FBI, Google Dismantle NetNut Proxy Network Powering Popa Botnet

Techpivo News

The Federal Bureau of Investigation (FBI) and Google have coordinated a significant international operation, seizing hundreds of domains associated with NetNut, a major residential proxy service. This action, announced on July 2, 2026, targets the infrastructure of the Popa botnet, which compromised over two million consumer devices globally to facilitate cybercriminal activities.

Law Enforcement Targets Malicious Proxy Operations

On July 2, 2026, the Federal Bureau of Investigation (FBI), in collaboration with the Internal Revenue Service Criminal Investigation (IRS-CI) and industry partners, announced the seizure of numerous domains linked to NetNut. This residential proxy service, operated by the publicly traded Israeli company Alarum Technologies, allegedly powered the extensive Popa botnet.

The Rise of the Popa Botnet

The Popa botnet, a vast network of at least two million compromised devices, primarily consisted of consumer electronics like smart TVs and streaming boxes. These devices were unknowingly transformed into residential proxy nodes through malicious software development kits (SDKs) embedded in unofficial applications or pre-installed on inexpensive hardware. Security firms, including Qurium, Synthient, Nokia Deepfield, and Spur, had previously linked the Popa botnet to NetNut in June 2026, approximately two weeks before the federal seizure.

Coordinated Disruption Efforts

The coordinated action involved extensive collaboration between the FBI, IRS-CI, and leading technology entities such as Google, Lumen Technologies, and the Shadowserver Foundation. Google's Threat Intelligence Group (GTIG) played a critical role, publishing a blog post on July 2, 2026, detailing NetNut's operation and its use by cybercriminals.

"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." — Google Threat Intelligence Group, Official Blog Post

Google's efforts included disabling accounts and services used by NetNut for malware command-and-control (C2) and updating Google Play Protect to automatically warn Android users and disable compromised applications. This multi-faceted approach aimed to prevent the network from easily rebuilding.

  • Hundreds of domains associated with NetNut were seized by the FBI and IRS-CI.
  • The Popa botnet comprised at least two million devices, primarily Android-based smart TVs and streaming boxes.
  • In a single week during June 2026, GTIG observed 316 distinct clusters of threat actors utilizing NetNut exit nodes for malicious activities.

What This Means

The disruption of NetNut and the Popa botnet highlights the growing threat of residential proxy networks that leverage unsuspecting consumer devices for illicit purposes. For professionals and developers, this operation underscores the importance of supply chain security for internet-connected devices and the need for robust threat intelligence sharing. The use of compromised home internet connections to mask malicious traffic, including mass content scraping, advertising fraud, and account takeover attempts, poses a significant challenge for cybersecurity defenses. This action by law enforcement and tech giants demonstrates a strengthened resolve to dismantle such pervasive infrastructure, but also signals that the battle against these sophisticated networks is ongoing. Understanding supply chain risks is more crucial than ever.

Key Points

  • The FBI and IRS Criminal Investigation seized hundreds of domains linked to the NetNut residential proxy service on July 2, 2026.
  • NetNut was identified as the operator of the Popa botnet, which compromised over two million consumer devices globally.
  • Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in a single week in June 2026 for cybercriminal and espionage activities.
  • Alarum Technologies, NetNut's parent company, acknowledged the seizure and pledged full cooperation with law enforcement.
  • The operation involved a broad coalition of partners including Google, Lumen Technologies, and the Shadowserver Foundation.

The Bottom Line

The coordinated takedown of NetNut and the Popa botnet represents a significant blow to a key piece of cybercriminal infrastructure. While Alarum Technologies, NetNut's owner, has stated its commitment to cooperation, the incident highlights the complex interplay between legitimate commercial services and their potential misuse for malicious activities. This disruption follows similar actions against other proxy networks, indicating a sustained effort by global law enforcement and tech companies to combat these pervasive threats. Further details from Google's Threat Intelligence Group provide deeper insight into the technical aspects of the disruption. Professionals should remain vigilant regarding the security of connected devices and the origins of internet traffic, as threat actors will likely seek alternative methods to obscure their operations.
