We use affiliate links. They let us sustain ourselves at no cost to you.

The FBI & Google Disrupt NetNut’s Residential Proxy Network

The provider has lost multiple public-facing and infrastructure domains, reportedly shedding “millions of IPs” in the process.

Adam Dubois

On July 2, 2026, Google published a blog post about disrupting the residential proxy network of NetNut, a proxy and web scraping infrastructure provider from Israel.

Google’s measures included: 1) disabling accounts associated with NetNut’s control infrastructure; 2) flagging NetNut’s SDK in Play Protect; and 3) sharing intelligence with other platform providers, intelligence teams, and authorities about the SDK. 

On the same day, the FBI and the IRS seized netnut.com, NetNut’s sister brand proxyjet.io, and divinetworks.com; the latter was used to supply the provider with ISP (static residential) proxy servers through direct contracts with internet service providers. According to Krebs, the takedown of NetNut’s main .io domain is in progress. 

The actions of Google and the FBI reportedly took down “millions of IPs off its proxy network”. They have also caused significant reputational damage and are likely to impede the company’s business operations. Google already took similar measures against another proxy network, IPidea, in January. 

This disruption follows multiple investigations of NetNut’s proxy service made in short succession by Spur, Synthient, Nokia Deepfield, and more. Research by Qurium undeniably linked the botnet, which has been running since 2020, to NetNut’s infrastructure. Popa recruited proxies through IPTV, streaming, and utility apps without requesting consent properly or at all.

Analysts also noted NetNut’s inadequate know-your-customer measures, which allowed users to buy and operate its proxy networks even without providing a real name. This was exacerbated by the widespread reselling of NetNut’s infrastructure – Google had high confidence that many popular residential proxy brands were in fact whitelabeling the company.

Downstream resellers were even less likely to ensure proper safeguards. According to said source, Google’s Threat Intelligence Group observed 316 distinct threat clusters using NetNut’s proxies in a single week. 

NetNut’s parent company Alarum released a statement saying that it was “made aware of the seizure of certain domains associated with NetNut by the FBI. Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”

Takeaways

The accelerating pace of intervention by platforms and authorities sends a clear message that proxy servers can no longer fly under the radar. Providers should prioritize properly governing the sourcing and use of their proxy networks, even if the market may tempt them to take shortcuts. 

Google’s conclusions underline this imperative: “What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”

However, we find it worrying that even NetNut’s DiviNetworks took a hit. This arm of the business approached ISPs directly and used their resources with full acknowledgement. It shows that businesses won’t be able to go over the heads of affected consumers, and that proper use of proxy servers still matters a lot, no matter how they were acquired.