The Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) have successfully seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This action, announced on July 2, 2026, targets the infrastructure of the Popa botnet, which compromised at least two million devices globally, turning them into proxy nodes for malicious internet traffic.
U.S. Authorities Dismantle Major Proxy Infrastructure
United States law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI), announced on July 2, 2026, the seizure of numerous internet domains linked to NetNut. This operation targeted a significant residential proxy service, which had been identified as a core component of the Popa botnet.
NetNut's Role in the Popa Botnet Ecosystem
NetNut, a residential proxy service managed by the publicly-traded Israeli company Alarum Technologies (NASDAQ: ALAR), was found to be integral to the Popa botnet. Security researchers, as early as June 19, 2026, published findings detailing how NetNut's network populated the Popa botnet, which comprised at least two million compromised devices. These devices, often consumer electronics like smart televisions and streaming boxes, were unwittingly converted into proxy nodes. These nodes were then rented out to facilitate abusive internet activities, including mass content scraping, advertising fraud, and account takeover attempts. The FBI's seizure notice, which replaced NetNut's homepage, explicitly thanked industry partners such as Google, Lumen, and Shadowserver for their crucial assistance in this complex investigation.
Google Details Criminal Exploitation
The Google Threat Intelligence Group (GTIG) provided extensive details regarding the illicit use of NetNut's infrastructure. In a blog post published on July 2, 2026, GTIG highlighted that NetNut's proxy network was widely resold and white-labeled by numerous third-party proxy providers. Cybercriminals actively sought these services to obscure the origins of their malicious traffic.
"NetNut's proxy network was extensively utilized by cybercriminals to mask their activities, observing 316 distinct clusters of threat actors in a single week in June 2026." — Google Threat Intelligence Group Blog, July 2, 2026
GTIG's analysis revealed a significant scale of abuse. In a single week during June 2026, the group observed 316 distinct clusters of threat actors actively employing these suspect services. This widespread adoption by malicious actors underscored the critical need for law enforcement intervention.
- NetNut's services were resold and white-labeled by numerous third-party providers.
- Cybercriminals used the network to obfuscate the source of their malicious online activities.
- The Popa botnet, powered by NetNut, comprised at least two million compromised devices.
What This Means
This coordinated law enforcement action against NetNut and the Popa botnet represents a significant disruption to the infrastructure underpinning various forms of cybercrime. For professionals and developers, it highlights the persistent threat of compromised consumer devices being weaponized for illicit purposes. The operation also underscores the growing importance of public-private partnerships in combating sophisticated cyber threats. Companies like Alarum Technologies, operating services that can be abused, face increased scrutiny and legal consequences when their platforms facilitate widespread criminal activity.
Key Points
- The FBI and IRS Criminal Investigation seized hundreds of domains associated with NetNut on July 2, 2026.
- NetNut, operated by Alarum Technologies, was a residential proxy service linked to the Popa botnet.
- The Popa botnet compromised at least two million devices, including smart TVs, turning them into proxy nodes.
- Google Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in one week of June 2026.
- Industry partners like Google, Lumen, and Shadowserver assisted in dismantling the botnet infrastructure.
The Bottom Line
The takedown of NetNut and its associated Popa botnet marks a substantial blow to cybercriminals relying on residential proxy networks to mask their operations. This action reinforces the commitment of law enforcement and industry partners to dismantle the infrastructure that enables online fraud and abuse. Tech professionals should remain vigilant about device security and the potential for legitimate services to be exploited for illicit ends, as authorities continue to target such networks.
