On July 2, 2026, the Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) seized hundreds of domains associated with NetNut, a major residential proxy service. This action, supported by Google and other industry partners, targeted infrastructure linked to the Popa botnet, which compromised at least two million consumer devices globally, and significantly disrupted a key tool for cybercriminals.
Coordinated Takedown Targets Abusive Proxy Network
In a significant international operation on July 2, 2026, the FBI and IRS Criminal Investigation division announced the seizure of numerous domains connected to NetNut, a prominent residential proxy service. This coordinated effort, which involved major technology companies, aimed to dismantle a network widely exploited by cybercriminals to mask illicit online activities.
NetNut's Link to the Popa Botnet Exposed
NetNut, operated by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR), functioned as a sprawling residential proxy network. Investigations by multiple security firms in June 2026 revealed that NetNut's infrastructure was deeply intertwined with the Popa botnet, a collection of at least two million consumer devices, including smart TVs and streaming boxes, compromised by malicious software. Without their owners' knowledge, these devices were converted into always-on proxy nodes, routing abusive internet traffic such as mass content scraping, advertising fraud, and account takeover attempts.
Industry Collaboration Leads to Major Disruption
The successful takedown was a result of extensive collaboration between law enforcement and industry partners, including Google, Lumen Technologies, and the Shadowserver Foundation. NetNut's homepage was replaced with an official FBI and IRS-CI seizure notice, signaling the immediate impact of the operation. The Google Threat Intelligence Group (GTIG) reported that NetNut's proxy network was frequently resold and white-labeled by third-party providers, making its services highly attractive to cybercriminals seeking to obfuscate their malicious traffic.
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." — Google Threat Intelligence Group spokesperson
During a single week in June 2026, GTIG observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes for various illicit purposes, including password-spraying attacks and accessing victim environments. This highlights the extensive misuse of the network by both cybercriminal and espionage groups.
- Hundreds of domains associated with NetNut were seized by federal authorities.
- Google disabled accounts and services used for NetNut's command-and-control infrastructure and updated Google Play Protect to identify and disable infected applications.
- The Popa botnet secretly hijacked Android-based smart TVs and streaming boxes by embedding deceptive software development kits (SDKs) into unofficial apps.
What This Means
This operation represents a significant blow to the cybercrime ecosystem, particularly to actors who rely on residential proxy networks to evade detection. The disruption of NetNut, following similar actions against services like IPIDEA earlier in 2026, underscores a growing trend of law enforcement and tech companies actively targeting the infrastructure that enables malicious online activity. For professionals and developers, it emphasizes the critical importance of supply chain security, especially concerning third-party SDKs in applications, and the need for robust network monitoring. Consumers should exercise caution with "free" streaming apps and ensure their smart devices are from reputable manufacturers, as compromised home devices can expose entire networks to threats.
Key Points
- The FBI and IRS-CI seized hundreds of domains linked to NetNut on July 2, 2026, disrupting a major residential proxy service.
- NetNut's operations were tied to the Popa botnet, which comprised at least two million compromised consumer devices globally.
- Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut exit nodes in a single week during June 2026.
The Bottom Line
The coordinated takedown of NetNut and its associated Popa botnet demonstrates a strengthened resolve among global law enforcement and tech giants to dismantle cybercriminal infrastructure. While this action will significantly impede malicious operations, the interconnected nature of the residential proxy market suggests that continuous vigilance and proactive measures are essential to prevent new services from emerging to fill the void. Ongoing collaboration and consumer awareness remain vital in the fight against these pervasive threats.
