The Fall of NetNut: FBI Dismantles Global Residential Proxy Giant Linked to Massive Botnet

In a coordinated strike against the infrastructure of global cybercrime, the Federal Bureau of Investigation (FBI) has seized hundreds of domains belonging to NetNut, a prominent residential proxy service operated by the Israeli publicly-traded firm Alarum Technologies (NASDAQ: ALAR). This decisive enforcement action represents a major escalation in the international effort to curb the proliferation of "residential proxy networks"—services that weaponize consumer hardware to mask malicious internet traffic.
The seizure, executed in partnership with the Internal Revenue Service (IRS) Criminal Investigation division, follows weeks of intense scrutiny after security researchers revealed that NetNut’s network was the primary engine behind the "Popa" botnet. Popa consists of an estimated two million compromised devices—predominantly smart TVs, streaming boxes, and home IoT hardware—that have been conscripted into service without the explicit consent of their owners.
The Chronology of a Takedown
The collapse of NetNut was not an overnight occurrence but the culmination of a months-long investigative trail pursued by private security firms and global technology giants.
- November 2025: Security researchers began raising alarms regarding the prevalence of residential proxy software embedded in low-cost, unbranded Android streaming boxes. These devices, often marketed for illicit streaming, were found to contain hidden Software Development Kits (SDKs) that transformed the devices into proxy exit nodes.
- January 2026: The security firm Synthient exposed the "Kimwolf" botnet, revealing how cybercriminals were using proxy tunnels to bypass residential firewalls, effectively turning local networks into launchpads for massive Distributed Denial-of-Service (DDoS) attacks.
- June 19, 2026: A coordinated disclosure by three major security firms provided definitive technical evidence linking the sprawling NetNut residential proxy network to the Popa botnet. The reports illustrated how NetNut’s infrastructure was effectively laundering malicious traffic, allowing attackers to masquerade as legitimate home users.
- July 2026: Following these revelations, Google’s Threat Intelligence Group (GTIG) intensified its internal investigation, identifying that NetNut was a primary source of obfuscated traffic for state-sponsored espionage groups and cybercriminal syndicates alike.
- Today: The FBI and IRS-CI executed a sweeping domain seizure. The NetNut homepage, once a gateway for marketers and businesses to purchase "legitimate" proxy access, was replaced by a federal seizure banner, signaling the immediate disruption of the service’s command-and-control operations.
The Anatomy of the Popa Botnet
The Popa botnet is a testament to the modern threat landscape, where the "Internet of Things" has become a liability rather than a convenience. NetNut’s business model involved the sale of proxy access to millions of IP addresses. While marketed as a tool for market research and content scraping, investigators found that a significant portion of this traffic was malicious.
By bundling malicious SDKs into the firmware of budget-friendly streaming hardware, NetNut effectively created an "always-on" proxy network. When a user plugs in a compromised TV box, the device immediately begins routing traffic for third parties. This allows cybercriminals to bypass IP-based security filters. If an attacker attempts an account takeover or an advertising fraud scheme, the traffic appears to originate from a legitimate residential home rather than a data center or a known malicious IP block.
Google’s findings were particularly damning. During a single week in June 2026, GTIG observed 316 distinct clusters of threat actors—ranging from petty scammers to sophisticated espionage groups—utilizing NetNut exit nodes to hide their origins.

Official Responses and Corporate Accountability
The involvement of Alarum Technologies, a publicly-traded company, adds a layer of corporate complexity to the investigation. Following the seizure, Omer Weiss, legal counsel for Alarum Technologies, issued a statement acknowledging the company’s awareness of the situation and pledging cooperation.
"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," Weiss stated.
However, the industry perspective is far more critical. Benjamin Brundage, founder of the proxy tracking service Synthient, noted that the seizure effectively "crippled" the Popa botnet. "This takedown is going to have a massive impact," Brundage said. "NetNut had become the go-to provider for the cybercriminal underworld, especially after the previous takedown of their competitor, IPIDEA, earlier this year."
Google, in its official blog post, outlined the technical steps it took to assist in the operation. The company confirmed it had disabled Google accounts utilized for malware command-and-control, purged malicious apps from its ecosystem that bundled NetNut SDKs, and shared critical intelligence with law enforcement and other service providers to ensure the network could not simply "re-bootstrap" itself under a different name.
Implications for the Cybersecurity Ecosystem
The disruption of NetNut serves as a warning to both the proxy industry and the average consumer. However, experts warn that the battle is far from won. The "whitelabeling" of proxy services means that when one major provider falls, others often rise to fill the void, purchasing capacity from competitors and rebranding.
The Threat to Home Networks
The most alarming implication of the Popa botnet is the risk posed to individual home networks. When a smart TV becomes an exit node for a proxy network, the device acts as a bridge. This allows unauthorized traffic to traverse the user’s home network, potentially exposing other devices—such as laptops, smartphones, and security cameras—to direct compromise.

The "TV Box" Problem
A significant portion of the botnet’s growth has been fueled by consumers purchasing "sketchy" Android streaming devices. These devices, which often promise access to pirated movies or sports, operate outside the safety of Google’s official Play Protect certification.
Recent research from the firm Spur highlights the scale of this infection vector:
- LG Smart TVs: 42% of apps available on the webOS platform were found to contain SDKs that turn the device into an always-on residential proxy node.
- Samsung Smart TVs: Over 25% of apps developed for the Tizen OS were found to contain similar residential proxy components.
A Path Forward for Consumers and Regulators
The FBI’s action against NetNut is a significant victory for internet hygiene, but it highlights the desperate need for stricter oversight of the residential proxy market. As long as proxy providers can operate with limited accountability, the incentive to compromise consumer hardware will remain high.
For consumers, the advice from cybersecurity experts is clear:
- Avoid Unbranded Hardware: Stick to name-brand streaming devices from reputable manufacturers.
- Verify Certification: Ensure that devices are running official, manufacturer-supported operating systems and that they carry Play Protect certification.
- Audit App Permissions: Be extremely judicious when installing apps on Smart TVs. If an app requires excessive network permissions, it may be operating as a proxy node.
- Network Segmentation: For those with advanced technical knowledge, placing IoT devices and smart TVs on a separate "guest" VLAN can help prevent a compromise of the TV from spreading to sensitive computers and personal storage devices.
While the "Popa" botnet has been dealt a severe blow, the fluid nature of these networks means that the infrastructure of digital exploitation is constantly evolving. The dismantling of NetNut is a landmark case that will likely force a shift in how these companies operate, but as long as the market for "residential" IP addresses remains profitable, the cat-and-mouse game between security researchers and proxy-based botnet operators will undoubtedly continue.
