Seizing a residential proxy service takes down the storefront. It does not take back the stock. On July 2, 2026, the FBI and the Internal Revenue Service Criminal Investigation division, working with Google, Lumen, and Shadowserver, seized hundreds of domains tied to NetNut, a large residential proxy service, and replaced its site with a seizure notice. That is good news, and most of the coverage read that way. The part that matters more for anyone defending a login page: the roughly two million hacked devices that made NetNut useful are still hacked.
What the July 2 seizure covered
NetNut sold access to residential internet connections. An attacker who buys a residential proxy routes traffic through a real home broadband line, so a login attempt or a scraping run looks like it came from an ordinary consumer instead of a data center. That is the whole value of the service: it launders the source of the traffic.
The takedown hit the infrastructure that sold and coordinated that access. Agents seized hundreds of NetNut domains and the backend that ran them, and Google disabled the accounts and apps tied to the operation. The service is run by Alarum Technologies (NASDAQ: ALAR), an Israeli firm listed on a United States exchange, whose legal counsel said it would cooperate with law enforcement. Researchers connect NetNut to a botnet tracked as Popa. Alarum rejects the botnet label and says its software does consensual bandwidth sharing, so treat operator intent as an open question rather than a settled fact. What is not in dispute is the supply.
Google's own framing is the tell. Its Threat Intelligence Group described the action as degrading the network rather than killing it, cutting the pool of usable devices by millions. Degrading, not killing. Hold onto that word.
The two million devices are the part that did not change
A residential proxy network is only as valuable as the number of real homes it can route through. NetNut's supply was roughly two million compromised devices: smart TVs, streaming boxes, and off-brand Android TV hardware, many of them enrolled with little or no consent from the people who own them. Some shipped with the proxy code already on cheap gear. Others picked it up through apps that promised to pay for spare bandwidth.
None of those devices got patched on July 2. A domain seizure changes what the operator can sell and coordinate. It does nothing to the television in someone's living room that is still running the malware. Those devices will keep beaconing out, and the demand that rented them does not evaporate. It moves. We have watched this exact shape before with router botnets, where the forgotten device on the network keeps scanning for the next operator long after any headline has faded.
Why blocking proxy IP ranges was never the control
Here is the detail that did not make most of the takedown coverage, and it is the one defenders should sit with. Google assessed with high confidence that many well-known residential proxy brands are quietly reselling the same NetNut supply under their own names. If you were blocking one proxy vendor's address ranges, you were not blocking the pool. You were blocking one label on it.
We made the same argument in June, when researchers first tied the Popa botnet to NetNut: a hacked home IP address is not evidence of a safe request. The takedown is the proof. In a single week in June, Google counted 316 separate attacker groups routing password-guessing and other activity through NetNut exit nodes. Those groups did not rely on the service because it was cheap. They relied on it because residential addresses defeat the reputation and geolocation checks that many fraud and login defenses still lean on.
An address that belongs to a broadband subscriber carries a good reputation by default. When two million of those addresses are for rent, that reputation stops being a signal at all. It was true the day before the seizure and it is true the day after.
Treat residential IPs as untrusted by default
The seizure is worth something. It raises the cost of running this particular service, and it gives two million device owners a reason to look at what their smart TV is doing at night. But it does not change the work on your side, and reading it as a reason to relax the login defenses you already run would be a mistake.
For anyone protecting accounts or an authentication endpoint, the concrete steps:
- Stop using a residential IP address, its geolocation, or its reputation score as a trust signal on its own. It can feed a risk score. It cannot be the deciding vote.
- Detect on behavior instead: the velocity of attempts against one account, one client touching many accounts, impossible travel between sessions, and sudden shifts in device or browser fingerprint on a known account.
- Assume credential-stuffing traffic will look residential and geographically normal. Rate-limit and challenge on the pattern, not the source address.
- Keep multi-factor authentication on every account that matters. It is the control that holds when the attacker's source looks perfectly ordinary. Watch for the password-spray runs that quietly probe for the accounts that lack it.
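The behavior-based detection in the list above, sketched as an added example (not code from the original article). It covers three of the listed signals: failure velocity on one account, one client fanning out across accounts, and a fingerprint shift on a known account. The event fields, thresholds, fingerprint strings and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300                 # seconds (assumed)
MAX_FAILS_PER_ACCOUNT = 5    # assumed threshold
MAX_ACCOUNTS_PER_CLIENT = 3  # assumed threshold

def detect(events, known_fp):
    """events: time-ordered dicts (ts, ip, account, fp, ok); known_fp maps
    account -> fingerprints seen before. The source IP is never consulted."""
    fails = defaultdict(deque)    # account -> timestamps of recent failures
    touched = defaultdict(deque)  # fingerprint -> recent (ts, account) attempts
    alerts, fired = [], set()

    def alert(ts, rule, subject):
        if (rule, subject) not in fired:  # report each rule/subject pair once
            fired.add((rule, subject))
            alerts.append((ts, rule, subject))

    for e in events:
        ts, acct, fp = e["ts"], e["account"], e["fp"]
        if not e["ok"]:  # velocity of failures against one account, any source
            q = fails[acct]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= MAX_FAILS_PER_ACCOUNT:
                alert(ts, "account_velocity", acct)
        t = touched[fp]  # one client touching many accounts
        t.append((ts, acct))
        while ts - t[0][0] > WINDOW:
            t.popleft()
        if len({a for _, a in t}) >= MAX_ACCOUNTS_PER_CLIENT:
            alert(ts, "client_fanout", fp)
        # success from a fingerprint never seen on a known account
        if e["ok"] and acct in known_fp and fp not in known_fp[acct]:
            alert(ts, "fingerprint_shift", acct)
    return alerts

# Constructed sample: each attempt exits from a different address
# (RFC 5737 documentation range), so per-IP counters would never trip.
ATTEMPTS = [("alice", "fp-bot", False)] * 5 + [
    ("bob", "fp-bot", False), ("carol", "fp-bot", False),
    ("alice", "fp-bot", True), ("bob", "fp-bob", True)]
SAMPLE = [{"ts": 10 * i, "ip": f"203.0.113.{i + 1}", "account": a, "fp": f, "ok": ok}
          for i, (a, f, ok) in enumerate(ATTEMPTS)]
KNOWN = {"alice": {"fp-home"}, "bob": {"fp-bob"}}

if __name__ == "__main__":
    for a in detect(SAMPLE, KNOWN):
        print(a)
```

Every event in the sample arrives from a distinct address, so a per-IP rate limit sees nine clients making one request each, while the account and fingerprint keys surface all three patterns.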
Enforcement takedowns are good, and we should want more of them. They are also not remediation. We saw the same lesson when police scrubbed the SocGholish malware from thousands of sites and the way in stayed open. The infrastructure changes. The technique does not. NetNut's storefront is gone. The two million devices, and the 316 groups that were happy to pay for them, are already looking for the next one. Build the detection that does not care which name is on the door.