Global Takedown: FBI Dismantles NetNut Proxy Network Amidst Botnet Allegations

In a decisive strike against the illicit residential proxy ecosystem, the Federal Bureau of Investigation (FBI), supported by the Internal Revenue Service (IRS) Criminal Investigation division and a coalition of global technology partners, has seized hundreds of domains associated with NetNut. The service, a sprawling residential proxy network operated by the publicly traded Israeli firm Alarum Technologies [NASDAQ: ALAR], had long been identified by security researchers as a primary engine for cybercriminal activity.

The coordinated operation, which resulted in the widespread display of federal seizure banners across NetNut’s digital infrastructure, marks a significant escalation in the war against "residential proxy" services—tools that hijack everyday consumer electronics to mask the origins of malicious internet traffic.


The Anatomy of the Operation: Chronology and Context

The takedown did not occur in a vacuum; it was the culmination of months of investigative pressure from the cybersecurity community.

Early Detection (June 2026)

The investigation gained critical momentum on June 19, 2026, when three independent cybersecurity firms released synchronized reports. These reports provided forensic evidence linking NetNut’s infrastructure to the Popa botnet. The Popa botnet, a massive collection of at least two million compromised devices, primarily consisted of smart TVs, streaming boxes, and home routers. The research revealed that these devices were being transformed into "always-on" proxy nodes, rented out to threat actors for activities ranging from automated content scraping and advertising fraud to large-scale account takeover (ATO) campaigns.

The Federal Intervention (July 2026)

Following the public exposure of the link between NetNut and the Popa botnet, federal authorities moved swiftly. By early July, the NetNut homepage and its associated infrastructure were seized by the FBI and IRS-CI. The seizure notice explicitly credited Google, Lumen, and Shadowserver for their technical intelligence, which allowed law enforcement to identify and disrupt the hundreds of domains tethered to the botnet’s backend.

The Aftermath

By July 8, the fallout extended to the parent company itself. The corporate website for Alarum Technologies (alarum.io) was also hit with a federal seizure notice. Investors reacted sharply to the news, with Alarum’s stock plummeting by approximately 67% over the course of a single week, settling at $2.62 per share.


Supporting Data: How the "Botnet-as-a-Service" Model Works

The technical underpinnings of NetNut, as detailed by Google’s Threat Intelligence Group (GTIG) and other researchers, highlight the sophisticated, parasitic nature of the modern proxy economy.

FBI Seizes NetNut Proxy Platform, Popa Botnet

The Mechanics of Exploitation

NetNut’s business model relied on the deployment of Software Development Kits (SDKs) embedded in various applications. When users downloaded these apps—often under the guise of free streaming services or utility tools—the SDKs would run in the background, turning the user’s home network into a relay point.

Google’s investigation discovered that in a single week in June 2026, there were 316 distinct clusters of threat actors leveraging NetNut exit nodes. These actors included state-sponsored espionage groups and sophisticated cybercriminal syndicates. By routing their traffic through a domestic residential IP address, attackers could effectively bypass traditional security filters that flag connections from known data centers or foreign servers.

The Ripple Effect on Consumers

The danger of this model extends beyond the user’s device being used as a proxy. When a consumer device is compromised as an exit node, it creates a "bridge" into the local home network. This exposure allows unauthorized traffic to traverse the user’s private network, potentially granting cybercriminals access to other sensitive devices—such as laptops, security cameras, and personal storage servers—sitting behind the same firewall.


Official Responses and Corporate Accountability

The response from the entities involved reflects the gravity of the situation.

Google’s Stance:
The Google Threat Intelligence Group issued a comprehensive report detailing their remediation efforts. Beyond providing intelligence to the FBI, Google proactively disabled Google accounts used by NetNut for command-and-control (C2) operations. Furthermore, the company purged its app store of applications known to bundle the malicious NetNut SDKs. Google noted that while this disruption is significant, the proxy ecosystem is fluid, and operators often attempt to rebrand or pivot to "reselling" competitor services.

Alarum Technologies’ Defense:
Omer Weiss, legal counsel for Alarum Technologies, issued a statement acknowledging the seizure and promising cooperation. "Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," Weiss stated. Despite this, the company faces significant legal and regulatory hurdles as investigators examine how deep the integration between their proxy network and the Popa botnet went.


Implications: The Future of the Proxy Ecosystem

Industry experts believe the takedown of NetNut is a transformative moment for the internet security landscape.

FBI Seizes NetNut Proxy Platform, Popa Botnet

The Vacuum Left by Market Leaders

Benjamin Brundage, founder of the proxy tracking service Synthient, noted that NetNut had surged in popularity following the FBI’s earlier takedown of IPIDEA, another major proxy provider. With both major players now facing legal action, the "dark market" for residential proxies is currently in a state of disarray.

"I think this takedown is going to have a big impact," Brundage said. "NetNut was on par with the largest players in terms of traffic, quality, and price. Its removal removes a significant layer of obfuscation that many criminal groups relied upon."

The DDoS Connection

One of the most promising implications of the NetNut takedown is the potential reduction in the power of distributed denial-of-service (DDoS) botnets. Researchers previously identified the Kimwolf botnet, which utilized similar tunneling methods to infect Android-based devices behind firewalls. By disabling the SDKs that power these proxies, the infrastructure used to launch massive DDoS attacks is being dismantled at the source.


Consumer Guidance: Protecting the Home Network

The incident underscores the urgent need for consumer vigilance, particularly regarding "no-name" streaming hardware.

Avoiding Compromised Hardware

Many budget-friendly Android TV streaming boxes sold on major e-commerce platforms arrive pre-loaded with proxy-enabled firmware. These devices often do not run genuine versions of the Android TV operating system and fail to meet the security requirements for Google Play Protect.

Expert Recommendations:

  1. Stick to Reputable Brands: Avoid off-brand streaming devices that claim to offer "free" access to premium content. These devices are the primary targets for botnet recruitment.
  2. Verify Play Protect Certification: Consumers can check if their device is certified by visiting the official Google support pages regarding Play Protect.
  3. Audit Smart TV Apps: Research from Spur found that 42% of apps on LG’s webOS and over 25% on Samsung’s Tizen contain residential proxy SDKs. Users should audit their installed apps and remove any that are not essential or from unknown developers.
  4. Network Segmentation: Where possible, place "Internet of Things" (IoT) devices on a separate "guest" network to prevent them from communicating with sensitive personal computers or servers.

The Path Forward

While the FBI’s actions have dealt a severe blow to NetNut, the digital cat-and-mouse game continues. As Google noted, the industry must scale its efforts to target the infrastructure of interconnected providers. The dismantling of NetNut and the exposure of its integration with the Popa botnet serve as a warning to both cybercriminals and the companies that profit from the exploitation of consumer privacy: the era of unchecked residential proxy abuse is rapidly coming to an end.