Life after NetNut: Buyer’s guide for teams in the middle of migration

Comments: 0

What the FBI takedown changed, what proxies actually cost now, and how to pick a provider that won't disappear next.

Disclosure. This research is produced by Proxy-Seller, a residential proxy vendor, and therefore a participant in the market this report describes, measured by the same method as everyone else. We sent 500,000+ requests through each provider’s pool and measured their prices. All hard data is verifiable from the cited public sources.

Get 500 GB of residential traffic free for your first month, your NetNut rate locked for 12 months, and no prepayment beyond the current month. Run it against your real targets.

The short version

  • NetNut is gone and is not coming back. On July 2, 2026, Google, the FBI, IRS Criminal Investigation, Lumen, and Shadowserver took down the “Popa” botnet associated with NetNut’s residential network. At least 2 million devices, most of them smart TVs and streaming boxes running proxy SDKs without their owners’ consent, powered the NetNut network. The FBI seized netnut.com, netnut.io, and hundreds of related domains. Any prepaid balance is very likely lost.
  • Based on public data, the seizure took domains, but not customer data. No primary source reports servers, customer records, or logs being captured, and Alarum (NetNut’s parent) stated the FBI had not formally contacted it. (Read Section 2 on what that means and where the residual risk sits.)
  • This was the third takedown in six months. IPIDEA in January, 9proxy in June, and NetNut in July. Law enforcement is targeting the ethics behind residential proxy sourcing. Mind that when you pick a replacement, you are also picking your exposure to the next takedown.
  • Prices vary enormously. Identical gigabytes range from $0.88 to $7.00 at entry (an 8× gap), spreading up to 18× at volume (from $0.27 to $4.90 per GB). After the takedown, SOAX advertised a $0.35 tier to explicitly win NetNut's former customers. However, it's an Enterprise plan for emerging markets only. Their US buyer still starts at $5.00. The market floor, which had always been GeoNode's flat ladder, didn't move.
  • Advertised pool sizes are marketing numbers. The biggest claims delivered no more than the modest ones: Oxylabs' advertised 175M and SOAX's 155M produced 222K and 193K unique US IPs in our runs, roughly what Proxy-Seller delivered (196K) from a claim a quarter of the size (47M). GeoNode advertises a modest 2.5M, but that is a concurrent-online figure, not a total-pool claim, so it isn't directly comparable.
  • Nobody sells “Port 25 open” residential off the shelf. Four major providers block SMTP outright (IPRoyal and Webshare permanently; Bright Data due to anti-spam policy; DataImpulse), four provide it only after KYC/compliance review (SOAX, Oxylabs, Decodo, Proxy-Seller), and GeoNode is unstated.
  • You have leverage right now. At least three providers are running direct outreach to former NetNut customers, and one has cut prices 25%. Providers want your traffic this month more than they will want it in the autumn. Our migration offer is at the end of Section 8.

1. What happened to NetNut?

If you only saw the seizure banner…

On June 18, security researcher Brian Krebs publicly connected a botnet called “Popa” to NetNut and its parent company, Alarum Technologies, a firm listed on NASDAQ under the ticker ALAR. Two weeks later, on July 2, Google’s Threat Intelligence Group, working with the FBI, IRS-CI, Lumen, and Shadowserver, dismantled the botnet.

Google estimates it spanned at least 2 million devices. The FBI and IRS seized NetNut’s domains: netnut.com, netnut.io, divinetworks.com, and the sister brand proxyjet.io, plus hundreds of others. By July 7, netnut.io itself was offline. NetNut has stopped operating as a business.

Alarum’s stock lost 51.5% in a single trading session on July 6, closing at $3.08. Within a day, two shareholder law firms had opened securities-fraud investigations, and Alarum’s own SEC filing warned of a possible “material adverse effect” on its operations. This was a top-tier residential provider with a public parent company, and it did not survive contact with law enforcement.

Why it shapes your next move

Google’s stated reason: NetNut “populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes.” In plain terms, the residential IPs you were routing through belonged to people who never agreed to share them. Researchers at Synthient examined more than 20 apps that included these SDKs and found that none displayed a consent prompt to users. The SDKs were found in roughly 42% of the LG smart TV apps examined and 25% of the Samsung apps.

Bright Data was caught on the identical sourcing model two weeks earlier. Its SDK shipped inside free CTV apps reaching LG, Samsung, and Roku sets. The difference is that Bright Data showed a consent screen. However, researchers found the screen understates it: Petflix (Roku) promises "occasional" use of the device, while the SDK's config allows up to 200 GB of traffic per month.

