FBI, Google Disrupt NetNut Proxy Network and 2M Device Popa Botnet

Techpivo News
Quick Brief
  • FBI and Google seized NetNut domains on July 2, 2026.
  • The action disrupted the Popa botnet, which comprised at least two million compromised devices.
  • NetNut facilitated cybercrime, including ad fraud and account takeovers.

On July 2, 2026, the Federal Bureau of Investigation (FBI), in collaboration with Google and other industry partners, seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This action disrupted the Popa botnet, which comprised at least two million compromised consumer devices, largely smart TVs and streaming boxes, used to route malicious internet traffic for cybercriminals and espionage groups.

Major Cybercrime Infrastructure Dismantled

A coordinated international operation led by the Federal Bureau of Investigation (FBI) and Google's Threat Intelligence Group (GTIG) has significantly disrupted NetNut, a major residential proxy network linked to the "Popa" botnet. This enforcement action, which occurred on July 2, 2026, targeted hundreds of domains associated with the service, severely impacting its ability to facilitate cybercrime.

The Anatomy of NetNut and the Popa Botnet

NetNut, a service provided by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR), operated a vast network of residential proxies. Security researchers identified this network as the Popa botnet, which secretly co-opted at least two million consumer devices globally, including smart TVs and streaming boxes. These devices were transformed, without their owners' knowledge, into residential proxy nodes that routed illicit internet traffic for various malicious purposes. Reports from multiple security firms in June 2026 initially highlighted NetNut's connection to the Popa botnet, noting its use for activities like advertising fraud and account takeovers.

Coordinated Global Enforcement Action

The FBI, supported by the Internal Revenue Service Criminal Investigation (IRS-CI), replaced NetNut's homepage with an official seizure notice, confirming the coordinated takedown. This notice specifically acknowledged the crucial assistance from industry partners such as Google, Lumen Technologies, and the Shadowserver Foundation in dismantling the infrastructure tied to the Popa botnet. Google's Threat Intelligence Group (GTIG) revealed that NetNut's proxy network was extensively resold and white-labeled by numerous third-party providers, making it a preferred tool for cybercriminals seeking to conceal their malicious activities.

"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account." — Omer Weiss, Legal Counsel, Alarum Technologies

During a single week in June 2026, the GTIG observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes. These malicious actors employed the network for activities such as password spraying, advertising fraud, and account takeover attempts. Alarum Technologies, NetNut's parent company, acknowledged the seizure, stating its commitment to cooperation.

  • NetNut's software development kits (SDKs) were embedded in apps, often without clear user consent, turning devices into proxy nodes.
  • Compromised devices primarily included Android-based smart TVs and streaming boxes.
  • The network facilitated traffic for both cybercriminal and state-sponsored espionage groups.

What This Means

This significant disruption underscores the growing collaboration between law enforcement and technology companies in combating sophisticated cybercrime operations. The use of residential proxy networks like NetNut by malicious actors poses a unique challenge, as traffic routed through compromised home devices appears legitimate, bypassing traditional security defenses. For consumers, this action highlights the hidden risks associated with installing unofficial applications or purchasing inexpensive, off-brand smart devices that may secretly enlist their internet connections in illicit networks. The ongoing efforts by organizations like Google to disable command-and-control infrastructure and warn users through services like Google Play Protect are critical steps in protecting the broader digital ecosystem. Further information on the broader impact of such networks can be found in research on residential criminal proxies.

Key Points

  • The FBI and IRS Criminal Investigation, with Google's assistance, seized hundreds of domains linked to NetNut on July 2, 2026.
  • NetNut operated the Popa botnet, comprising at least two million compromised consumer devices, including smart TVs.
  • Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in a single week in June 2026.
  • Alarum Technologies, NetNut's parent company, is publicly traded on NASDAQ (ALAR).
  • NetNut's services were widely resold and white-labeled, enabling cybercriminals to mask their IP addresses.

The Bottom Line

The takedown of NetNut represents a substantial blow to the cybercrime ecosystem, particularly for those relying on residential proxies to anonymize their malicious traffic. While this operation has significantly degraded NetNut's capabilities, the fluid nature of these networks suggests that continuous vigilance and coordinated international efforts will be necessary to prevent their resurgence and adaptation. Users should remain cautious about the software they install and the devices they connect to their home networks.

Frequently Asked Questions

What is NetNut?
NetNut was a residential proxy service operated by the Israeli company Alarum Technologies, which allowed users to route internet traffic through compromised consumer devices.

What is the Popa botnet?
The Popa botnet was a network of at least two million consumer devices, primarily smart TVs and streaming boxes, secretly co-opted by NetNut to serve as proxy nodes for malicious traffic.

Who was involved in the NetNut takedown?
The takedown was a coordinated effort by the FBI, IRS Criminal Investigation, Google's Threat Intelligence Group, Lumen Technologies, and the Shadowserver Foundation.
