On July 2, 2026, the FBI, IRS Criminal Investigation, Google, Lumen, and Shadowserver executed a coordinated seizure of NetNut's domain infrastructure. NetNut's parent company, publicly-traded Israeli firm Alarum Technologies (NASDAQ: ALAR), had been linked by security researchers at Qurium, Synthient, Nokia Deepfield, and Spur to the Popa botnet, a network of at least 2 million compromised smart TVs, streaming boxes, and Android devices (Google Cloud Blog, July 2026). Google's Threat Intelligence Group documented 316 distinct threat clusters routing through NetNut exit nodes in a single week of June 2026.
Quick Summary TLDR
Quick Summary TLDR
- 1NetNut was seized July 2, 2026 after the FBI, Google, and multiple security firms linked it to the Popa botnet (2M+ compromised devices, 316 threat clusters in one week).
- 2Its SDK was pushed into consumer apps and smart TV firmware without meaningful consent: no visible popup, no opt-in flow. Every pre-2026 'netnut alternative' article is outdated.
- 3VoidMob's rotating tier uses an ISO 27001 and ISO 27701 certified SDK network with explicit opt-in consent, from $3.99/GB.
- 4VoidMob's dedicated tier runs on proprietary in-house mobile hardware with real SIMs and no SDK at all, from $69/month with unlimited data.
New customers cannot buy NetNut in 2026. The netnut.com homepage displays an FBI seizure banner. Every "netnut alternative" article written before July 2026 treats NetNut as a legitimate benchmark; the seizure and the underlying botnet findings changed that assumption entirely. This comparison covers what replaces NetNut in 2026, framed around what actually matters after the takedown: ethical IP sourcing that survives legal scrutiny.
What Happened to NetNut in July 2026
The takedown followed roughly two weeks of security industry reporting. In mid-June 2026, Qurium, Synthient, Nokia Deepfield, and Spur independently connected the Popa botnet to NetNut's proxy infrastructure through controlled tests. Synthient's method was direct: traffic routed into NetNut's commercial gateway came out through a device the firm had separately enrolled in Popa. Google's Threat Intelligence Group aligned its own findings with the researchers' public reports.
On July 2, 2026, Google disabled NetNut's command-and-control accounts and services on its own infrastructure. The FBI and IRS Criminal Investigation seized hundreds of domains tied to the network. Google Play Protect was updated to warn users and disable apps containing the compromised SDKs (BleepingComputer, July 2026).
Alarum Technologies confirmed the seizure through legal counsel and stated it would cooperate with investigators, while disputing the botnet characterization. The company has historically marketed its product as consented bandwidth sharing. Security researchers and Google's own reporting maintain the underlying evidence: NetNut's device pool was largely built through SDKs bundled into consumer apps and smart TV firmware without meaningful user consent (The Hacker News, July 2026).
For anyone with active NetNut integrations, the practical situation is straightforward: netnut.com is dark, API endpoints return connection errors, and Google Play Protect is actively flagging affected apps.
Why NetNut's Model Failed: The Consent Flow Gap
Understanding why NetNut was seized matters because it changes what buyers should verify when picking a replacement.
The core issue was the consent flow at the SDK level. NetNut's mobile IP supply came from an SDK embedded into consumer applications and smart TV firmware. In practice, this meant users installing a free streaming app or setting up a cheap Android TV box had no visible notice that their bandwidth was being resold to a proxy network. No first-launch popup asking "do you agree to share your idle bandwidth?" No consent screen at all. Any language around bandwidth sharing that did exist was buried inside a terms-of-service document that most users never open. Security researchers analyzing the network found proxy SDKs bundled into consumer streaming apps and smart TV firmware without proper user disclosure.
Compare this to how an ethically-consented SDK actually works. When a developer integrates an ethical proxy SDK into their app, the SDK triggers an explicit consent dialog on first launch: a clear popup that says the app can share the device's idle bandwidth in exchange for some benefit (an ad-free experience, unlocked premium features), with an accept-or-decline choice, and the ability to revoke consent later in the app settings. That is the difference between a legal Peer-to-Business model and a botnet monetized as a commercial proxy service.
NetNut skipped the popup. That is what Google, the FBI, and the security research community treated as the disqualifying signal, and it is what led directly to the seizure.