On top of that, Google states that “many popular residential proxy brands are in fact whitelabeling the NetNut botnet.” Neither Google nor Krebs has publicly named those brands. Some providers courting you right now may have been reselling the exact network that was just seized.

2. Does the FBI have your data? What is public?

If you were a NetNut customer, this is probably your most uncomfortable question, so here is the state of public knowledge as of July 10.

What was actually seized per every domain?

The FBI and IRS transferred DNS control of NetNut’s domains to government nameservers (netnut.io now points to fbi.seized.gov infrastructure). Krebs, Google GTIG, BleepingComputer, and SecurityWeek have not reported on seizure of servers, customer databases, query logs, or payment records. Google’s own actions included only deactivating Google accounts and services that the botnet used for command-and-control. Note that a domain seizure, by itself, captures the domain, not the data behind it.

Alarum’s comment

In its July 3 SEC filing, Alarum stated that neither it nor NetNut “has been formally contacted by the FBI or any other governmental or regulatory authority,” that it will cooperate fully with law enforcement, and that it paused traffic through affected services while it investigates. Nothing about customer data was said publicly.

Precedents

In past US takedowns, consequences for customers depended on whether the government obtained backend data. When it did, Genesis Market (2023), where authorities had user records, about 120 users were arrested across 17 countries; Anom (2021), where the FBI ran the service outright, 800+ customers were pursued. When the action dismantled infrastructure without a customer database (RSOCKS, 2022), no mass action against buyers followed. The 911 S5 case (2024) involved the seizure of 70+ servers and the prosecution of customers when their traffic was linked to a specific type of fraud.

Where does that leave you?

No public data indicates that the government holds NetNut’s customer records today. But the investigation is open, and Alarum still holds its own business records, which can be subpoenaed. The FBI’s public advisory on residential proxy botnets is addressed to the owners of infected devices, not to proxy customers, and does not list web scraping among the criminal uses it describes. Plainly: routine scraping through NetNut is nowhere to be found in the public record as a target of this action.

What to do now?

If you were on NetNut, here’s this week's checklist:

  • Rotate every credential and API key that ever touched NetNut endpoints
  • Export and archive invoices, contracts, and usage logs (they prove routine commercial use)
  • Attempt chargeback on prepaid balance now, while the card window is open
  • Inventory what data flowed through the network
  • If your use case was near the gray zone, talk to counsel before responding to any outreach, including from providers claiming to run "ex-NetNut infrastructure."

3. Third takedown in six months

IPIDEA, 9proxy, and NetNut were taken down; Bright Data escaped with a public teardown of its SDK supply chain. NetNut is the fourth enforcement shock in six months. They were all triggered by the same thing: how the pool was sourced.


When

What

Why it matters to you

Jan 2026

 Google disrupts the IPIDEA botnet 

 Took roughly a dozen reseller brands offline at once — brands that all ran on the same seized backend

~Jun 2026

9proxy shuts down quietly

Customers were left hanging with their prepaid packages gone

Jun 2026

Bright Data residential incident

The market started connecting the dots

Jul 2, 2026

NetNut seized by the FBI

You are reading this report

Provider risk is now part of your total cost. A cheap rate from a provider that gets seized in March is the most expensive rate you can buy.

4. What residential proxies cost right now

Here is the market you are walking into, based on our ongoing tracking of published rate cards (current as of July 10, 2026).

Price gap


Cheapest (/GB)

Most expensive (/GB)

 Gap

At entry (1–3GB)

$0.88 (GeoNode, flat)

 $7.00 (IPRoyal, Webshare)

 Lowest rate at volume

 $0.27 (GeoNode, at 1TB)

$4.90 (IPRoyal)

18×


The highest rates vs industry floor didn’t change, but a couple of providers have repriced or issued major discounts in the last four weeks. The market hasn’t collectively repriced, but the direction is in your favor.

Market’s response after the takedown

  • SOAX rebuilt its entire pricing structure around Tier 2 and 3, explicitly to win migrating NetNut customers. Entry is now down to $0.35/GB in the emerging-market tiers on the Enterprise plan.
  • ProxyScrape made the only actual price cut so far: residential −25%, plus a $190/month unlimited plan at 100 Mbps. (Resellers are outside this report’s provider comparisons, but this re-pricing move is a market fact.)
  • GeoNode positioned as near-wholesale with a flat ladder: $0.88/GB at entry falling to $0.27 at 1TB (the same rate in every country) and publicly attacked industry markups.
  • Oxylabs and Bright Data made no price changes. Their pitch is trust: ethical-sourcing programs and enterprise references.
  • NetNut itself cut static-residential prices 15% in late June, then raised them back on July 6, one day before its domains were seized.

