The FBI Seized NetNut. Here's What Happened and What It Means If You Buy Proxies

On July 2, 2026, netnut.com started serving an FBI seizure banner. IRS-CI, DOJ and FBI seals on top, Shadowserver, Lumen and Google logos next to them. Within hours X split into two loud camps: one cheering that NetNut got taken down and Bright Data is next, one mocking the FBI for grabbing "the wrong domain" because netnut.io is still up and selling.
Each camp is half right. We benchmark residential proxies and we covered a rumored seizure four days ago, so we pulled the archives, read the banner, and checked the primary sources.
The detail everyone is arguing about, settled
We opened the Wayback Machine history for netnut.com. It was never NetNut's operational site. For years it sat parked and listed for sale: the August 2024 capture reads "NetNut.com is for sale," and through 2025 it served an "Atom" domain-marketplace page. NetNut the company runs on netnut.io, registered in 2017, and that storefront was live and taking orders when we checked tonight.

So the "they seized the wrong domain" camp has a point. The .com that got the banner was not the front door.
The other camp is wrong anyway, and the banner explains why.
What the banner says
Seizure banners are legal documents, and this one chose its words. The domain was seized "against the NetNut residential proxy platform, its administrators, and its subscribers." A second paragraph credits Google, Lumen's Black Lotus Labs and the Shadowserver Foundation with disrupting other domains and infrastructure used by the platform "in separate and independent operations pursuant to civil action and violations of terms of service."
The FBI names the platform itself as the target, not a stray domain. The visible .com seizure is one piece of a larger action whose other pieces hit different infrastructure. netnut.io staying online tells you nothing about whether the machinery behind it took damage.
What took the damage
Google's Threat Intelligence Group ran the operation with the FBI and Lumen, and its writeup has the numbers. The NetNut network runs on at least 2 million consumer devices, most of them smart TVs and streaming boxes that shipped or side-loaded NetNut SDKs, turning a family's living room into someone else's exit node. In one June week, GTIG counted 316 threat clusters using suspected NetNut exit nodes, criminal and espionage both.
Google's own list of what it did: it disabled the accounts NetNut used for command and control, warned users through Android Play Protect and killed apps carrying the SDKs, and handed the SDK and C2 intelligence to law enforcement and platform providers. It puts the result at a device pool smaller by millions. None of that depends on which storefront domain is up.
The seized .com was parked, the operational .io is up, and the network still lost millions of exit nodes. All three hold at once, and that is the part both viral takes drop.
The whitelabeling problem
Google's report has one line every proxy buyer should read: it holds "high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet." Krebs on Security names Live Proxies as one reseller and notes another major provider began buying competitor capacity, becoming a reseller itself. No full list is public.

The banner names "subscribers" twice. Enforcement language usually stops at operators; this one reaches past the platform to the people buying from it. What that means for an ordinary customer is unclear, and it may mean nothing. But if you buy residential capacity in bulk, whose network your provider resells stopped being an academic question today.
How this differs from 9Proxy
Four days ago we investigated whether 9Proxy's outage was a law enforcement seizure. The evidence said no: a plain 404, an untouched registry, no agency on record. Some readers asked how we could be sure. NetNut is the contrast. A real action leaves a paper trail, agency seals on a banner, a named operation, Google and Lumen publishing technical reports the same day, a device pool measurably smaller. An outage leaves a 404 and silence. The 9Proxy breakdown is here: Did 9Proxy Get Shut Down? What the Evidence Actually Shows.
The two might still connect. Security firms tied NetNut to the Popa botnet on June 19. 9Proxy went dark June 28. The seizure landed July 2. A smaller brand reselling capacity from a network under pressure would go dark with an "unexpected issue" it cannot explain. That is a hypothesis. No public document links 9Proxy to NetNut, and we will not pretend one does.
What a buyer can do
A "provider" with a polished dashboard can be a thin shell over someone else's pool, and the pricing page will never show you that. Google just told you some of those pools are a seized botnet. So:
- Ask your provider whether they source from third-party networks, and which ones. A provider running its own pool answers in one sentence.
- Judge exits by behavior, not marketing: the abuse history of the IPs, session stability, whether the pool composition shifts overnight.
- Read a sudden unexplained outage at your provider as a supply-chain signal, not just downtime.
That middle point is our job. Our benchmarks probe each provider's real exits every 15 minutes and score what comes back, including the share of exit IPs with no abuse history, measured from outside with no provider input. A benchmark cannot prove where a pool comes from. It shows you how the pool behaves. That outside view is worth more tonight than it was this morning.
What we don't know yet
Whether Alarum Technologies, NetNut's publicly traded parent (NASDAQ: ALAR), faces charges or has said anything beyond keeping netnut.io online. Whether netnut.io stays up. Which brands sit on the whitelabel list beyond the one Krebs named. Whether "subscribers" on the banner turns into action against buyers. Whether 9Proxy's timing was coincidence. When any of it changes, we will update this post and say what changed.
Need to move off NetNut? See our benchmarked NetNut alternatives — residential providers ranked by live measured performance, no paid placement.
Sources: the seizure banner on netnut.com and the live netnut.io storefront (both verified by us, July 2, 2026); Wayback Machine captures of netnut.com, 2024-2026; Google Threat Intelligence Group, "Google's Continued Disruption of Malicious Residential Proxy Networks" (July 2026); Krebs on Security, "FBI Seizes NetNut Proxy Platform, Popa Botnet" (July 2, 2026); The Hacker News; Cybernews. Status as of July 2, 2026, evening UTC.