The Federal Bureau of Investigation (FBI) and Google, in collaboration with industry partners, seized hundreds of domains associated with NetNut on July 2, 2026. NetNut, a residential proxy service operated by Alarum Technologies, was found to power the Popa botnet, which compromised at least two million home devices for use in various cybercrimes. This coordinated action aims to significantly degrade the infrastructure used by cybercriminals and espionage groups.
Coordinated Law Enforcement Action Targets Malicious Proxy Service
On July 2, 2026, a significant international effort led by the Federal Bureau of Investigation (FBI) and Google successfully disrupted NetNut, a prominent residential proxy network. This action targeted the infrastructure of the Popa botnet, which leveraged millions of compromised home devices globally. The operation involved crucial support from the Internal Revenue Service Criminal Investigation (IRS-CI), Lumen Technologies, and the Shadowserver Foundation.
NetNut's Operations and Botnet Connections Uncovered
NetNut, a residential proxy service, is a subsidiary of the publicly traded Israeli company Alarum Technologies, listed on NASDAQ as ALAR. Security researchers, including those from Synthient and Qurium, initially published findings on June 19, 2026, connecting NetNut to the Popa botnet. This botnet reportedly compromised at least two million devices, including smart TVs and streaming boxes, turning them into proxy nodes without the owners' explicit consent. These devices were then rented out to relay abusive internet traffic, facilitating activities such as mass content scraping, advertising fraud, and account takeover attempts. The Google Threat Intelligence Group (GTIG) observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes in a single week during June 2026, including both cybercriminal and espionage groups.
Industry Partners Mobilize Against Cybercrime Infrastructure
The coordinated takedown saw NetNut's homepage replaced with a seizure banner from the FBI and IRS-CI. Google played a pivotal role, disabling accounts and services NetNut used for malware command and control (C2) operations, which violated Google's terms of service. The company also shared technical intelligence regarding NetNut's Software Development Kits (SDKs) and backend infrastructure with law enforcement and research firms to foster broader ecosystem-wide enforcement. Furthermore, Google Play Protect, Android's built-in security layer, was configured to warn users and disable applications known to incorporate NetNut SDKs.
"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account." — Omer Weiss, Corporate Legal Counsel, Alarum Technologies
Alarum Technologies acknowledged the FBI's seizure on July 2, 2026, stating its commitment to cooperate with investigators. This disruption builds on previous efforts, such as Google's action against the IPIDEA proxy network in January 2026. The Shadowserver Foundation, a non-profit security organization, contributed its expertise in analyzing malicious internet activity and supporting cybercrime investigations. The Shadowserver Foundation works with law enforcement globally to dismantle criminal infrastructure.
- Google disabled NetNut's command and control infrastructure.
- Technical intelligence on NetNut's SDKs was shared with partners.
- Google Play Protect now identifies and disables apps containing NetNut SDKs.
What This Means
The dismantling of the NetNut proxy network underscores the growing threat posed by residential proxy services that covertly enlist consumer devices. For professionals and developers, this highlights the critical need for vigilance against malicious SDKs embedded in seemingly innocuous applications, particularly those targeting smart home devices. The incident also emphasizes the effectiveness of coordinated efforts between law enforcement and technology companies in disrupting large-scale cybercriminal operations. Businesses relying on IP reputation for security should re-evaluate their strategies, as legitimate residential IP addresses can mask illicit traffic. Users should be cautious about installing unofficial software on smart TVs and streaming boxes, as these are common vectors for botnet recruitment.
Key Points
- The FBI and Google seized hundreds of domains associated with NetNut on July 2, 2026.
- NetNut, operated by Alarum Technologies, powered the Popa botnet, comprising at least two million compromised devices.
- Google Threat Intelligence Group observed 316 distinct threat clusters using NetNut in a single week during June 2026.
The Bottom Line
The successful disruption of NetNut and the Popa botnet represents a significant blow to the cybercrime ecosystem, demonstrating the power of inter-agency and industry collaboration. This event serves as a stark reminder of how everyday devices can be weaponized for illicit purposes. Ongoing vigilance from consumers and proactive security measures from developers are essential to counter the evolving tactics of malicious actors. We anticipate continued actions against similar residential proxy networks as law enforcement and tech firms refine their strategies to protect digital infrastructure.
