When the FBI Knocks on Your Proxy Provider's Door
My Thoughts on the NetNut Takedown and What It Means for Us in Web Scraping
If you tried to log in to netnut.io recently, you probably noticed something unusual. Instead of the usual dashboard, there was an FBI seizure banner staring back at you.
On July 2nd, the FBI, together with several industry partners, seized hundreds of domains tied to NetNut. For those who don’t know, NetNut is a large residential proxy service run by Alarum Technologies, a company that’s even listed on NASDAQ. The seized domains included netnut.com, proxyjet.io, and divinetworks.com.
This didn’t come out of nowhere. Let me walk you through how we got here, because the timeline is important to understand what happened.
How the takedown happened
It all started on June 19th, when three security firms published reports showing that NetNut’s residential proxy network was actually powering a botnet called Popa. The software was running on everyday devices like smart TVs and streaming boxes. Qurium, one of the security firms, stumbled onto this while looking into some denial-of-service attacks and traced the control servers back to pirated streaming apps. Then Brian Krebs made the story public, and about two weeks later, the authorities stepped in.
The takedown was a team effort: Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and others all played a part. This is where things get interesting from a technical perspective, because taking down a proxy network is nothing like just unplugging a server.
Residential proxy networks are built to be decentralized. The exit nodes are actually millions of consumer devices scattered all over the world. Google estimated that NetNut had at least 2 million devices in its network. Obviously, you can’t just go and seize someone’s smart TV. What you can do is target the things those devices rely on to function as part of a commercial proxy service.
First, there’s the command and control layer. Google shut down the accounts and services that NetNut was using to control the malware. What I found interesting is that this C2 infrastructure was actually running on Google’s own services. This technique, called ‘living off trusted services,’ lets malicious traffic blend in with normal cloud traffic. Without command and control, there’s no way to route customer traffic through those devices.
Next is the enrollment pipeline. Google Play Protect began warning users and disabling apps that included NetNut SDKs, and it will keep blocking any new installs. If a proxy network can’t add new devices, it starts to shrink over time, since devices get reset, replaced, or just go offline.
Then there’s the commercial front door. By seizing the main domains, the FBI basically shut down NetNut’s storefront and made it impossible to bring in new customers at scale.
All of this together, according to Google, cut down the number of available devices by millions and seriously hurt NetNut’s business.
What makes this case different
I’ve seen proxy networks get taken down before, but NetNut is different. This wasn’t some anonymous group hiding on the dark web. NetNut was run by a company listed on NASDAQ, with investor relations, quarterly reports, and even a legal team that put out a statement saying they were aware of the seizure and cooperating with investigators.
It must be said that Alarum has rejected the accusations, disputing their accuracy. On the commercial and official side, NetNut has always presented itself exclusively as a legitimate proxy provider for enterprise data collection, without ever declaring any kinship with the clandestine Popa botnet. In its communications following the seizure, the company stated that neither Alarum nor NetNut had been formally contacted by the FBI or any other governmental authority in connection with these matters, while temporarily suspending data traffic through the affected network services in order to investigate the incident and assess the infrastructure involved. Markets, however, delivered their own verdict quickly: Alarum’s stock crashed by more than 70% at the end of last week, bringing its market cap down roughly 96% from its 2024 peak, and the company itself warned that prolonged disruptions are expected to have a material adverse effect on its operations and financial results.
It’s important to be clear about which part of NetNut’s network is involved here, because NetNut wasn’t just selling one type of proxy. They offered rotating residential proxies, static ISP proxies, mobile proxies, and regular datacenter proxies. Datacenter IPs are the least controversial, since they come from cloud and hosting providers with clear ownership. The takedown focused on the residential side, where NetNut actually used two very different sourcing models.
On one side there are the ISP proxies, sourced through DiviNetworks, the company NetNut originally grew out of. This is an above-board arrangement: as Spur documented in its research on how proxy providers co-opt entire networks, DiviNetworks recruits ISP partners with a straightforward revenue-stream pitch, terminates a GRE tunnel on the partner’s edge router, installs software on a VM inside the partner network, and uses policy-based routing to steer a slice of traffic through that VM and back out through NetNut’s infrastructure. From the partner’s perspective, a small amount of traffic is diverted; from NetNut’s perspective, selected egress from the partner’s public IP space becomes a commercial proxy product. The ISPs sign an agreement and get paid. You can argue about whether their subscribers know, but at least the contractual chain is in daylight.
The other side is the residential proxy pool, and this is where the Popa botnet comes into play. Researchers found that NetNut built this network by distributing SDKs for devices like smart TVs and streaming boxes. Synthient looked at over 20 real Popa publishers and didn’t see any of them asking users for consent. This is the part of the network that led to the takedown. When you have two million devices enrolled without real consent, that’s not a legitimate proxy network; it’s a botnet with a billing system, at least from a law enforcement point of view.
But the fact that divinetworks.com was seized along with the other domains tells me that investigators aren’t making a clear distinction between the different parts of the business. Even providers who think their sourcing is clean should take note.