An ethical mobile proxy provider in 2026 needs to demonstrate three things:
- Explicit opt-in consent from every device owner contributing bandwidth, delivered through a visible first-launch dialog, with revocable acceptance
- Independent security audits by recognized third-party firms
- Published compliance certifications aligned with GDPR, CCPA, and app store guidelines
Providers that cannot document all three are the ones most likely to end up on the next FBI seizure list.
VoidMob's Two-Tier Ethical Architecture
VoidMob covers both the rotating and dedicated ends of the mobile proxy market with two distinct sourcing models, both designed to hold up under legal review.
Shared and Rotating Tier: Ethically-Consented SDK Network
Mobile IPs on VoidMob's rotating tier come from an ethically-consented SDK network operating on a Peer-to-Business model. End users of participating apps see the explicit consent dialog described above, opt in knowingly in exchange for value from the app (ad-free experience, premium features), and can revoke consent at any time.
The SDK network carries ISO 27001 and ISO 27701 certifications, plus independent security audits from NCC Group and Halborn. It is compatible with Google Play and Apple App Store guidelines and aligned with GDPR and CCPA requirements. This is the exact opposite of NetNut's model: transparent developer relationships, published audits, and documented user consent flows.
The pool covers 11M+ mobile IPs across global carriers with rotating sessions, sticky sessions, and geo-targeting by country and carrier. Protocol support covers HTTP, HTTPS, and SOCKS5. Rotating pricing starts at $3.99/GB (1GB) and scales down with volume to $2.50/GB at 100GB, with custom pricing above 250GB.
Dedicated Tier: Proprietary In-House Hardware
The dedicated tier is the ultimate ethical answer because there is no SDK at all. VoidMob operates real mobile device hardware in-house: actual SIM cards in actual modems and mobile devices, sourced directly from mobile carriers. No SDK. No consent chain to verify. VoidMob owns and controls the entire IP source and exit path.
This is a stronger integrity claim than any SDK-sourced provider can make. It also unlocks technical capabilities that shared pools cannot offer:
- Configurable p0f TCP/IP fingerprinting per port, matched to the OS the client claims to be
- Carrier-native DNS resolution to eliminate DNS ASN mismatch
- Long sticky sessions of hours to days without IP contamination from other users
- Full protocol stack: HTTP, HTTPS, SOCKS5, VLESS over Xray with REALITY transport, OpenVPN, and UDP
- MCP support for AI agent scraping workflows
Dedicated pricing starts at $69/month with unlimited data.
Feature Comparison
| Feature | NetNut (Pre-Seizure) | VoidMob |
|---|---|---|
| Status (2026) | Seized July 2, 2026 | Active |
| Mobile IP Pool | 5M+ claimed | 11M+ (rotating) plus dedicated in-house hardware |
| Country Coverage | 100 claimed | Global |
| Architecture | Single proxy pool | Rotating + Dedicated |
| Protocols | HTTP, HTTPS, SOCKS5 | HTTP, HTTPS, SOCKS5, VLESS over Xray REALITY, OpenVPN, UDP |
| p0f TCP/IP Matching | Not documented | Yes |
| Carrier-Native DNS | Not documented | Yes |
| MCP Support | No | Yes |
| SDK Consent Flow | Hidden or absent; buried in ToS | Explicit first-launch opt-in popup, revocable |
| Independent Audits | None published | NCC Group, Halborn |
| Compliance Certifications | ISO 27001 | ISO 27001, ISO 27701, ISO 22301, ISO 20000 |
| App Store Compatibility | Banned by Google Play Protect (July 2026) | Compatible with Google Play and Apple App Store |
Pricing Comparison
NetNut's historical pricing tiers ran from $99/month (Starter, 13GB, $7.60/GB) up to $4,500/month (Master, 1TB, $4.50/GB), with Advanced at $250/month (34GB, $7.35/GB) and Professional at $1,999/month (340GB, $5.88/GB). These prices are no longer purchasable since the July 2 seizure.
VoidMob's rotating tier starts at $3.99/GB (1GB entry) and scales down to $2.50/GB at 100GB, which undercuts NetNut's per-GB rate at every tier including the largest 1TB plan. Custom pricing applies above 250GB.
