup flags on sight, or a single home-ISP line, which can be added to a blocklist with almost no collateral damage. It is the same practical property the whole industry is chasing, reached through provenance rather than pool size: an address a target site is reluctant to block.

Why this removes the seizure risk

Here is the part that changed on July 2. If your supply is real devices operated with consent, there is no botnet inside it — nothing assembled out of infected hardware for a coordinated takedown to seize, and nothing for Play Protect to disable. The failure that ended NetNut and IPIDEA requires a covert device network to exist in the first place. Take that out of the model and the failure goes with it. Your supply does not evaporate because someone dismantled a botnet it quietly depended on, because there is no such botnet to dismantle.

iProxy vs a typical residential alternative

Criterion Typical residential proxy iProxy (mobile)
Where IPs come from Consumer devices enrolled via SDKs or “consent” networks Real Android devices with real SIMs, operated with consent — your own or a managed fleet
Seizure exposure Whole pool can be disrupted if the botnet/SDK supply is taken down No third-party-device botnet to seize
Blocking resistance Home-ISP addresses, easier to fingerprint and blocklist at scale Mobile carrier IPs on high-trust carrier ASNs — costly to block without hitting real subscribers
Traceability Varies, often opaque Every request logged and attributable — client, port, time, destination
Migration Config change (host, port, credentials) Guided setup for your case — a different model, not a like-for-like swap

The comparison is not about who has more IPs or a better uptime figure, numbers we will not invent to win a table. It is about which model still exists after a bad week. A residential pool sourced from consumer-device SDKs sits one enforcement action away from the NetNut outcome. A mobile supply built on consenting, controllable devices has nothing for that action to seize.

Sizing a NetNut replacement for real volume?
Skip the self-serve funnel. Tell us your targets, geographies, and request volume, and we will map a dedicated mobile configuration to them, one built on real, consenting devices rather than a seizable pool. Start at [email protected] .
Message CEO

How to move off NetNut

Honesty first, because the alternative pitches landing in your inbox are quietly dishonest about it. Moving from one pure residential provider to another is a credentials swap: change the host, the port, and the username, and you are done. Moving to iProxy is not that, and pretending otherwise would be selling you the same risk with better copy.

Mobile is a different class of supply. You are not renting a slice of an opaque pool; you are running dedicated mobile endpoints on real devices. Setup is a short, deliberate process rather than a find-and-replace in a config file, and that is the point. You are changing your risk model, not your logo.

In practice it looks like this: a short conversation about your actual use case — volume, target geographies, and the platforms you work against, whether that is large-scale data collection or account operations — then we map a configuration to it and get you access. There is no self-serve funnel to squeeze an enterprise workload through, by design. If your traffic matters enough that an unannounced takedown is a real problem, it matters enough for a real setup.

The fastest way to scope the move is to tell us what you were running on NetNut. Email [email protected] or message CEO on Telegram , and we will size a replacement for your volume.

Ready to change your risk model, not just your logo?
Moving off NetNut is a short, guided setup rather than a credentials swap, because you are moving to a different class of supply. Send us what you were running and we will size the replacement. Email [email protected] today!
Scope your migration

Move to a supply you can’t lose

NetNut did not fail because it was careless. It failed because its supply was a botnet, and botnets get seized. The safest NetNut alternative is not a better-marketed version of the same model. It is a supply with nothing to seize: mobile proxies on real, consenting devices, with every request logged and attributable.

If that is the kind of durability your workload needs, let’s talk on your schedule rather than an enforcement agency’s. Email [email protected] or reach CEO on Telegram to discuss a supply that can’t be seized.

Frequently Asked Questions

Is NetNut shut down for good?
The FBI seized hundreds of NetNut domains on July 2, 2026, and its parent Alarum Technologies suspended traffic while warning of a material adverse effect on its business. No permanent closure has been officially announced, but customer service was interrupted without notice. If you ran production traffic through it, treat it as down and plan a move.
Is NetNut safe to keep using?
Its supply was tied to the Popa botnet of roughly two million infected devices, and Google shipped a Play Protect update to disable apps carrying its SDK. Beyond the reliability problem, that is not a supply you want your traffic associated with. The safer path is a replacement built on a different sourcing model, not another consumer-device network.
What is the safest NetNut alternative?
Not another residential pool sourced the same way, because it carries the same seizure risk. The durable option is a mobile-proxy model whose IPs come from real, consenting devices, so there is no third-party botnet to seize. To scope one for your workload, email [email protected] or message @iproxy_online_support on Telegram.
Was my traffic or data compromised in the NetNut seizure?
That question is for NetNut and Alarum, and you should ask them directly. What the incident shows is why a traceable provider matters: with clear logging of which client made which request, when, and to which destination, questions like this have answers. Opaque supply leaves you unable to prove anything either way.
Do I need to change my code to migrate to iProxy?
Not a literal host-and-port swap, because mobile is a different class of supply than a residential pool. In practice it is a short setup mapped to your use case rather than a find-and-replace in a config file. Tell us your volume and targets and we will scope the configuration with you.
Residential vs mobile proxy: what is the difference for me?
Residential proxies route through consumer home devices, often enrolled through SDKs; mobile proxies route through real phones on carrier networks. The practical differences are provenance, blocking resistance, and supply risk. Mobile carrier IPs sit on high-trust carrier ASNs, and the supply is not a seizable botnet.
Why was NetNut taken down?
Its residential IPs ran on the Popa botnet: roughly two million smart TVs, streaming boxes, and Android devices enrolled via SDK with little or no consent. Hundreds of threat clusters used that pool for abuse such as password spraying and ad fraud, which drew a coordinated FBI and Google action. The takedown seized domains, disabled command-and-control accounts, and disabled the SDK apps.
Can law enforcement seize my proxy provider and cut my service?
Yes, if the provider’s supply is a botnet of infected third-party devices, as the NetNut and IPIDEA takedowns showed in 2026. With a mobile model built on real, consenting devices there is no such botnet to seize, so that specific failure mode does not apply. That is the core reason to choose supply by its sourcing model rather than its marketing.