NetNut Shutdown Explained: What Happened and the Best Alternative

NetNut has not announced that it has permanently closed. However, after the FBI seized certain domains associated with NetNut on July 2, 2026, customers facing service interruptions may need an alternative. NodeMaven is a practical NetNut alternative option for teams that need clean residential and mobile IPs, stable sessions, and consistent proxy performance.
The enforcement action followed investigations connecting NetNut traffic to Popa, a residential proxy network found on Android devices, smart TVs, and streaming boxes. Researchers allege that many device owners did not knowingly agree to let third parties route traffic through their internet connections.
NetNut’s parent company, Alarum Technologies, confirmed the domain seizures and said it would cooperate with law enforcement. It has not announced the liquidation or formal closure of NetNut Ltd.
For customers, this creates immediate operational uncertainty. A company may remain registered while its gateways, IP supply, or customer workflows stop working. Teams affected by the disruption should preserve their account records, audit existing integrations, and test a residential proxies replacement option instead of assuming normal service will return quickly.
What happened to NetNut?
The NetNut shutdown story developed over several weeks. It began with technical research into unusually large scraping campaigns and ended with coordinated action by the FBI, Google, Lumen Technologies, and other industry partners.
| Date | Event | Source |
|---|---|---|
| May 2026 | Qurium investigates scraping activity distributed across more than 1.4 million residential IP addresses. | Qurium |
| June 17, 2026 | Synthient conducts a controlled test connecting a NetNut commercial gateway to a device running the Popa SDK. | Synthient |
| June 18, 2026 | Qurium, Synthient, and KrebsOnSecurity publish investigations into the relationship between Popa and NetNut. | KrebsOnSecurity |
| June 23, 2026 | Qurium publishes results from controlled testing of Popa-enabled applications. Researchers recorded 10 million proxy requests and reported that most tested apps did not present meaningful consent notices. | Qurium |
| July 2, 2026 | The FBI seizes domains associated with NetNut. Google says coordinated action reduced the network’s available device pool by millions. | Alarum, Reuters |
Bloomberg reported that the FBI was investigating whether an Alarum subsidiary had a role in connecting home devices to a proxy network without their owners’ consent. The report cited documents and people familiar with the investigation.
At the time of writing, public reporting does not show that NetNut or its executives have been convicted of a crime. The seizure confirms an enforcement action against associated infrastructure, not a final judgment about every allegation.
Why was NetNut’s proxy network targeted?
The investigation centers on two connected questions: where some of NetNut’s residential IPs came from and how customers used them.
Residential proxies route traffic through IP addresses assigned to household or consumer connections. They have legitimate uses, including public web data collection, localization testing, ad verification, and market research. Their value comes from looking like ordinary consumer traffic instead of traffic sent from a datacenter.
The alleged connection between NetNut and Popa
Popa is a family of proxy software that can register a device, maintain an encrypted connection, and relay traffic for a remote customer. Researchers found related components in Android applications, streaming software, VPN tools, and inexpensive TV boxes.
Once enrolled, a device acts as an exit point. A request sent by a proxy customer reaches its destination through the device owner’s home connection, so the target website sees the residential IP rather than the customer’s original address.
Qurium’s investigation identified about 5,000 software samples that implemented variants of the architecture. The samples communicated with approximately 46 controller domains and more than 300 backend servers. Qurium also found historical infrastructure and business connections linking the Popa ecosystem with NetNut and Alarum.
Qurium was careful about the limit of that evidence. It said no single historical observation established attribution on its own. The researchers instead described a pattern of technical and organizational links.
A controlled test connected Popa traffic to NetNut
Synthient produced the clearest public evidence of a direct technical relationship.
On June 17, its researchers sent a specially marked request into NetNut’s commercial gateway at gw.netnut.net:9595. Synthient controlled both the system making the request and the honeypot receiving it. The request arrived from a host running the Popa SDK, complete with the marker /NETNUT_EXT_TRAFFIC_FROM_PROXY.
Based on that test, Synthient assessed with high confidence that at least some Popa-enrolled devices served as exit nodes for NetNut customers. The company also found multiple Popa-related software samples communicating with sdk.netnut.io.
The test supports a connection between the two networks. It does not, by itself, establish what NetNut’s management knew about the installation or consent process on each device.
Device consent became a central concern
Bandwidth-sharing software can operate legitimately when users receive a clear explanation and knowingly agree to participate. The allegations around Popa concern devices whose owners may not have understood that their internet connection would carry traffic for paying proxy customers.
Synthient reported that newer Popa versions contained an optional consent dialog. It did not observe that dialog being presented by any of the more than 20 publishers it examined. Some earlier versions reportedly did not contain the same consent capability.
Qurium reached a similar result in controlled testing. Its researchers installed Android and streaming applications containing Popa components and found that most did not provide a meaningful notice that the device would become part of a residential proxy network. In a later experiment, Qurium recorded 10 million requests passing through test devices.
