FBI, IRS Seize NetNut Proxy Network Linked to Popa Botnet

Techpivo News
Quick Brief
  • FBI and IRS-CI seized NetNut proxy platform.
  • Operation targeted Popa botnet, compromising millions of devices.
  • Industry partners like Google, Lumen, Shadowserver assisted.
Key Points
  1. FBI and IRS-CI seized NetNut domains on July 2, 2026.
  2. NetNut was a residential proxy service tied to the Popa botnet.
  3. Popa botnet compromised over two million devices for malicious traffic.
  4. Google observed 316 threat actor clusters using NetNut in June 2026.
  5. Industry partners aided the takedown of the botnet infrastructure.

The Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) have successfully seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This action, announced on July 2, 2026, targets the infrastructure of the Popa botnet, which compromised at least two million devices globally, turning them into proxy nodes for malicious internet traffic.

U.S. Authorities Dismantle Major Proxy Infrastructure

United States law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI), announced on July 2, 2026, the seizure of numerous internet domains linked to NetNut. This operation targeted a significant residential proxy service, which had been identified as a core component of the Popa botnet.

NetNut's Role in the Popa Botnet Ecosystem

NetNut, a residential proxy service managed by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR), was found to be integral to the Popa botnet. Security researchers, as early as June 19, 2026, published findings detailing how NetNut's network populated the Popa botnet, which comprised at least two million compromised devices. These devices, often consumer electronics like smart televisions and streaming boxes, were unwittingly converted into proxy nodes. These nodes were then rented out to facilitate abusive internet activities, including mass content scraping, advertising fraud, and account takeover attempts. The FBI's seizure notice, which replaced NetNut's homepage, explicitly thanked industry partners such as Google, Lumen, and Shadowserver for their crucial assistance in this complex investigation. For more information on botnet operations, refer to Wikipedia's botnet overview.

Google Details Criminal Exploitation

The Google Threat Intelligence Group (GTIG) provided extensive details regarding the illicit use of NetNut's infrastructure. In a blog post published on July 2, 2026, GTIG highlighted that NetNut's proxy network was widely resold and white-labeled by numerous third-party proxy providers. Cybercriminals actively sought these services to obscure the origins of their malicious traffic.

"NetNut's proxy network was extensively utilized by cybercriminals to mask their activities, observing 316 distinct clusters of threat actors in a single week in June 2026." — Google Threat Intelligence Group Blog, July 2, 2026

GTIG's analysis revealed a significant scale of abuse. In a single week during June 2026, the group observed 316 distinct clusters of threat actors actively employing these suspect services. This widespread adoption by malicious actors underscored the critical need for law enforcement intervention.

  • NetNut's services were resold and white-labeled by numerous third-party providers.
  • Cybercriminals used the network to obfuscate the source of their malicious online activities.
  • The Popa botnet, powered by NetNut, comprised at least two million compromised devices.

What This Means

This coordinated law enforcement action against NetNut and the Popa botnet represents a significant disruption to the infrastructure underpinning various forms of cybercrime. For professionals and developers, it highlights the persistent threat of compromised consumer devices being weaponized for illicit purposes. The operation also underscores the growing importance of public-private partnerships in combating sophisticated cyber threats. Companies like Alarum Technologies, operating services that can be abused, face increased scrutiny and legal consequences when their platforms facilitate widespread criminal activity.

Key Points

  • The FBI and IRS Criminal Investigation seized hundreds of domains associated with NetNut on July 2, 2026.
  • NetNut, operated by Alarum Technologies, was a residential proxy service linked to the Popa botnet.
  • The Popa botnet compromised at least two million devices, including smart TVs, turning them into proxy nodes.
  • Google Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in one week of June 2026.
  • Industry partners like Google, Lumen, and Shadowserver assisted in dismantling the botnet infrastructure.

The Bottom Line

The takedown of NetNut and its associated Popa botnet marks a substantial blow to cybercriminals relying on residential proxy networks to mask their operations. This action reinforces the commitment of law enforcement and industry partners to dismantle the infrastructure that enables online fraud and abuse. Tech professionals should remain vigilant about device security and the potential for legitimate services to be exploited for illicit ends, as authorities continue to target such networks.

Frequently Asked Questions

What is NetNut?

NetNut was a residential proxy service operated by Alarum Technologies, which allowed users to route internet traffic through compromised residential devices, often for illicit purposes.

What is the Popa botnet?

The Popa botnet was a network of at least two million compromised devices, including smart TVs and streaming boxes, that were unwittingly turned into proxy nodes by NetNut's software.

Who was involved in the NetNut seizure?

The Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) led the seizure, with assistance from industry partners like Google, Lumen, and Shadowserver.
