The Federal Bureau of Investigation (FBI), alongside the Internal Revenue Service Criminal Investigation (IRS-CI) and industry partners including Google, Lumen, and Shadowserver, seized hundreds of domains associated with NetNut on July 2, 2026. This coordinated action targeted a vast residential proxy service, operated by the publicly-traded Israeli company Alarum Technologies, which was linked to the Popa botnet, compromising over two million consumer devices globally for malicious activities.
International Operation Targets Malicious Proxy Infrastructure
In a significant international effort, law enforcement and technology firms have dismantled key infrastructure of NetNut, a large residential proxy network. This network, also known as the Popa botnet, secretly utilized over two million consumer devices worldwide to route illicit internet traffic. The operation on July 2, 2026, aims to severely disrupt cybercriminal and espionage activities that relied on NetNut's services.
NetNut's Connection to the Popa Botnet
NetNut, a subsidiary of Alarum Technologies Ltd. (NASDAQ: ALAR), an Israeli publicly traded company, operated by transforming ordinary home electronics into proxy nodes. These devices, including smart televisions and streaming boxes, were compromised by malicious software, often without the owners' explicit consent. Security researchers from firms like Qurium and Synthient initially connected NetNut to the Popa botnet in June 2026, approximately two weeks before the federal seizure.
The Popa botnet leveraged these compromised devices to facilitate various abusive and intrusive online activities. These included mass content scraping, advertising fraud, account takeover attempts, and credential stuffing. The Google Threat Intelligence Group (GTIG) reported observing 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes in a single week during June 2026, highlighting the network's extensive use by cybercriminals and even state-sponsored espionage groups.
Coordinated Takedown and Industry Response
The Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI) spearheaded the seizure of hundreds of domains linked to NetNut on July 2, 2026. A seizure banner from the FBI replaced NetNut's homepage, acknowledging the crucial support from industry partners such as Google, Lumen Technologies, and The Shadowserver Foundation.
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." — Google Threat Intelligence Group
Google implemented immediate technical mitigations to prevent the network from quickly rebuilding. These actions included disabling all Google accounts NetNut used for malware command-and-control, updating Google Play Protect to warn Android users, and deactivating applications containing the compromised software development kits (SDKs). This operation follows Google's prior disruptions of other malicious proxy networks, such as IPIDEA in January 2026 and the Badbox 2.0 botnet in July 2025.
- Hundreds of NetNut domains were seized by the FBI and IRS-CI on July 2, 2026.
- Google disabled command-and-control accounts and updated Play Protect to counter NetNut's malicious SDKs.
- Alarum Technologies, NetNut's parent company, acknowledged the seizure and pledged full cooperation with law enforcement.
- The company's stock, trading under NASDAQ: ALAR, experienced a significant decline following the news.
What This Means
The disruption of NetNut underscores a growing trend of law enforcement and tech companies collaborating to combat sophisticated cybercrime infrastructure. For professionals and developers, this highlights the persistent threat posed by residential proxy networks that exploit unsuspecting users' devices. While residential proxies themselves can be used for legitimate purposes, their misuse for illegal activities like fraud and data theft carries severe consequences for operators and their clients alike (learn more about residential proxy legality). Consumers must remain vigilant about the software they install and the devices they connect to their home networks, as seemingly innocuous apps or cheap streaming boxes can unwittingly turn their internet connections into tools for criminals.
Key Points
- The FBI and IRS-CI, with partners, seized NetNut domains on July 2, 2026.
- NetNut, operated by Alarum Technologies, was linked to the Popa botnet, comprising over two million compromised devices.
- Google's Threat Intelligence Group observed 316 distinct threat clusters using NetNut in a single week in June 2026.
- The operation included Google disabling NetNut's command-and-control infrastructure and updating Android security.
- Alarum Technologies has committed to cooperating with the ongoing investigation.
The Bottom Line
The takedown of NetNut represents a significant blow to the cybercriminal ecosystem that relies on residential proxy networks to mask illicit operations. This coordinated action demonstrates the increasing effectiveness of public-private partnerships in disrupting large-scale cyber threats. However, the residential proxy market remains resilient, and users should continue to exercise caution regarding device security and software installations to avoid becoming unwitting participants in future botnets.
