CyberSecurity

FBI Seizes NetNut Proxy Platform, Popa Botnet Infrastructure Dismantled

Published

on

FBI Takes Down NetNut Proxy Network

The FBI has seized hundreds of domains linked to NetNut, a residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action, announced today, comes roughly two weeks after security researchers tied NetNut to the Popa botnet — a sprawling network of at least two million compromised devices.

Visitors to NetNut’s homepage now see a seizure banner from the FBI and the Internal Revenue Service Criminal Investigation division. The notice credits Google, Lumen, Shadowserver, and other industry partners for their help dismantling the infrastructure.

The Popa Botnet Connection

On June 19, three separate security firms published findings linking NetNut to the Popa botnet. Their research showed that NetNut distributes software for common household devices — smart TVs and streaming boxes — turning them into always-on residential proxy nodes. These nodes are then rented to customers, who use them to relay abusive traffic: mass content scraping, advertising fraud, and account takeover attacks.

The Google Threat Intelligence Group (GTIG) published a blog post today detailing how NetNut’s proxy network is widely resold and white-labeled by third-party providers. Cybercriminals heavily seek out these services to hide the source of their malicious traffic. In a single week during June 2026, GTIG observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including both criminal and espionage groups.

“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” GTIG wrote.

How NetNut Exposed Home Networks

Google’s analysis highlighted a dangerous side effect: when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means attackers can access other private devices on the same home network, effectively exposing them to internet threats. Google disabled accounts and services used by NetNut for malware command and control, and shared technical intelligence on NetNut’s software development kits (SDKs) with platform providers, law enforcement, and research firms.

Alarum Technologies Responds

Omer Weiss, legal counsel for NetNut parent Alarum Technologies, confirmed the company is aware of the seizure and cooperating with investigators. “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.

Benjamin Brundage, founder of proxy tracking service Synthient, said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it. “I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said.

Ripple Effects Across the Cybercrime Ecosystem

Brundage noted that NetNut’s apparent demise is a major blow to the cybercrime community, which was already reeling from legal actions by Google earlier this year that seized infrastructure for IPIDEA, NetNut’s biggest competitor. “NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it,” he said.

The takedown may also reduce the impact of large distributed denial-of-service botnets built on poorly configured residential proxy services. In January, Synthient revealed how cybercriminals built the world’s largest DDoS botnet (Kimwolf) by tunneling through IPIDEA proxy connections into TV box owners’ local networks.

Google Warns of Resilient Proxy Networks

Google reckons today’s actions have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” But the company warns that proxy networks can rebuild themselves by reselling other proxy services, as IPIDEA has done. “Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes.

“While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient,” Google wrote. “We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”

What This Means for Consumers

KrebsOnSecurity has repeatedly warned that most no-name TV streaming boxes sold on major e-commerce websites either come pre-installed with residential proxy software or require installing proxy SDKs to use the device for streaming pirated content. Google’s advice is straightforward: stick to name-brand TVs from reputable manufacturers, and be sparing with the apps you install.

The sketchy TV boxes commandeered by the Popa botnet all run unofficial Android operating systems outside Google’s Official Play Protect store. Google says consumers can check whether a device is built with the official Android TV OS and Play Protect certification by following instructions on its support site.

Even people without streaming boxes can find their smart TVs enrolled in proxy networks. A report from proxy tracking company Spur last month found 42 percent of apps available for LG’s webOS operating system include SDKs that turn the TV into an always-on proxy node. More than a quarter of apps for Samsung’s Tizen OS had similar components.

The FBI’s NetNut seizure sends a clear message, but the battle against residential proxy networks is far from over. As Google noted, these networks are fluid and interconnected — taking down one operator often means others simply buy capacity from competitors. For now, the Popa botnet has been dealt a serious blow. But the ecosystem will adapt.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version