The Fall of NetNut: FBI Dismantles Global Residential Proxy Giant Linked to Massive Botnet

In a sweeping law enforcement action that has sent shockwaves through the cybersecurity industry, the Federal Bureau of Investigation (FBI) has seized hundreds of domains associated with NetNut, a prominent residential proxy service operated by the publicly traded Israeli firm Alarum Technologies (NASDAQ: ALAR). The takedown marks a significant victory in the ongoing battle against the illicit "proxy-as-a-service" market, a sector often leveraged by state-sponsored actors and cybercriminals to mask malicious traffic behind the IP addresses of unsuspecting residential consumers.
The operation, which also involved the Internal Revenue Service’s Criminal Investigation division, targeted the digital infrastructure underpinning the Popa botnet. This vast network, which security researchers estimate comprises at least two million compromised devices, has long been the engine driving NetNut’s residential proxy offerings. By turning common household devices—such as smart TVs, streaming boxes, and home routers—into "always-on" proxy nodes, the network allowed bad actors to conduct large-scale advertising fraud, content scraping, and password-spraying attacks with a veneer of residential legitimacy.
A Chronology of the Investigation and Takedown
The collapse of NetNut was not an overnight occurrence but rather the culmination of months of rigorous forensic research by private security firms and intelligence analysts.
- Mid-2026 (Preliminary Research): Security researchers began identifying clear, overlapping telemetry between the Popa botnet and NetNut’s proxy exit nodes. Analysis suggested that the "residential" traffic being sold by NetNut was, in fact, sourced from devices infected with malicious SDKs (Software Development Kits).
- June 19, 2026: Three independent security firms published concurrent findings explicitly linking NetNut to the Popa botnet. These reports detailed how the service distributed malware to household electronics, effectively hijacking the bandwidth and network security of innocent users.
- Early July 2026: The FBI and its industry partners, including Google’s Threat Intelligence Group (GTIG), Lumen, and Shadowserver, finalized the coordination for a multi-jurisdictional seizure.
- The Takedown: On the morning of the operation, users attempting to access NetNut’s primary web portal were redirected to an official FBI seizure banner. The notice confirmed the dismantling of the infrastructure associated with the Popa botnet.
- Post-Takedown Market Impact: Within 48 hours of the seizure, the parent company’s primary website, alarum.io, was also hit with a seizure notice. Alarum Technologies saw its stock value plummet by approximately 67% over the course of a week, trading at $2.62 per share at the time of reporting.
The Anatomy of the Popa Botnet
The Popa botnet represents a sophisticated evolution of the traditional proxy network. Unlike traditional botnets that focus primarily on Distributed Denial of Service (DDoS) attacks, Popa was designed to be a "commercialized" asset.
By integrating malicious SDKs into unofficial, budget-friendly Android TV boxes and various smart TV applications, the operators ensured that the botnet was self-propagating. Once a device was infected, it became a gateway into the victim’s home network. Security analysts at Google noted that this architecture is particularly dangerous because it grants unauthorized entities access not just to the device itself, but to other sensitive hardware behind the victim’s firewall, including personal computers, smart home hubs, and security cameras.
Google’s Threat Intelligence Group reported that in a single week in June 2026, they identified 316 distinct clusters of threat actors—ranging from cybercriminal syndicates to advanced persistent threat (APT) groups—actively utilizing NetNut exit nodes. These actors used the infrastructure to bypass IP-based security filters, allowing them to remain undetected while probing sensitive corporate and governmental networks.

Data and Industry Implications
The fallout from this seizure extends far beyond the immediate shutdown of NetNut. Industry experts, including Benjamin Brundage, founder of the proxy-tracking service Synthient, suggest that the removal of NetNut creates a massive vacuum in the cybercrime ecosystem.
"NetNut was essentially the successor to IPIDEA, which was dismantled in a similar operation earlier this year," Brundage explained. "Because they were so popular among resellers, their traffic volume, quality, and price point made them a primary choice for criminals. Their disappearance will force a massive, and likely chaotic, migration to other, potentially less reliable services."
However, analysts warn that the ecosystem is notoriously resilient. When one major provider is taken offline, the operators often pivot to "whitelabeling"—a process where they buy capacity from competitors, effectively turning themselves into resellers of other, smaller, and harder-to-track botnets.
Google’s GTIG report emphasized this trend, noting that while the takedown caused "significant degradation" to the network, the "fluid nature" of the residential proxy market necessitates a more aggressive, systemic approach to targeting the software supply chain rather than just individual domain names.
Official Responses and Legal Posturing
The response from Alarum Technologies was notably cautious. Omer Weiss, legal counsel for the firm, issued a statement acknowledging the seizure and expressing a commitment to cooperate with law enforcement.
"Alarum takes this matter seriously," Weiss stated. "We will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."

Despite this cooperative stance, the company faces significant legal and financial peril. By operating a service that provided the technical means for millions of unauthorized intrusions, the firm may face regulatory scrutiny regarding its oversight of the SDKs it distributed and the origin of the traffic flowing through its nodes.
Consumer Safety and Recommendations
The most alarming finding in the aftermath of the NetNut takedown is the prevalence of proxy-enabling software in consumer electronics. Reports from the proxy-tracking firm Spur have revealed that nearly 42% of apps available on LG’s webOS, and over 25% of apps on Samsung’s Tizen OS, contain components that can turn a smart television into an unwitting residential proxy node.
For consumers, the advice from cybersecurity experts is clear:
- Avoid Unofficial Hardware: Avoid purchasing non-branded, "sketchy" Android streaming boxes from major e-commerce platforms. These devices often come pre-installed with backdoors or require the installation of unofficial operating systems that bypass security protections like Google Play Protect.
- Verify Certification: Consumers should ensure that any Android-based device is "Play Protect" certified. Instructions for verifying this can be found on official Google support pages.
- Audit Your Smart TV: Be judicious with the applications installed on smart TVs. If an app is not from a reputable developer, it may be a vehicle for proxy SDKs.
- Network Hygiene: If possible, segment your home network. Keep sensitive devices like computers and smart home security systems on a separate VLAN or guest network from media streaming devices.
The Road Ahead: Disrupting the Proxy Ecosystem
The dismantling of NetNut and the Popa botnet is a tactical success, but the war against residential proxy abuse remains a long-term challenge. As Google and the FBI continue to map the connections between these proxy networks and the criminal groups that fund them, the focus is shifting toward the "whitelabel" providers that keep the industry afloat.
"What we have observed," concludes the Google threat report, "is that when faced with the degradation of their own botnet, operators begin buying capacity from their competitors. To create a lasting disruption in this fluid ecosystem, we must scale our efforts to target the infrastructure of several interconnected providers simultaneously."
For now, the seizure of NetNut stands as a testament to the power of public-private partnerships in cybersecurity. By combining the vast telemetry of platforms like Google with the legal reach of the FBI, authorities have effectively blinded, at least for the moment, a primary tool used by the world’s most sophisticated digital adversaries. The challenge remains to ensure that the infrastructure does not simply reconstitute under a new name in the coming months.