This isn’t just a one-off event; it’s part of a bigger pattern
If this all sounds familiar, it’s because we’ve seen it before, and not long ago. The NetNut takedown follows right after Google’s disruption of the IPIDEA proxy network back in January 2026. At the time, IPIDEA was one of the biggest residential proxy operations out there, and NetNut’s main competitor.
Google’s post-mortem on IPIDEA included what I think is the key point here: when their own botnet starts to fall apart, proxy operators just buy capacity from competitors and become resellers. The proxy industry is tightly connected, and Google is pretty confident that a lot of popular residential proxy brands were actually just reselling NetNut’s botnet.
If you buy residential proxies from a brand you haven’t really checked out, pay attention. The IP pool behind your provider’s logo might be NetNut’s, or IPIDEA’s, or whoever is next in line.
The timing here is no accident. Bot traffic is exploding, especially with AI agents and LLM-based crawlers on the rise. In all my years doing this work, I’ve never seen web scraping infrastructure get this much attention from regulators and platforms. We’re in a real bind: we need more scraping and automation than ever, which means more proxies, but at the same time, there’s a real push for transparency about how these networks are built and used, so we can tell the good actors from the bad.
The lesson from NetNut is that just being transparent about where your IPs come from isn’t enough. You also need to know who is actually using your network. Alarum said they did KYC and due diligence on NetNut’s customers, but Spur found that NetNut didn’t really require corporate verification or real know-your-customer checks before selling proxy access. Down the line, resellers and white labelers usually didn’t do any KYC at all. Anyone who knew where to look could buy access with just a burner email and a few dollars in crypto. The result? In just one week in June 2026, Google saw 316 different threat groups using NetNut exit nodes, including cybercriminals and espionage actors.
What this means if you were a customer
Let’s be honest: losing a proxy provider isn’t really a technical problem. If you’re running a serious scraping setup, switching providers just means changing your endpoint. And if you’ve set up any kind of automatic fallback system, which you really should have, your pipelines probably won’t even notice the downtime.
The real headache is legal and compliance risk, especially if you’re working in a highly regulated industry.
Take financial markets, for example: I’ve worked in this space myself. Web scraping is a key part of what’s called alternative data: things like scraped prices, app usage stats, satellite images, and transaction data. Investment funds use these to get an edge on listed companies, alongside the usual financial statements and market data.
Anyone who has tried to sell web-scraped data to an investment manager knows what comes next: the due diligence questionnaire. I’ve been through this process, and it’s not a formality. The standard DDQ used in the industry, published by FISD’s Alternative Data Council, dedicates an entire appendix to web scraping and explicitly asks vendors whether they use proxies, whether those proxies are anonymizing, whether the proxy providers include information sufficient for scraped websites to contact the company, whether data is collected from pages behind logins or CAPTCHAs, and whether the vendor or its service providers have received cease and desist orders, subpoenas, or been subject to investigations in the past five years.
Now imagine you’re a data vendor facing that last question, and your proxy provider’s homepage is showing an FBI seizure banner. Telling a hedge fund that your infrastructure supplier is under federal investigation is not going to help you close any deals. In this business, your compliance is only as strong as the weakest link in your supply chain. Proxies are definitely part of that chain, whether your legal team knows it or not.
How I Think About Choosing Proxy Providers After NetNut
The reality is that residential and mobile proxies have always been the most controversial part of the proxy world. Unlike datacenter IPs or ISP deals, residential proxies need real people to agree to run a proxy on their devices in exchange for something, maybe money if they’re in a bandwidth-sharing program, or a free app, since developers get paid by proxy providers for every install.
Most people don’t realize how widespread this is. Spur scanned over 6,000 LG and Samsung smart TV apps and found that more than 2,000 of them had residential proxy SDKs inside. That means about a third of smart TV apps are quietly acting as proxy infrastructure. The real difference between legitimate and abusive setups comes down to consent and disclosure. Some providers, like Bright Data, Massive, and Oxylabs, at least spell out the arrangement in their terms of service, as Spur pointed out. For example, you can check Bright Data's peer program directly on bright-sdk.com, where you can find the certifications and compliance that they obtained.
Some providers have shown they’re willing to take a hit to keep their networks clean. For example, Bright Data has publicly shared that they dropped SDK partners who wouldn’t digitally sign their apps or who served ads leading to shady websites. These partners made up over 10% of their residential peer network, so it wasn’t a small decision. On the You might be skeptical about companies promoting their own good behavior, but I think this is the right direction: sourcing based on real standards, not just growth at any cost. They’re also founding members of the Alliance for Responsible Data Collection, together with other players like Sequentum and Common Crawl.
So here’s what I take away from all this. After what happened with IPIDEA in January and NetNut in July, picking a proxy provider based only on price isn’t just about quality anymore; it’s about risk. You need to ask the same questions the security researchers asked NetNut: How do you source your IPs, and can you prove consent? Who can actually buy access to your network, and what does your KYC process look like, even for your resellers? And what happens, both in contracts and technically, when abuse is found?
If your provider can’t answer these questions, someone else will, maybe with a seizure banner.


