
FBI Dismantles NetNut Proxy Network and Popa Botnet with Hundreds of Domain Seizures

Bottom line: The FBI has seized NetNut — a proxy network based on the Popa botnet comprising two million compromised devices — after security firms documented its connection to malware on smart TVs and streaming devices in June.

The FBI, working with partners including Google, Lumen, and Shadowserver, has seized hundreds of domains belonging to NetNut, an Israeli proxy platform. The network operated the Popa botnet, which comprised at least two million compromised devices and was heavily abused for cybercrime.

The FBI and the Criminal Investigation division of the Internal Revenue Service seized hundreds of domains connected to NetNut, a residential proxy service operated by NASDAQ-listed company Alarum Technologies. The action came two weeks after security firms published findings directly linking NetNut to the Popa botnet, a network of at least two million compromised devices that were infected with malware without user consent.

On June 19, three separate security companies simultaneously documented that NetNut operates a residential proxy infrastructure based on software installed on home devices such as smart TVs and streaming boxes. These systems are repurposed as always-on proxy nodes and rented to third parties, who predominantly use them for abuse: large-scale data theft, ad fraud, and account takeover attacks. In a single week in June, Google’s Threat Intelligence Group (GTIG) observed 316 different clusters of threat actors, including cybercrime and espionage groups, using suspected NetNut exit nodes. NetNut proxies were also widely resold by third-party vendors and offered under their own branded services.

Google disabled Google accounts and services that NetNut had used for command-and-control, blocked apps bundling NetNut SDKs, and shared technical information about NetNut malware kits and backend infrastructure with platform operators, law enforcement, and research organizations. The company also warned that through a compromised home device exit node, attackers could gain access to other devices on the same home network, directly exposing additional systems.

Benjamin Brundage, founder of proxy-tracking service Synthient and participant in the June disclosure, said the domain seizures disrupted both the Popa botnet and the NetNut infrastructure built upon it. NetNut’s outage affects the cybercrime community, which has already suffered from earlier Google actions against NetNut’s largest competitor, IPIDEA. Following IPIDEA’s takedown, NetNut gained considerable popularity, so this time the impact on available infrastructure for attackers could be significantly greater.


Source: krebsonsecurity.com · Published July 2, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.2.
