VYPR
Breach · Published Jul 2, 2026 · 2 sources

FBI Seizes NetNut Proxy Platform and Popa Botnet

The FBI, with industry partners, has seized hundreds of domains associated with NetNut, a residential proxy service linked to the Popa botnet, disrupting a major tool used by cybercriminals.

The Federal Bureau of Investigation (FBI), in collaboration with industry partners, announced the seizure of hundreds of domains associated with NetNut, a large-scale residential proxy service operated by the Israeli company Alarum Technologies. This action follows recent findings from multiple security firms that linked NetNut to the Popa botnet, a network comprising at least two million compromised devices.

NetNut's service functions by transforming compromised devices, including smart TVs and streaming boxes, into proxy nodes. These nodes are then rented out to cybercriminals who utilize them to mask their online activities. Common malicious uses include mass content scraping, advertising fraud, and account takeover operations. The FBI's seizure notice, which replaced NetNut's homepage, thanked key industry partners such as Google, Lumen, and Shadowserver for their assistance in dismantling the infrastructure.

Google Threat Intelligence Group (GTIG) observed that NetNut's proxy network is widely resold and white-labeled by numerous third-party providers. Cybercriminals heavily rely on these services to obscure the origin of their malicious traffic. In a single week during June 2026, GTIG identified 316 distinct clusters of threat actors using suspected NetNut exit nodes, encompassing both cybercriminal and espionage groups.

According to Google, these bad actors leverage NetNut to mask their origin IP addresses when accessing victim environments or their own infrastructure, or when conducting password spray attacks. A significant concern highlighted by Google is that when a consumer device becomes an exit node, unauthorized network traffic passes through it, potentially exposing other private devices on the same home network to Internet threats.

In response, Google disabled accounts and services used by NetNut for command and control, and shared technical intelligence regarding NetNut's software development kits (SDKs) and backend infrastructure with law enforcement and research firms. The company also disabled applications known to bundle NetNut's SDKs.

NetNut's parent company, Alarum Technologies, did not respond to requests for comment. Prior to this seizure, Alarum had disputed characterizations of NetNut as a botnet and threatened legal action against those publishing reports that could damage its brand.

Benjamin Brundage, founder of the proxy tracking service Synthient, stated that the domain seizures have significantly disrupted both the Popa botnet and the NetNut proxy network. He noted that NetNut's demise is a major blow to the cybercrime community, especially following the earlier disruption of IPIDEA, NetNut's primary competitor. Brundage indicated that NetNut had gained substantial popularity after IPIDEA's takedown and was comparable to it in traffic, quality, size, and price.

The takedown is also expected to reduce the impact of large distributed denial-of-service (DDoS) botnets that have exploited poorly configured residential proxy services. Brundage mentioned that the compromise of TV boxes via proxy networks has fueled DDoS botnets like Kimwolf. While major proxy providers have taken steps to block such activity, resellers have been slower to respond. Google estimates that the action has caused significant degradation to NetNut's network and business operations, reducing the available pool of devices by millions, though it cautions that proxy networks can rebuild by reselling services from competitors.

This new report from Google details its own "degradation" operation against the NetNut residential proxy network, which it identifies as also being known as Popa. Google's Threat Intelligence Group (GTIG) worked with the FBI and Lumen to reduce the network's usable devices by millions, and estimates that the network had at least 2 million devices. The report further describes how NetNut, owned by the publicly traded Israeli company Alarum Technologies, operates by embedding its code on home devices, often without clear user consent, and highlights that a single takedown is insufficient because of NetNut's reseller program.

Synthesized by Vypr AI