You are effectively choosing between two kinds of offers: challengers competing on price and transparency, and incumbents competing on stability and sourcing claims, neither of which answers the questions you’re interested in: pool quality (next section), technical fit (Section 6), and sourcing risk (Section 7).

What the same gigabyte costs at your volume

This table shows premium/Tier-1 residential traffic and compares prices at the volumes that a mid-market team like yours buys. NetNut’s historical range is included so you can locate your old rate.


Provider

At 1–3GB

 At ~100GB

Best volume rate

Proxy-Seller

$3.50

$2.20

$1.30

GeoNode

$0.88

$0.88

$0.27

DataImpulse

$1.00

$0.80

$0.80

SOAX 

$5.00

$2.20

$0.85

Decodo

$4.00

$2.75

$2.00

Bright Data

$4.00

~$3.00

$2.50

Oxylabs

$6.00

~$4.00

$2.50

IPRoyal

$7.00

~$4.90

$4.90

Webshare

$7.00

 ~$1.12 (largest annual commit — prepaid)

 NetNut (historical) 

$1.59 entry

up to $14.40

Get 500 GB of residential traffic free for your first month, your old NetNut rate locked for 12 months after that, and no prepayment beyond the current month. See terms and details.

First, identical GB packages cost between $0.88 and $7.00 (an 8× gap). In a normal commodity market, prices converge; datacenter proxies, for example, cluster tightly at $0.38–0.62/GB across every provider. Residential is doing the opposite because providers are pricing based on how their pools are sourced and who bears the risk.

Second, how a provider forms their discount tells you what they want from you. SOAX’s price falls by 83% from entry to the floor (from $5.00 to $0.85), indicating a company buying volume customers. IPRoyal falls by only 30% (from $7.00 to $4.90), and it's a company that doesn’t chase volume and instead prices for its pool quality (more on that in the next section). Bright Data, Oxylabs, and Decodo sit in the middle. If a provider’s volume discount looks too steep to be sustainable, ask yourself what corners they cut to make that math work.

5. How big are the pools really?

We routed 500,000 live requests through each provider’s residential pool during tests lasting approximately 10-16 hours. The tests showed how many unique residential IPs each has and what they physically are (verifiable via IPinfo Max).

Our own network is in every table below, measured the same way.

Capacity and quality

The numbers you see below are the result of a single ~500K-request US measurement per provider, which lasted, on average, 10-16 hours.

Provider

 Unique US IPs observed 

 True residential 

 Pre-flagged as proxy 

 Mobile share 

 Advertised (global) 

Decodo

255K

99.6%

80%

7.6%

115M

 NetNut (historical) 

250K

99.0%

92%

6.6%

85M

Oxylabs

222K

99.5%

78%

6.8%

175M

Webshare 

221K 

~99%

80%

4.7%

80M

Proxy-Seller

196K

99.5%

78%

5.2%

47M

SOAX 

193K 

~99%

93%

5.0%

155M

DataImpulse

117K

99.2%

68%

6.3%

90M

GeoNode

94K

~99%

94%

2.6%

2.5M

IPRoyal

68K

99.7%

97%

10.6%

32M

Legend: “True residential” = physically home-ISP IPs, not hosting/datacenter. “Pre-flagged as proxy” = the share IPinfo already catalogs as a known commercial proxy.

  • Nobody dominates the market. The largest measured pool is about 4× the smallest, not the 70× the advertised pools imply. On a level playing field, the top four sit within touching distance of each other. So size won't make this decision for you; every provider’s pool is big enough for most workloads. What differs is what's inside: how much of the pool anti-bot systems already recognize, and how honest the advertised number is. On both, Proxy-Seller leads: tied with Oxylabs for the cleanest flag rate among premium pools (78%), and delivering the same measured pool as the giants from a claim a quarter of their size.
  • Physical quality is a solved problem among measured providers. Every measured pool is 99%+ true residential, with hosting/datacenter contamination at 0.8% or less; the newly measured SOAX (0.1% hosting) and GeoNode (0.4%) are as physically clean as the premium pools.
  • Pools differ largely in detectability. “Pre-flagged as proxy” is the share of a pool that IPinfo, one of the intelligence feeds anti-bot systems buy, already recognizes as a commercial residential proxy. IPRoyal’s pool is 97% pre-flagged, and the discount challengers land nearly as high: SOAX 93%, GeoNode 94%; DataImpulse’s 68% remains the least cataloged. Which you want depends on your targets: if they consume proxy-reputation feeds, a heavily flagged pool is easier to block; if they don’t, the flag rate is irrelevant.
Note: These flag rates reflect IPinfo’s catalog. Cloudflare, DataDome, and other anti-bot vendors maintain their own detection databases.

