On July 2, 2026, the Federal Bureau of Investigation (FBI) and Google, in collaboration with other industry partners, successfully disrupted NetNut, a major residential proxy service, and its associated Popa botnet. This coordinated action targeted hundreds of domains, impacting a network of at least two million compromised consumer devices that were unknowingly used to route malicious internet traffic for cybercriminals and espionage groups. The operation aims to significantly degrade a key infrastructure used for activities like account takeover and advertising fraud.
Major Cybercrime Infrastructure Taken Down
A significant international law enforcement and industry effort culminated on July 2, 2026, with the Federal Bureau of Investigation (FBI) and Google leading the disruption of NetNut, a vast residential proxy service. This action also targeted the Popa botnet, which leveraged millions of compromised devices globally to facilitate cybercrime and espionage activities. The operation involved seizing hundreds of domains linked to NetNut, effectively crippling a critical component of the cybercriminal ecosystem.
NetNut's Deceptive Operations and Global Reach
NetNut, operated by the publicly-traded Israeli company Alarum Technologies Ltd. (NASDAQ: ALAR), built its extensive network by embedding deceptive software development kits (SDKs) into consumer devices. These devices, primarily Android-based smart TVs and streaming boxes, were unknowingly transformed into residential proxy nodes. This allowed malicious traffic to appear as legitimate residential internet activity, bypassing traditional security measures. The Popa botnet, synonymous with NetNut's infrastructure, comprised at least two million compromised devices worldwide. For more details on residential proxy networks and their abuse, consult resources like Wikipedia's explanation of proxy servers.
Coordinated Disruption and Industry Collaboration
The coordinated takedown involved the FBI, the Internal Revenue Service Criminal Investigation (IRS-CI) division, Google, Lumen Technologies, and the Shadowserver Foundation. Google's Threat Intelligence Group (GTIG) played a crucial role, publishing a report on July 2, 2026, detailing NetNut's extensive use by threat actors. The GTIG observed 316 distinct clusters of cybercriminal and espionage groups utilizing NetNut exit nodes in a single week during June 2026 for activities such as password-spraying and credential stuffing.
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." — Google Threat Intelligence Group, Official Statement
As part of the disruption, Google disabled NetNut's accounts used for command-and-control (C2) infrastructure and updated Google Play Protect to detect and disable applications containing the compromised SDKs. Alarum Technologies acknowledged the FBI's seizure of certain domains on July 2, 2026, and pledged full cooperation with law enforcement. The company's stock experienced a significant drop following the news.
- Hundreds of domains, including netnut.com, proxyjet.io, and divinetworks.com, were seized by federal authorities.
- NetNut's services were widely resold and white-labeled, making it a popular choice for cybercriminals seeking to obfuscate their malicious traffic.
- The operation follows a similar disruption of the IPIDEA proxy network in January 2026, highlighting an ongoing effort to combat malicious residential proxy services.
What This Means
The dismantling of NetNut represents a substantial blow to the cybercrime ecosystem, particularly for groups relying on residential proxies to mask their illicit activities. For professionals and developers, this action underscores the persistent threat posed by compromised consumer devices and the sophisticated methods used to exploit them. It also highlights the critical importance of supply chain security for software development kits (SDKs) and the need for consumers to exercise caution when installing unofficial applications on smart devices. While this disruption will impact many malicious actors, the interconnected nature of the proxy industry suggests that new services may emerge or existing ones may absorb the demand, necessitating continuous vigilance from law enforcement and cybersecurity firms. This event reinforces the need for robust security practices across all digital touchpoints.
Key Points
- The FBI and Google led a major operation on July 2, 2026, to disrupt the NetNut residential proxy network.
- NetNut's Popa botnet comprised at least two million compromised smart TVs and streaming devices globally.
- Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in a single week in June 2026.
The Bottom Line
The coordinated takedown of NetNut and the Popa botnet marks a significant victory against a pervasive cybercrime enabler, disrupting operations that leveraged millions of unsuspecting consumer devices. While this action creates immediate challenges for cybercriminals, the resilience of the residential proxy market means continuous efforts are essential. Tech professionals and consumers alike must remain aware of the risks associated with device compromise and the ongoing fight to secure the digital landscape. Continued collaboration between law enforcement and industry partners will be vital in addressing this evolving threat.
