NetNut Seized by the FBI: What Happened and What It Means for Your Proxies

On July 2, 2026, the FBI and Google seized NetNut's domains over the Popa botnet — about 2 million hijacked smart TVs sold as residential IPs. What happened, what it means for NetNut customers, and how to vet your next provider.

On July 2, 2026, the FBI seized the domains of NetNut, one of the five largest residential proxy providers, in a joint action with Google. Investigators allege that a substantial share of the IP addresses NetNut sold as "residential" came from the Popa botnet — a network of roughly 2 million hijacked smart-TV devices whose owners never agreed to share their bandwidth. NetNut's dashboards and gateways went dark the same day, and its parent company Alarum (NASDAQ: ALAR) says it is cooperating with investigators. If you were a NetNut customer, your proxies stopped working with no migration window, your account data is now part of an active investigation, and your next provider deserves harder questions than your last one got.

What Happened to NetNut?

Here is the timeline as reported at the time of writing. Details are still emerging, so treat the specifics below as a snapshot of public reporting rather than a final account.

  • July 2, 2026: NetNut's public domains began displaying a federal seizure notice. Customer dashboards, documentation, and the proxy gateways themselves became unreachable within hours. There was no advance notice to customers — domain seizures never come with one.
  • The same day: Google confirmed its role in the operation, which targeted the infrastructure of the Popa botnet that allegedly fed NetNut's residential pool. Smart-TV devices are a Google concern for an obvious reason: a large share of the world's televisions run Android TV and Google TV.
  • The following days: Alarum, NetNut's publicly traded parent company, stated that it is cooperating with investigators. It has not announced a restoration timeline, and given that the allegation concerns the origin of the product itself, most observers do not expect a simple relaunch.

For the most detailed public reporting so far, see KrebsOnSecurity's investigation and BleepingComputer's coverage of the takedown.

What Is the Popa Botnet?

Popa is a botnet built from roughly 2 million smart-TV devices. According to the reporting, the devices were compromised through malicious applications and firmware-level implants, then quietly enrolled as exit nodes: their home internet connections were resold to proxy customers as "residential IPs" while the owners watched television, unaware their bandwidth was carrying someone else's traffic.

Smart TVs are close to ideal for this. They are always on or in standby, they sit behind genuine household IP addresses that anti-bot systems trust, they run no antivirus, and almost nobody audits what their TV is doing on the network. A hijacked TV can serve proxy traffic for years without anyone noticing.

The uncomfortable part for proxy buyers: in a provider's dashboard, a botnet-sourced IP and a consent-based IP look identical. Same country, same ISP name, same response time. The only place the difference exists is in how that device joined the pool — which is exactly the question most buyers never asked.

What This Means If You Were a NetNut Customer

Your service is gone, effective immediately

Seizures take infrastructure offline the moment they execute. Scrapers, SERP monitors, price trackers, and QA pipelines that pointed at NetNut's gateways started failing on July 2 with connection errors, not a deprecation notice. Your first priority is a working replacement; we compared the realistic options in Best NetNut Alternatives in 2026.

Your remaining balance is probably unrecoverable

Unused traffic and prepaid commitments are, for now, frozen along with everything else. If you paid by card recently, ask your bank about the chargeback window. If you are on an annual contract with meaningful money outstanding, that is a conversation for counsel, not for a support ticket that no one is answering.

Your account data is now evidence

Whatever NetNut held about you — registration details, payment records, usage logs, and potentially the targets your traffic touched — is presumably in investigators' hands as part of the case. Customers are not the target of the action, but if you operate in a regulated industry, your vendor just became part of a federal investigation, and your compliance team should hear it from you first.

Expect vendor-risk questions

Procurement and security teams will reasonably ask how this vendor was selected and what due diligence was done. The honest answer for most of the industry is "we compared prices and pool sizes." That answer is about to stop being acceptable — which is, on balance, a good thing.

How to Vet Any Proxy Provider Before You Buy

The lesson from NetNut is not "pick a bigger brand" — NetNut was a top-five brand. The lesson is that sourcing is the product, and you should evaluate it the way you would evaluate any other supply chain:

What to checkWhat good looks likeRed flag
IP sourcingA named, described consent flow: which apps or SDK partners supply bandwidth, and what peers get in return"Proprietary network" with no further detail
Consent evidenceOpt-in screenshots or documentation available on requestDeflection, or surprise at the question
Corporate identityA registered company, a named jurisdiction, functioning legal termsAnonymous operators and no reachable legal entity
Price sanityPricing that could plausibly compensate real peersBandwidth priced far below what acquiring it honestly costs
Abuse handlingA published acceptable-use policy that is visibly enforced"Anything goes" marketing

We wrote up the full question list — and how consent-based sourcing actually works mechanically — in Ethically Sourced Residential Proxies: Why Consent Matters After the Popa Botnet.

Where to Go From Here

If you need a replacement this week, start with the alternatives comparison — it covers five providers with July 2026 prices, including ours. If you have already decided on ProxyHat, the migration guide maps NetNut's endpoints, sticky sessions, and geo-targeting flags to their ProxyHat equivalents step by step.

In the interest of the same transparency we are asking the industry for: ProxyHat sells consent-based residential traffic starting at $10 for 1 GB (down to $3.60/GB at 500 GB), and purchased traffic never expires — see pricing. Whoever you pick, ask the sourcing questions first. After this week, no provider gets to act surprised by them.

Key takeaways:

  • The FBI and Google seized NetNut's domains on July 2, 2026, alleging its residential pool was fed by the Popa botnet — roughly 2 million hijacked smart TVs.
  • NetNut customers lost service with zero notice, likely lost remaining balances, and their account data is now part of an investigation.
  • Botnet IPs and consent-based IPs look identical in a dashboard; the difference only exists in sourcing, so sourcing is what you must vet.
  • Ask any provider where its IPs come from, what peers agreed to, and what they are paid — and treat non-answers as answers.

Frequently Asked Questions

Is it illegal to have been a NetNut customer?

No charges have been reported against NetNut customers, and using residential proxies is legal in most jurisdictions. The concern is different: traffic routed through devices whose owners never consented raises compliance and reputational questions, so regulated companies should document the incident and review it with counsel.

Will NetNut come back online?

Unknown. Its domains display a federal seizure notice, its gateways are unreachable, and parent company Alarum has not announced a restoration timeline. Even if service returns, most compliance teams will treat a seized vendor as failed due diligence.

Were all NetNut IPs sourced from the Popa botnet?

Public reporting focuses on the Popa botnet's roughly 2 million hijacked smart-TV devices as a major source of NetNut's residential pool. Whether other parts of the pool were sourced legitimately is not yet clear — and from a buyer's dashboard the two were indistinguishable, which is the core problem.

How do I check whether my proxy provider is ethically sourced?

Ask where the IPs come from, what device owners see when they opt in, what they are paid, and how they opt out. A provider with a consent-based pool can answer with specifics; refusal or vague talk of a "proprietary network" is a red flag.

Ready to get started?

Access 50M+ residential IPs across 148+ countries with AI-powered filtering.

View PricingResidential Proxies
← Back to Blog