How was the network reportedly used?
Proxy traffic is not inherently malicious. A residential or mobile proxy can support lawful web research or allow a company to check what customers see in another region. The problem is that the same infrastructure can hide the source of abusive activity.
Google reported that it observed 316 threat clusters using suspected NetNut exit nodes during one week in June 2026. According to Google, cybercriminal and espionage groups used the network to conceal their origin, access victim environments and infrastructure, and conduct password-spraying attacks.
Separate investigations connected Popa traffic to advertising fraud, account takeover activity, and mass scraping. Google also said it disabled accounts and services used for NetNut-related malware command and control and shared infrastructure intelligence with law enforcement and industry partners.
KrebsOnSecurity also reported that Popa averaged between 1.5 million and 2.5 million distinct IP addresses per day, citing Chris Formosa of Lumen’s Black Lotus Labs. Because proxy resellers could offer the same underlying addresses under other brands, the network’s reach extended beyond customers who purchased directly from NetNut.
This does not mean every NetNut customer used proxies unlawfully or that every device in its advertised pool came from Popa. The public evidence concerns parts of the network and specific observed traffic. Broader conclusions will depend on what investigators and the courts establish.
Is NetNut permanently closed?
NetNut has not announced that it is permanently closed. What is confirmed is that the FBI seized domains associated with the company, while Google and other partners disrupted infrastructure supporting its proxy network.
A domain seizure can prevent customers from reaching gateways and other services without formally closing the company behind them, making users look for a NetNut alternative. As of July 3, 2026, no public announcement states that NetNut Ltd. has been dissolved, liquidated, or ordered to stop all operations.
The investigation could still produce further legal or operational consequences. For now, it is accurate to describe NetNut as severely disrupted, but not confirmed as permanently closed.
What should current NetNut customers do?
Teams running NetNut in production should treat the disruption as an ongoing incident. A dashboard that loads does not prove that the same gateways, locations, or exit-node supply remain available.
Start with these steps:
- Export invoices, usage records, support conversations, and current configuration details.
- Identify every application that contains a NetNut hostname, port, username, or password.
- Rotate credentials stored in scripts, browsers, automation platforms, and team password managers.
- Record which workflows use rotating IPs and which depend on a persistent session.
- Test a NetNut replacement on a small share of traffic.
- Compare successful responses and session stability.
- Remove old credentials and allowlist entries once the migration is complete.
Why choose NodeMaven as a NetNut alternative?
NodeMaven is a practical replacement for NetNut customers who need to restore access to high-quality proxies. You can start with a 750 MB trial for $3.50, test performance on your actual destinations, and scale only after the setup works.
Choose the right proxy for your workflow
| If you need | Choose | Why it fits |
|---|---|---|
| Rotating IPs for scraping, automation, or localized testing | Residential proxies | 30M+ filtered residential IPs with country, city, ZIP, and ISP targeting |
| Carrier IPs for mobile platforms and account workflows | Mobile proxies | 295K+ 4G, 5G, and LTE IPs with controlled rotation |
| One consistent and static IP for long-running sessions | ISP proxies | Static residential IPs with unlimited traffic and a quality guarantee |
What makes switching easier?
- Residential and mobile proxies use one traffic balance, so you do not need separate plans for each pool.
- Unused traffic rolls over instead of expiring at the end of the month.
- Eligible plans earn cashback that can be reused as proxy credit.
- The quality guarantee provides $1 in bonus traffic when a proxy fails to perform.
- HTTP and SOCKS5 support makes NodeMaven compatible with most scraping, automation, and account-management tools.
- Proxy specialists are available 24/7 through live chat, Telegram, and email to help recreate targeting and session settings.
NodeMaven reports a 95% clean-IP rate, a 99.54% average success rate, and response times below 0.6 seconds for its residential network.
NodeMaven also offers enterprise plans for high-volume proxy workloads. Teams migrating large NetNut packages can request custom pricing, capacity planning, and setup assistance through NodeMaven’s 24/7 live chat. This allows enterprise customers to test the service first, then move to a package matched to their traffic and location requirements.
Review the complete NodeMaven vs. NetNut comparison for more details.
How to migrate from NetNut to NodeMaven
Most integrations do not require a complete rebuild. The main work is replacing the gateway and credentials, then recreating the location and session behavior expected by each job.
- Create a NodeMaven account and choose residential, mobile, or ISP proxies.
- Generate HTTP or SOCKS5 credentials in the dashboard, or copy ISP proxy credentials.
- Recreate the required country, city, ZIP, or ISP targeting.
- Replace the NetNut hostname, port, username, and password in a staging environment.
- Test authentication, response rates, location accuracy, and session persistence.
- Move production traffic in stages while monitoring failed requests and retries.
NodeMaven’s residential and mobile setup guide lists the current gateway, port ranges, and username parameters. Also check our guidelines on API access and integration guides for different tools and anti-detect browsers.




