In a significant blow to the cybercrime ecosystem, the Federal Bureau of Investigation (FBI) has successfully seized hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The takedown, executed in coordination with the Internal Revenue Service Criminal Investigation (IRS-CI) and a coalition of global industry partners, marks a major turning point in the ongoing battle against the weaponization of residential internet infrastructure.
The operation comes just weeks after independent security researchers, including KrebsOnSecurity, published damning evidence linking NetNut to the "Popa" botnet—a massive, illicit network of at least two million compromised consumer devices. These devices, ranging from smart TVs to Android-based streaming boxes, were covertly transformed into "always-on" proxy nodes, serving as a gateway for malicious actors to conduct high-stakes cyberattacks, including account takeovers, advertising fraud, and large-scale data scraping.
A Chronology of the Investigation
The downfall of NetNut was not an overnight occurrence, but rather the result of months of persistent scrutiny by the cybersecurity community.
- Mid-2025 – Early 2026: Security researchers begin identifying patterns of malicious traffic originating from residential IP ranges associated with low-cost, "off-brand" streaming hardware. Reports suggest that these devices ship with pre-installed proxy software, or require the installation of suspicious Software Development Kits (SDKs) in order to function.
- January 2026: The security firm Synthient exposes the "Kimwolf" botnet, revealing how cybercriminals utilized proxy networks to tunnel into the local networks of home users, effectively bypassing firewalls to infect other devices on the same Wi-Fi network.
- June 19, 2026: Three separate security firms release synchronized reports confirming that NetNut is the primary engine behind the Popa botnet. The reports outline how NetNut’s infrastructure exploits consumer devices to facilitate the global distribution of malicious traffic.
- Late June 2026: Google’s Threat Intelligence Group (GTIG) begins a comprehensive analysis of NetNut’s backend, identifying hundreds of clusters of threat actors—including state-sponsored espionage groups—relying on the service to mask their origin IP addresses.
- July 2026: The FBI and IRS-CI execute a coordinated seizure of hundreds of domains tied to the NetNut infrastructure. By mid-day, the NetNut homepage is replaced with an official federal seizure banner, signaling the termination of its primary public-facing operations.
The Mechanics of the Popa Botnet
At the heart of the controversy is the concept of a "residential proxy." In a legitimate context, these services allow users to route traffic through a residential IP address to appear as a normal home user. However, NetNut’s model relied on the unauthorized recruitment of "nodes."
By bundling proxy SDKs into popular, albeit unofficial, applications—particularly those used for streaming pirated content—NetNut effectively hijacked the home network of the unsuspecting consumer. Once such an application is installed, the device becomes a conduit for cybercriminal activity. Because the traffic originates from a residential IP, it often bypasses the standard security filters that would otherwise flag traffic coming from known data center IP blocks.
According to Google’s GTIG, this architecture poses a dual threat: it enables the bad actor to perform "password spray" attacks or access restricted environments while remaining anonymous, and it leaves the compromised device, and other hardware on the same local network, vulnerable to secondary intrusions.
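The practical consequence for defenders is that source-IP reputation alone stops working: a password spray arriving through residential exit nodes looks like ordinary home users. The following added example (not code from the article, from NetNut, or from any of the firms named here) shows a detection that keys on the shape of the activity instead. It parses constructed, syslog-style authentication lines, flags source addresses that fail logins against many distinct accounts with only a few attempts each, and reports whether the address falls in a constructed "residential" or "datacenter" block so the reader can see that a residential origin does not exempt it. The log format, the IP blocks, and the thresholds (five accounts within five minutes, at most two tries per account) are assumptions chosen for illustration.

```python
"""Password-spray detection over authentication logs, independent of source-IP reputation.

Added example, not code from the article or from any firm it names.
Log lines, IP blocks and thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.x stands in for a residential range that a
# datacenter-only blocklist would wave through; 198.51.100.x for a datacenter range.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z auth FAIL user=alice src=203.0.113.10
2026-07-01T10:00:04Z auth FAIL user=bob src=203.0.113.10
2026-07-01T10:00:07Z auth FAIL user=carol src=203.0.113.10
2026-07-01T10:00:09Z auth FAIL user=dave src=203.0.113.10
2026-07-01T10:00:12Z auth FAIL user=erin src=203.0.113.10
2026-07-01T10:00:15Z auth FAIL user=frank src=203.0.113.10
2026-07-01T10:00:20Z auth FAIL user=grace src=203.0.113.11
2026-07-01T10:00:22Z auth FAIL user=heidi src=203.0.113.11
2026-07-01T10:00:25Z auth OK   user=alice src=198.51.100.7
2026-07-01T10:01:00Z auth FAIL user=alice src=198.51.100.7
2026-07-01T10:01:05Z auth FAIL user=alice src=198.51.100.7
2026-07-01T10:01:09Z auth FAIL user=alice src=198.51.100.7
2026-07-01T10:01:14Z auth FAIL user=alice src=198.51.100.7
2026-07-01T10:01:18Z auth FAIL user=alice src=198.51.100.7
"""

# Constructed classification blocks (hypothetical; a real deployment would use
# an ASN or proxy-intelligence feed here).
RESIDENTIAL_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
DATACENTER_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], ipaddress.ip_address(m["src"])


def classify_source(ip):
    """Label an address as residential, datacenter or unknown using the constructed blocks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if any(ip in net for net in RESIDENTIAL_BLOCKS):
        return "residential"
    if any(ip in net for net in DATACENTER_BLOCKS):
        return "datacenter"
    return "unknown"


def detect_spray(text, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {src_ip: {...}} for sources whose failures are wide (many accounts)
    and shallow (few tries per account) inside any sliding time window.

    That shape separates a spray from a brute force against one account, and it is
    visible whether or not the source address looks like a home user.
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for ts, result, user, src in parse_log(text):
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = {}
    for src, events in failures.items():
        events.sort()
        worst = None  # largest distinct-account count seen in any qualifying window
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            distinct = len(per_user)
            shallow = all(n <= max_per_user for n in per_user.values())
            if distinct >= min_users and shallow and (worst is None or distinct > worst):
                worst = distinct
        if worst is not None:
            findings[str(src)] = {"distinct_users": worst, "origin": classify_source(src)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray suspect {ip}: {info['distinct_users']} accounts, origin={info['origin']}")
```

On the constructed sample only 203.0.113.10 is reported: it touched six accounts once each, while 203.0.113.11 touched too few accounts and 198.51.100.7 hammered a single account (a brute force, which a separate per-account rule would catch). Thresholds should be tuned to the environment; the point is that the rule never consults whether the source is "residential".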

Supporting Data: The Scale of the Ecosystem
The sheer scale of the operation is staggering. During a single week in June 2026, Google researchers identified 316 distinct clusters of threat actors utilizing NetNut exit nodes. This data suggests that NetNut was not merely a niche provider, but a primary utility for the modern cybercriminal underground.
Furthermore, the problem extends beyond dedicated streaming boxes. A recent report by the proxy tracking service Spur highlighted the prevalence of this threat in the smart television market. Their findings revealed that 42% of apps available for download on LG’s webOS contain proxy SDKs, while over 25% of apps for Samsung’s Tizen operating system carry similar components. These apps effectively turn millions of smart TVs into silent, always-on weapons for the botnet operators.
Official Responses and Corporate Liability
The seizure has prompted a flurry of responses from the entities involved. The FBI and IRS-CI, in their seizure notice, acknowledged the pivotal roles played by Google, Lumen, and Shadowserver in providing the technical intelligence necessary to dismantle the botnet’s command-and-control (C2) infrastructure.
Alarum Technologies, the parent company of NetNut, has adopted a cooperative stance following the seizure. Omer Weiss, legal counsel for Alarum, stated, "Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."
Google, for its part, has taken proactive measures to limit the damage. In addition to assisting with the investigation, the tech giant has disabled Google accounts utilized for NetNut’s malware C2 communications and has purged its platform of applications found to be bundling the malicious SDKs.
Implications for Cybersecurity
The takedown of NetNut serves as a critical case study in the resilience of modern botnets. Industry experts, including Benjamin Brundage of Synthient, note that while the seizure is a significant victory, the ecosystem is inherently fluid.

1. The "Whitelabeling" Problem
One of the most concerning revelations is that NetNut’s infrastructure was widely resold and "white-labeled" by other proxy providers. Even if the primary brand is taken down, the underlying infrastructure often remains, being sold to other operators. Google warned that as one network falls, operators often turn to competitors, creating a "ripple effect" that necessitates a more comprehensive, multi-provider approach to disruption.
2. The Shift Toward "Brand-Name" Security
The rise of the Popa and Kimwolf botnets has fundamentally changed the risk assessment for consumer hardware. Experts are now warning that the "cheap" streaming box market is essentially a minefield. Consumers are strongly advised to stick to reputable, name-brand hardware from manufacturers that adhere to Google’s Play Protect certification. Devices running unverified, unofficial versions of the Android OS are the primary targets for recruitment into these networks.
3. A Strategic Shift for Law Enforcement
The FBI’s targeting of the infrastructure—the domains and the SDKs themselves—rather than just the end-user devices, represents a more surgical approach to cyber-policing. By disrupting the command-and-control layer, investigators can effectively "blind" the botnet operators, rendering millions of compromised devices inert without needing to touch the individual hardware.
Conclusion: A Pyrrhic Victory?
While the NetNut takedown is undeniably a major disruption to the criminal proxy market, it serves as a stark reminder of how deeply embedded these risks have become in the "Internet of Things" (IoT). As residential proxy networks continue to evolve, moving toward increasingly decentralized and obfuscated architectures, the responsibility for securing the perimeter is shifting back toward the consumer.
As of this writing, the Popa botnet’s influence is severely degraded, and the cybercrime community is scrambling to find alternatives. However, as the history of the IPIDEA takedown showed, the vacuum left by one service is often filled by another within months. For the average consumer, the lesson is clear: the convenience of a $30 streaming box or a "free" TV app may come at the cost of their home network’s security, effectively turning their living room into a launchpad for the next wave of global cyberattacks. Vigilance, firmware updates, and sticking to reputable, certified hardware remain the only effective defenses against this invisible, ever-present threat.