6. Technical fit: which provider is most compatible with your setup?

The technical compatibility table shows data from provider documentation, verified in July 2026.

Provider

Port 25 (SMTP)

SOCKS5 / UDP

Sticky session max

Geo-targeting

Trial

Proxy-Seller 

Provided after KYC + use-case review

Yes

Sticky "for the full duration of your task"

 Country, state, city, ISP (220+ locations)

$1.99 · 3 days · full access; 24h refund window

SOAX

Closed; unlock via ID + use-case review

Yes / yes

60 min (username params)

Country, region, city, ISP

$1.99 · 3 days · 400MB

Oxylabs

Non-80/443 needs compliance review

Yes / beta

24h (sticky entry ports)

 Country, state, city, ZIP, ASN, coords

Free 3–7 days (KYC)

Bright Data

Blocked (anti-spam)

Yes / Not stated

No fixed max; 5-min idle timeout

 Country, state, city, ZIP (US), ASN, OS

Free, no card (strict KYC)

Decodo

Blocked by default; via compliance request

Yes / Not stated

24h (username params)

Continent→city, ZIP (US), ASN

3 days · 100MB free

IPRoyal

Permanently blocked, no exceptions

Yes / TCP only

7 days (username params)

Country, state, city, ISP; no ZIP/ASN

3 days · 100MB (discretionary, card required)

 DataImpulse 

Blocked

Yes / UDP after review + KYC

120 min (port + param)

Country free; state/city/ZIP/ASN at 2× rate

None; $5/5GB intro

Webshare

Permanently blocked

Yes / Not stated

Not quantified in docs

Country, city only

None for residential; 2-day refund

GeoNode

Not stated

Yes / Not stated

No hard max stated

Country, state, city, ASN/ISP

Free API tier; residential trial

  • The “Port 25 open” NetNut alternative barely exists off the shelf. Port 25 is blocked or gated industry-wide: IPRoyal blocks it permanently; Bright Data, Webshare, and DataImpulse block it by default; Proxy-Seller, SOAX, Decodo, and Oxylabs open ports only after a compliance review of your use case.
  • Session length is a real differentiator. If your workflow depends on long sticky sessions, the range runs from 60 minutes (SOAX) to as long as you need (Proxy-Seller).
  • Syntax is similar; budget for the differences. Every provider here uses username-parameter session control, so the migration is parameter mapping rather than an architectural rewrite, but geo parameters and entry-port schemes differ enough that “days, not hours” of engineering remains the right budget.

7. Sourcing: what each provider has answered in public

You will get polished answers in every sales call. So here is what each provider has already publicly committed to: self-published claims, independent reporting, or nothing.

Provider

Named IP source

Public consent flow

Own network or resold

Buyer verification

Proxy-Seller

SDK + consent flow

DPA/SCC + IP-provenance docs on request

Own pool + standard reseller program

KYC (SumSub) for restricted targets/ports; not at signup

Bright Data

Bright SDK + EarnApp (own, documented)

Yes, opt-in and idle-device conditions published

Own

Mandatory human-reviewed KYC, businesses only

IPRoyal

Pawns.app (own paid opt-in app)

Yes, users paid for opted-in bandwidth

Own residential pool

KYC published; optional at signup

Oxylabs

Honeygain (exclusive supply contract)

Via Honeygain's paid opt-in

Partner-sourced

KYC policy published

SOAX

Unnamed "peers"; ethics page, no named source

No public flow

Own; also supplies whitelabels

Strong published KYC (ID verification)

Decodo

Unnamed providers + paid P2P

No public flow

Historically resold, now mixed

KYC/KYB published

Webshare

Unnamed third-party suppliers

No public flow

Operates under Oxylabs

No KYC at signup; checks only on suspicion

 DataImpulse 

Not self-published (analyst: own TraffMonetizer app)

No public flow

Own pool + formal reseller program

KYC for resellers only

GeoNode

Repocket (own app, removed from Google Play, Nov 2025)

Partial

Self-claims own

KYC published (ID + use-case review)

See sources below*

8. Where teams like yours are going

If you were on NetNut's rotating-residential entry tier (~$1.59/GB), the clear pick is Proxy-Seller. $2.20 at ~100GB, $1.30 floor, and none of it country-gated, so the same card applies to the US. Based on measured data, 196K unique US IPs, which is the same size class as the market leaders, but with 99.5% true residential, a tied-for-lowest pre-flagged premium pool (78%), no sticky-session cap, SOCKS5, Port 25 after KYC, and a $1.99 trial.

