FBI, Partners Seize NetNut Proxy Network Tied to Popa Botnet


Techpivo News
Quick Brief
  • FBI and IRS-CI seized NetNut domains on July 2, 2026, disrupting a major residential proxy service.
  • NetNut was linked to the Popa botnet, comprising over two million compromised consumer devices.
  • Google and other industry partners assisted in the coordinated international operation against cybercriminal activity.
Key Points
  • The FBI and IRS-CI seized hundreds of NetNut domains on July 2, 2026, disrupting its residential proxy operations.
  • NetNut, operated by Alarum Technologies, was linked to the Popa botnet, which leveraged over two million compromised devices.
  • Google, Lumen, and Shadowserver collaborated in the takedown, with Google disabling command and control infrastructure.

The Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) seized hundreds of domains associated with NetNut on July 2, 2026. This action disrupted a significant residential proxy service linked to the Popa botnet, which compromised over two million consumer devices globally. Industry partners, including Google, Lumen, and Shadowserver, supported this coordinated international effort against cybercriminal operations.

Major Disruption Targets Malicious Proxy Infrastructure

U.S. law enforcement, in collaboration with key technology firms, has executed a significant operation against NetNut, a prominent residential proxy network. On July 2, 2026, the Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) seized numerous domains tied to NetNut, replacing its homepage with an official seizure notice. This coordinated action aimed to dismantle infrastructure widely exploited by cybercriminals and espionage groups.

NetNut's Operations and Botnet Connections

NetNut, operated by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR), functioned as a residential proxy service. This service allowed users to route internet traffic through IP addresses assigned to ordinary homes and consumer devices. Security researchers have long connected NetNut's infrastructure to the Popa botnet. Findings from multiple security firms in June 2026 highlighted how NetNut populated the Popa botnet by distributing software for common household devices, such as smart TVs and streaming boxes. These devices were then unwittingly transformed into always-on residential proxy nodes. For more information on residential proxies and their uses, see Wikipedia's explanation of proxy servers.

The Popa Botnet's Scale and Misuse

The Popa botnet is estimated to encompass at least two million compromised devices globally. These devices, often infected through deceptive software development kits (SDKs) embedded in unofficial apps or uncertified Android TV operating systems, became exit nodes for illicit traffic. Malicious actors rented access to these nodes to obscure their origins, facilitating various abusive activities. These included mass content scraping, advertising fraud, and account takeover attempts. The Google Threat Intelligence Group (GTIG) reported observing 316 distinct clusters of threat actors using suspected NetNut exit nodes in a single week during June 2026. These groups included both cybercriminals and state-backed espionage operations.

"These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks." — Google Threat Intelligence Group, Blog Post

Google played a crucial role in the disruption, disabling accounts and services NetNut used for malware command and control. They also updated Google Play Protect to warn Android users and disable applications containing NetNut's SDKs. This operation follows Google's earlier disruption of the IPIDEA proxy network in January 2026.

  • The FBI and IRS Criminal Investigation led the domain seizures on July 2, 2026.
  • NetNut's network comprised at least two million compromised smart TVs and streaming boxes.
  • Google identified 316 distinct threat actor clusters using NetNut in a single week in June 2026.

What This Means

This coordinated law enforcement and industry action underscores a growing commitment to combating the misuse of residential proxy networks. For professionals and developers, it highlights the persistent threat of compromised consumer devices being weaponized for cybercrime. The involvement of publicly traded companies like Alarum Technologies adds a layer of complexity, raising questions about accountability and due diligence in the proxy service industry. While Alarum Technologies has pledged full cooperation with investigators, stating they take the matter seriously, the incident highlights the need for greater transparency and stricter controls over such services. Consumers, in turn, are reminded of the risks associated with installing unofficial software or using uncertified streaming devices, which can inadvertently enroll their home networks into these malicious systems. For Alarum Technologies' official statements, refer to their investor relations page: Alarum Technologies Investor Relations.


The Bottom Line

The takedown of NetNut and its associated Popa botnet marks a significant victory against a pervasive form of cybercrime. This operation demonstrates the effectiveness of multi-agency and industry collaboration in disrupting sophisticated malicious networks. However, experts caution that the residential proxy ecosystem is resilient, with operators often rebuilding or white-labeling services, suggesting ongoing vigilance will be essential to protect consumer devices and internet integrity.

Frequently Asked Questions

What is NetNut and why was it seized?

NetNut was a residential proxy service operated by Alarum Technologies, which was seized by the FBI and IRS-CI on July 2, 2026. It was targeted for its links to the Popa botnet, which facilitated various cybercriminal activities.

What is the Popa botnet?

The Popa botnet is a network of at least two million compromised consumer devices, including smart TVs and streaming boxes. These devices were unwittingly used as proxy nodes to route malicious internet traffic for cybercriminals.

How does this affect smart TV and streaming box users?

Users of smart TVs and streaming boxes that were part of the Popa botnet had their devices unknowingly used to relay illicit traffic. This exposed their home networks to potential threats. Google has updated Play Protect to disable apps containing NetNut's SDKs.