The dedicated tier from $69/month with unlimited data eliminates per-GB accounting entirely for teams running sustained workflows. For price intelligence at scale, ad verification programs, or SEO monitoring across regions, the fixed monthly cost against unlimited bandwidth changes the operational math substantially compared to per-GB models.
| Plan Tier | NetNut (Pre-Seizure) | VoidMob |
|---|---|---|
| Entry | $99/month, 13GB, $7.60/GB | $3.99/GB, 1GB entry |
| Mid | $250/month, 34GB, $7.35/GB | $250 for 100GB ($2.50/GB) |
| High Volume | $1,999/month, 340GB, $5.88/GB | Custom pricing above 250GB |
| Enterprise | $4,500/month, 1TB, $4.50/GB | Custom pricing above 250GB |
| Dedicated | Not offered | From $69/month, unlimited data |
Protocol Depth: The Dedicated Tier Advantage
Every provider in this space supports HTTP and SOCKS5. In 2026, that is not enough for legitimate access on DPI-heavy or censored regional networks. Standard SOCKS5 and HTTP CONNECT carry recognisable protocol-level signatures at the network layer, which is why bot-management and DPI systems treat them as low-trust traffic (FingerprintJS, 2025).
VoidMob's dedicated tier adds three transports that no NetNut-class provider offers:
VLESS over Xray with REALITY transport. Presents a legitimate TLS 1.3 handshake to a real domain, so traffic reads as ordinary HTTPS rather than as a distinct proxy protocol. Built for reliable connectivity through deep-packet-inspection filtering on restrictive networks.
OpenVPN. Standard VPN transport for setups already standardised on it.
UDP. Real UDP relay (not TCP-only SOCKS5), which enables workflows that require UDP-based protocols (real-time voice, QUIC, gaming, some P2P). True UDP support is a strong indicator of exclusive device control on the provider side.
Combined with configurable p0f TCP/IP fingerprinting per port and carrier-native DNS resolution, the dedicated tier is designed for coherence across all layers detection systems check: IP class, TCP fingerprint, TLS handshake, and DNS ASN all aligning to a real mobile device profile.
For scraping pipelines running as autonomous AI agents, VoidMob's MCP (Model Context Protocol) support means Claude, ChatGPT, Cursor, and Gemini agents can route requests through the mobile infrastructure through the standard protocol they already use, without custom adapter code.
How to Migrate Off NetNut
For teams affected by the seizure, the practical migration path has four steps.
1. Confirm exposure. Identify every integration point that touches NetNut infrastructure. Backend proxy configurations, SDK dependencies in mobile apps, third-party services that resold NetNut as a source, and any managed services that used NetNut IPs behind the scenes. For Android apps, check the codebase and APK manifests for any proxy SDK references.
2. Follow Google Play Protect guidance. Devices with apps containing NetNut-linked SDKs are receiving active warnings. If your organization distributes apps via sideloading or enterprise MDM, scan the APK library against Google's updated malware definitions.
3. Swap proxy endpoints. For scraping and automation workflows, replace NetNut gateway hostnames (now unresolvable) with the new provider's endpoints. Standard HTTP and SOCKS5 integrations require only changing the gateway hostname, port, and credentials. For more advanced protocol options (VLESS, OpenVPN), the new provider's dashboard should generate config files on activation.
4. Re-evaluate consent exposure. Review whether any business processes relied on data collected through IPs that turn out to have been sourced from compromised consumer devices. Depending on jurisdiction and use case, this may be worth discussing with legal counsel. Moving to a provider with documented consent flows, published third-party audits, and international compliance certifications is the baseline going forward.
Intended use
Ethical mobile proxies are for legitimate work: price and market intelligence, ad verification, brand protection, SEO monitoring, and accessing content on restrictive networks. They are not appropriate for fraud, credential abuse, engagement manipulation, or any activity that violates a target platform's Terms of Service.
FAQ
1What happened to NetNut in 2026?
On July 2, 2026, the FBI, IRS Criminal Investigation, Google, Lumen, and Shadowserver executed a coordinated seizure of NetNut's domain infrastructure after security researchers linked NetNut's parent company (Alarum Technologies, NASDAQ: ALAR) to the Popa botnet of at least 2 million compromised smart TVs, streaming boxes, and Android devices. NetNut is not available to new customers, and existing endpoints return connection errors.
