FBI Seizes NetNut Proxy Platform, Popa Botnet – Krebs on Security

The Federal Bureau of Investigation (FBI) said today it has worked with industry partners to seize hundreds of domains tied to NetNut, a sprawling residential proxy service operated by a publicly traded Israeli company, Alarum Technologies [NASDAQ: ALAR]. The move comes nearly two weeks after KrebsOnSecurity published findings from several security companies linking NetNut to the Popa botnet, a collection of at least two million devices compromised by malicious software with little or no consent from their owners.
NetNut’s home page today has been replaced with this seizure banner from the FBI.
On June 19, three different security firms released the same findings: that NetNut is a residential proxy network fed by a botnet called Popa, which spreads through software bundled with devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on proxy nodes that others use to relay malicious and abusive Internet traffic, such as large-scale content scraping, ad fraud, and account takeover activity.
Earlier today, NetNut’s home page was replaced with a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division. The seizure notice thanks Google, Lumen, Shadowserver and other industry partners for their help in taking down hundreds of domains tied to the Popa botnet, which experts say has long resembled NetNut’s residential proxy infrastructure.
In a blog post published today, the Google Threat Intelligence Group (GTIG) said that NetNut’s proxy network is widely marketed and white-labeled by third-party proxy providers, and that its services are in high demand among cybercriminals who want to hide the source of their malicious traffic. GTIG said that in one week in June 2026 it observed 316 distinct threat actor groups using suspected NetNut exit points, including cybercrime groups and espionage actors.
“These bad actors can use NetNut to spoof their IP address when accessing target sites, accessing their infrastructure, and conducting password spraying attacks,” wrote Google’s GTIG. “Furthermore, if a consumer’s device becomes an exit point, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to cyber threats.”
Google said it disabled Google accounts and services used by NetNut to command and control the malware, and that it shared technical intelligence on NetNut’s software development kits (SDKs) and supporting infrastructure with platform providers, law enforcement and research companies. The company also disabled applications known to integrate various NetNut SDKs.
Omer Weiss, a lawyer for NetNut’s parent company, Alarum Technologies, said the company is aware of the FBI’s seizure and is cooperating with investigators.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure that any misuse of its infrastructure is properly investigated and those responsible are held accountable,” Weiss said in a written statement.
Benjamin Brundage is the founder of the proxy tracking service Synthient, one of the companies that published evidence last month linking the Popa botnet to NetNut and Alarum Technologies. Brundage said the domain seizure appears to have disrupted both the Popa botnet and the NetNut proxy network that rides on it.
Brundage said the apparent demise of NetNut could be a major blow to the cybercrime community, which was already frustrated by Google’s legal action earlier this year, when it seized the infrastructure of NetNut’s main competitor, IPIDEA.
“I think this downgrade will have a big impact, because NetNut gained a lot of popularity after the IPIDEA downgrade,” he said. “And NetNut is incredibly popular among vendors, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, everything.”
NetNut infrastructure, in a nutshell. Image: Black Lotus Labs, Lumen.
The takedown of NetNut and the Popa botnet may have one additional benefit, Brundage said: reducing the impact of large denial-of-service botnets built behind poorly configured residential proxy services. In January, Synthient revealed how cybercriminals built the world’s largest DDoS botnet (Kimwolf) by connecting through IPIDEA proxies into the local networks of TV box owners, and infecting other Android-based devices behind the victims’ firewalls.
While many major proxy providers are taking steps to block this activity, vendors of other large proxy networks have been slow to respond to the threat, Brundage said.
“Regarding all of these compromised TV box devices on the proxy network, they’re going to have an impact on existing DDoS bots,” he said.
For its part, Google believes that today’s actions have caused “significant damage to NetNut’s proxy network and its business operations, reducing the available pool of proxy operator devices by millions.” But the company warns that proxy networks can rebuild themselves by reselling other proxy services, as IPIDEA did a few months ago.
“Google has high hopes that many popular residential proxies are whitelisting the NetNut botnet,” the GTIG report concluded. “Although we expect that this disruption will have a major impact on the ecosystem of the proxy accommodation, the observation after the IPIDEA disruption has proven that individual networks can be seen as strong. What we have noticed is that when faced with the destruction of their botnet, proxy operators begin to buy capacity from competitors, effectively becoming a seller in this long-lasting process. This means that we realize that our efforts to create an ecosystem must be disrupted; it targets the infrastructure of several providers they are not connected to.”
As KrebsOnSecurity has repeatedly warned, most of the no-name TV streaming boxes sold on major e-commerce websites come pre-installed with residential proxy software, or require the installation of proxy SDKs in order to use the device for its stated purpose (streaming pirated movies, sports events and TV shows). Google’s advice here makes sense: when it comes to TV boxes, stick to name brands from reputable manufacturers, and be careful about any apps you choose to install.
The no-name TV boxes targeted by the Popa botnet and other threats all ship with, or require the user to install, uncertified Android operating systems that sit outside the official Google Play Protect program. Google says consumers can verify that a device carries an official Android TV OS certification and Play Protect certification by following these instructions.
Even people without TV boxes can end up with their smart TVs enrolled in residential proxy networks, just by installing one of the thousands of apps available for download on Samsung and LG smart TVs. In a report released last month, the proxy-tracking company Spur found that 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn a person’s television into an always-on residential proxy. More than a quarter of applications for Samsung’s Tizen operating system had similar residential proxy components, Spur found.
Photo: Spur.us.
Update, 4:24 p.m. ET: This story was updated after publication with a statement from a lawyer representing NetNut’s parent company, Alarum Technologies.