On July 2, 2026, the Federal Bureau of Investigation (FBI), in collaboration with Google and other industry partners, seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This action disrupted the Popa botnet, which comprised at least two million compromised consumer devices, largely smart TVs and streaming boxes, used to route malicious internet traffic for cybercriminals and espionage groups.
Major Cybercrime Infrastructure Dismantled
A coordinated international operation led by the Federal Bureau of Investigation (FBI) and Google's Threat Intelligence Group (GTIG) has significantly disrupted NetNut, a major residential proxy network linked to the "Popa" botnet. This enforcement action, which occurred on July 2, 2026, targeted hundreds of domains associated with the service, severely impacting its ability to facilitate cybercrime.
The Anatomy of NetNut and the Popa Botnet
NetNut, a service provided by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR), operated a vast network of residential proxies. Security researchers identified this network as the Popa botnet, which secretly co-opted at least two million consumer devices globally, including smart TVs and streaming boxes. Without their owners' knowledge, these devices were turned into residential proxy nodes that routed illicit internet traffic for various malicious purposes. Reports from multiple security firms in June 2026 initially highlighted NetNut's connection to the Popa botnet, noting its use for activities like advertising fraud and account takeovers.
Coordinated Global Enforcement Action
The FBI, supported by the Internal Revenue Service Criminal Investigation (IRS-CI), replaced NetNut's homepage with an official seizure notice, confirming the coordinated takedown. This notice specifically acknowledged the crucial assistance from industry partners such as Google, Lumen Technologies, and the Shadowserver Foundation in dismantling the infrastructure tied to the Popa botnet. Google's Threat Intelligence Group (GTIG) revealed that NetNut's proxy network was extensively resold and white-labeled by numerous third-party providers, making it a preferred tool for cybercriminals seeking to conceal their malicious activities.
"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account." — Omer Weiss, Legal Counsel, Alarum Technologies
During a single week in June 2026, GTIG observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes. These malicious actors employed the network for activities such as password spraying, advertising fraud, and account takeover attempts. Alarum Technologies, NetNut's parent company, acknowledged the seizure, stating its commitment to cooperation.
- NetNut's software development kits (SDKs) were embedded in apps, often without clear user consent, turning devices into proxy nodes.
- Compromised devices primarily included Android-based smart TVs and streaming boxes.
- The network facilitated traffic for both cybercriminal and state-sponsored espionage groups.
What This Means
This significant disruption underscores the growing collaboration between law enforcement and technology companies in combating sophisticated cybercrime operations. The use of residential proxy networks like NetNut by malicious actors poses a unique challenge, as traffic routed through compromised home devices appears legitimate, bypassing traditional security defenses. For consumers, this action highlights the hidden risks associated with installing unofficial applications or purchasing inexpensive, off-brand smart devices that may secretly enlist their internet connections in illicit networks. The ongoing efforts by organizations like Google to disable command-and-control infrastructure and warn users through services like Google Play Protect are critical steps in protecting the broader digital ecosystem. Further information on the broader impact of such networks can be found in research on residential criminal proxies.
Key Points
- The FBI and IRS Criminal Investigation, with Google's assistance, seized hundreds of domains linked to NetNut on July 2, 2026.
- NetNut operated the Popa botnet, comprising at least two million compromised consumer devices, including smart TVs.
- Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in a single week in June 2026.
- Alarum Technologies, NetNut's parent company, is publicly traded on NASDAQ (ALAR).
- NetNut's services were widely resold and white-labeled, enabling cybercriminals to mask their IP addresses.
The Bottom Line
The takedown of NetNut represents a substantial blow to the cybercrime ecosystem, particularly for those relying on residential proxies to anonymize their malicious traffic. While this operation has significantly degraded NetNut's capabilities, the fluid nature of these networks suggests that continuous vigilance and coordinated international efforts will be necessary to prevent their resurgence and adaptation. Users should remain cautious about the software they install and the devices they connect to their home networks.
