Back to Home
FBI and Google Dismantle NetNut Proxy Network, Popa Botnet

FBI and Google Dismantle NetNut Proxy Network, Popa Botnet

T
Techpivo News
·2 min read·0 views
Quick Brief
  • FBI, Google disrupted NetNut proxy network and Popa botnet.
  • Millions of consumer devices were unknowingly compromised.
  • Operation targeted cybercriminals and espionage groups.
📌Key Points
1FBI and Google disrupted NetNut residential proxy network and Popa botnet on July 2, 2026.
2NetNut utilized over two million compromised consumer devices, including smart TVs, as proxy nodes.
3Google's Threat Intelligence Group observed 316 distinct threat actor groups using NetNut in June 2026.

On July 2, 2026, the Federal Bureau of Investigation (FBI) and Google, in collaboration with other industry partners, successfully disrupted NetNut, a major residential proxy service, and its associated Popa botnet. This coordinated action targeted hundreds of domains, impacting a network of at least two million compromised consumer devices that were unknowingly used to route malicious internet traffic for cybercriminals and espionage groups. The operation aims to significantly degrade a key infrastructure used for activities like account takeover and advertising fraud.

Major Cybercrime Infrastructure Taken Down

A significant international law enforcement and industry effort culminated on July 2, 2026, with the Federal Bureau of Investigation (FBI) and Google leading the disruption of NetNut, a vast residential proxy service. This action also targeted the Popa botnet, which leveraged millions of compromised devices globally to facilitate cybercrime and espionage activities. The operation involved seizing hundreds of domains linked to NetNut, effectively crippling a critical component of the cybercriminal ecosystem.

NetNut's Deceptive Operations and Global Reach

NetNut, operated by the publicly-traded Israeli company Alarum Technologies Ltd. (NASDAQ: ALAR), built its extensive network by embedding deceptive software development kits (SDKs) into consumer devices. These devices, primarily Android-based smart TVs and streaming boxes, were unknowingly transformed into residential proxy nodes. This allowed malicious traffic to appear as legitimate residential internet activity, bypassing traditional security measures. The Popa botnet, synonymous with NetNut's infrastructure, comprised at least two million compromised devices worldwide. For more details on residential proxy networks and their abuse, consult resources like Wikipedia's explanation of proxy servers.

Coordinated Disruption and Industry Collaboration

The coordinated takedown involved the FBI, the Internal Revenue Service Criminal Investigation (IRS-CI) division, Google, Lumen Technologies, and the Shadowserver Foundation. Google's Threat Intelligence Group (GTIG) played a crucial role, publishing a report on July 2, 2026, detailing NetNut's extensive use by threat actors. The GTIG observed 316 distinct clusters of cybercriminal and espionage groups utilizing NetNut exit nodes in a single week during June 2026 for activities such as password-spraying and credential stuffing.

"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." — Google Threat Intelligence Group, Official Statement

As part of the disruption, Google disabled NetNut's accounts used for command-and-control (C2) infrastructure and updated Google Play Protect to detect and disable applications containing the compromised SDKs. Alarum Technologies acknowledged the FBI's seizure of certain domains on July 2, 2026, and pledged full cooperation with law enforcement. The company's stock experienced a significant drop following the news.

  • Hundreds of domains, including netnut.com, proxyjet.io, and divinetworks.com, were seized by federal authorities.
  • NetNut's services were widely resold and white-labeled, making it a popular choice for cybercriminals seeking to obfuscate their malicious traffic.
  • The operation follows a similar disruption of the IPIDEA proxy network in January 2026, highlighting an ongoing effort to combat malicious residential proxy services.

What This Means

The dismantling of NetNut represents a substantial blow to the cybercrime ecosystem, particularly for groups relying on residential proxies to mask their illicit activities. For professionals and developers, this action underscores the persistent threat posed by compromised consumer devices and the sophisticated methods used to exploit them. It also highlights the critical importance of supply chain security for software development kits (SDKs) and the need for consumers to exercise caution when installing unofficial applications on smart devices. While this disruption will impact many malicious actors, the interconnected nature of the proxy industry suggests that new services may emerge or existing ones may absorb the demand, necessitating continuous vigilance from law enforcement and cybersecurity firms. This event reinforces the need for robust security practices across all digital touchpoints.

Key Points

  • The FBI and Google led a major operation on July 2, 2026, to disrupt the NetNut residential proxy network.
  • NetNut's Popa botnet comprised at least two million compromised smart TVs and streaming devices globally.
  • Google's Threat Intelligence Group observed 316 distinct threat actor clusters using NetNut in a single week in June 2026.

The Bottom Line

The coordinated takedown of NetNut and the Popa botnet marks a significant victory against a pervasive cybercrime enabler, disrupting operations that leveraged millions of unsuspecting consumer devices. While this action creates immediate challenges for cybercriminals, the resilience of the residential proxy market means continuous efforts are essential. Tech professionals and consumers alike must remain aware of the risks associated with device compromise and the ongoing fight to secure the digital landscape. Continued collaboration between law enforcement and industry partners will be vital in addressing this evolving threat.

Frequently Asked Questions

What is NetNut?
NetNut was a residential proxy service operated by Alarum Technologies Ltd. that illegally routed internet traffic through millions of compromised consumer devices.
What is the Popa botnet?
The Popa botnet was a network of at least two million consumer devices, like smart TVs, compromised by malicious software and used by NetNut as proxy nodes.
Who was involved in the NetNut disruption?
The disruption was a joint effort by the FBI, IRS Criminal Investigation, Google, Lumen Technologies, and the Shadowserver Foundation.

Discussion

We use cookies and similar technologies to improve your experience, analyze traffic, and personalize content. By clicking “Accept All”, you consent to our use of cookies. See our Cookies Policy for details.