Get 500 GB of residential traffic free for your first month, your NetNut rate locked for 12 months, and no prepayment beyond the current month. Run it against your real targets; if the pool doesn't perform, you've spent nothing and lost no leverage.

The alternatives, briefly:

  • DataImpulse: cheapest measured at volume ($0.80–1.00), but the least-residential pool (68%).
  • Decodo: solid mid-market ($2.00 floor), EWDCI member, 24h sessions.
  • SOAX: the $0.35 rate is only applicable to the Enterprise plan (emerging-country-only); a US buyer starts at $5.00/GB, and the $0.85 floor requires a $3,000/mo commitment. Real, clean pool, but the marketing runs ahead of the measured product (among the widest claim-to-delivery gaps in the report, and "ethical sourcing" is aspirational, not certified).
  • GeoNode: genuinely cheap for the US (flat rate went from $0.88 to $0.27 at 1TB), but the second smallest measured pool and independently weak on hard anti-bot targets (ProxyLook: 8.5% ban rate, 78% on Amazon vs 89.9% average).
  • Webshare (Oxylabs-owned): now sells per-GB residential rates, but its lowest rate (~$1.12) requires the largest annual prepayment, and there is no residential trial.

If you were on NetNut's premium/static tiers ($4.50–14.40/GB), IPRoyal is the usual quality pick (99.7% true residential, 7-day sticky sessions) at $4.90–7.00. Still, at 97% pre-flagged, nearly its entire pool is already cataloged by IPinfo as proxy. So against any target that buys those feeds, it is the easiest premium pool to block.

Proxy-Seller is the strongest fit for most ex-NetNut static buyers. It matches IPRoyal on purity (99.5% true residential), leaving 22% of the pool un-catalogued versus IPRoyal's 3%, carries no sticky-session ceiling at all (hold an IP for the full duration of your task, versus IPRoyal's 7-day cap), and, for the genuinely static use cases NetNut's ISP tier covered, offers a dedicated ISP line sourced straight from Local Internet Registries with clean, documented provenance, at a US-flat rate rather than IPRoyal's $4.90–7.00.

Oxylabs and Bright Data round out the tier with the enterprise wrapper (strict KYC, granular geo) at $2.50–4.00 floors.

9. What happens next

The takedowns are not over. IPIDEA, 9proxy, and NetNut were all triggered by the same thing: how the pool was sourced. The next large provider running on non-consensual or undocumented supply faces the same scrutiny, and the timeline is tight.

The cheapest gigabyte is no longer the smart buy. A rate that looks great today is worthless if the provider is seized by spring. The question you should be asking now is “who can still prove, on paper, where every IP came from and that its owner agreed to share it."

What to demand from any provider before you sign

Treat anything missing as a red flag:

  • Consent-based sourcing they can document, including the consent flow and per-IP provenance, even if the supply partner is disclosed only under review
  • Documented user or LIR agreements behind every allocation
  • KYC at the account level (a provider that doesn't know its own customers is the one that attracts law enforcement)
  • DPA and SCC paperwork available on request, plus per-IP provenance records for a compliance review
  • Recognized certifications

Where do we stand? Every Proxy-Seller allocation is backed by official residential user agreements and documented LIR agreements obtained with informed consent; per-IP provenance records, DPA, and SCC documentation are available on request; account-level KYC runs via SumSub. Separately, on security: ISO/IEC 27001:2022 and ISO 9001 certified; GDPR, CCPA, and ePrivacy Directive compliant; SOC 2 in progress

If a provider you're weighing can't produce the same list, the gap is your answer. Migrate with Proxy-Seller: lp.proxy-seller.com/netnut-migration

Methodology & notes

Pricing was obtained from the published rate cards (current July 10, 2026). Pool figures from live 500,000-request US benchmarks per provider, enriched via IPinfo Max; Proxy-Seller measured by the identical method. Enforcement facts verified against Google GTIG, KrebsOnSecurity, BleepingComputer, SecurityWeek, and Alarum's SEC filings.

Sources

Comments:

0 comments