2What is the best NetNut alternative in 2026?
For rotating mobile proxies with ethical sourcing, VoidMob's shared tier uses an ISO 27001 and ISO 27701 certified SDK network with explicit opt-in consent, starting at $3.99/GB. For hardened workflows requiring session persistence, session coherence, or protocol depth beyond HTTP and SOCKS5, VoidMob's dedicated tier runs on proprietary in-house mobile hardware from $69/month with unlimited data.
3Is NetNut coming back?
Unlikely in its current form. Domain seizures by FBI-led coalitions involving Google and Lumen typically result in permanent shutdowns of the seized infrastructure. Alarum Technologies faces ongoing investigation. Google has stated its actions caused significant degradation to NetNut's network and business operations.
4How do I check if my apps use the NetNut SDK?
Google Play Protect is now actively warning end users and disabling apps that contain the compromised SDKs. For Android developers, review dependencies and APK manifests for any proxy SDK integrations. Google has shared technical data with the security community to help identify affected code, and Google Play Protect flags installed apps on user devices directly.
5What is an ethically-sourced mobile proxy provider?
A provider whose IP supply comes from documented opt-in consent from device owners, delivered through a visible first-launch popup in the participating app, backed by independent third-party security audits and international compliance certifications (ISO 27001, ISO 27701, SOC 2, or equivalents). The consent must be revocable, and the SDK must be compatible with major app store guidelines rather than hidden inside sideloaded apps or firmware.
6What is a legal alternative to NetNut for mobile proxies?
Ethically-sourced mobile proxy providers using audited opt-in SDKs with explicit consent flows are the working replacement class. VoidMob covers both rotating mobile through an ISO-certified SDK network with published audits and dedicated mobile through proprietary in-house hardware with no SDK dependency at all.
7How does VoidMob's dedicated tier differ from the rotating tier?
Rotating uses an ISO 27001 and ISO 27701 certified SDK network with explicit opt-in consent, 11M+ mobile IPs, and standard HTTP, HTTPS, SOCKS5 protocol support. Dedicated runs on VoidMob's own mobile device hardware with real SIMs, no SDK at all. Dedicated adds configurable p0f TCP/IP fingerprinting, carrier-native DNS, VLESS over Xray REALITY, OpenVPN, UDP transport, and MCP support for AI agent workflows.
8Can existing NetNut API integrations work with VoidMob?
Standard HTTP and SOCKS5 proxy integrations require only changing the gateway hostname, port, and credentials. More advanced protocol options like VLESS and OpenVPN require config updates, which VoidMob's dashboard generates on activation.
Wrapping Up
Every "alternative to NetNut" article written before July 2026 treated NetNut as a legitimate benchmark. The FBI seizure and the underlying Popa botnet evidence changed that assumption entirely. The differentiator in the mobile proxy market in 2026 is no longer speed, pool size, or price alone. It is whether the IP source can survive legal scrutiny, and the concrete test for that is whether users saw a visible opt-in popup before their bandwidth was used.
VoidMob covers the ethical replacement path with a two-tier architecture. Rotating mobile through an ISO 27001 and ISO 27701 certified SDK network with explicit user consent, audited by NCC Group and Halborn. Dedicated mobile on proprietary in-house hardware with real SIMs, no SDK, and full protocol depth including VLESS over Xray REALITY, OpenVPN, UDP, plus configurable p0f TCP/IP fingerprinting, carrier-native DNS, and MCP support for AI agent workflows.
Rotating starts at $3.99/GB. Dedicated starts at $69/month with unlimited data. Both undercut NetNut's historical pricing at every tier, with the added assurance that the IP source is ethically documented and legally defensible.
Ethical mobile proxies that survive legal scrutiny
Rotating from $3.99/GB on an ISO-certified consented SDK network, or dedicated in-house hardware from $69/month with unlimited data. No hidden SDK, no consent chain to audit.
For a broader look at the current mobile proxy landscape, the 2026 mobile proxies for web scraping comparison covers the wider provider set, and the Bright Data alternative comparison covers the parallel consolidation event triggered by Bright Data's April 2026 mobile sunset.
