FBI Dismantles "Popa" Botnet: The Fall of NetNut and the War on Residential Proxy Networks
In a significant blow to the cybercriminal underground, the Federal Bureau of Investigation (FBI), in coordination with the Internal Revenue Service Criminal Investigation (IRS-CI) and a coalition of industry giants, has executed a massive operation to seize hundreds of domains associated with NetNut. NetNut, a sprawling residential proxy service operated by the publicly traded Israeli firm Alarum Technologies [NASDAQ: ALAR], had long been identified by security researchers as the backbone of the "Popa" botnet—a malicious network comprising at least two million compromised devices worldwide.
The operation, which rendered NetNut’s primary web portals inaccessible and replaced them with official seizure banners, marks the latest escalation in a global campaign to dismantle the infrastructure that enables high-level cyberattacks, including account takeovers, advertising fraud, and large-scale content scraping.
The Chronology of an Investigation
The downfall of NetNut was not an overnight occurrence but the culmination of months of rigorous forensic analysis by the cybersecurity community.
On June 19, 2026, the investigation reached a fever pitch when three independent security firms simultaneously released reports identifying a direct link between NetNut’s residential proxy infrastructure and the Popa botnet. Researchers discovered that NetNut’s software was surreptitiously installed on consumer hardware—primarily low-cost smart TVs and streaming boxes—without the explicit or informed consent of the device owners. Once infected, these devices were transformed into "always-on" proxy nodes, essentially turning millions of household internet connections into a weaponized relay network for cybercriminals.
Following this disclosure, the pressure on Alarum Technologies mounted. By early July, the FBI and IRS-CI moved to disrupt the command-and-control infrastructure. The seizure notice displayed on the company’s homepage explicitly credited Google, Lumen, and the Shadowserver Foundation for providing the technical intelligence necessary to identify and neutralize the hundreds of domains feeding the Popa botnet.
Anatomy of the Popa Botnet
The Popa botnet is a classic example of "proxy-as-a-service" abuse. In this model, malicious software is bundled with legitimate-looking apps or pre-installed on "gray-market" hardware. Once active, the software utilizes the device’s internet connection to route traffic for third-party clients.
For the average consumer, this means their bandwidth is being consumed to facilitate illicit activities. For the victim’s home network, the risks are far more severe. By acting as an exit node, a compromised TV box provides a tunnel for bad actors to bypass firewalls, gain access to local network devices, and launch password-spraying attacks against sensitive corporate or personal environments.
Google’s Threat Intelligence Group (GTIG) noted in a post-seizure analysis that in a single week in June 2026, they observed 316 distinct clusters of threat actors—ranging from petty cybercriminals to state-sponsored espionage groups—actively utilizing NetNut exit nodes to obfuscate their digital footprints.

Official Responses and Corporate Accountability
The response from the parent company, Alarum Technologies, has been one of damage control and pledged cooperation. Omer Weiss, legal counsel for Alarum, confirmed that the company was fully aware of the seizure and was actively working with federal investigators.
"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," Weiss stated in a written response to inquiries.
Conversely, the tech industry giants involved in the takedown are emphasizing the necessity of sustained pressure. Google, which played a pivotal role by disabling the Google accounts used for malware command and control, has taken the additional step of stripping apps that bundle NetNut’s Software Development Kits (SDKs) from the ecosystem.
"These bad actors can use NetNut to mask their origin IP address when accessing victim environments," Google’s GTIG stated. "Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it, effectively exposing other private devices on the same home network to internet threats."
The Ecosystem of "White-Label" Cybercrime
A critical realization from this investigation is that the residential proxy market is deeply interconnected and remarkably resilient. Benjamin Brundage, founder of the proxy tracking service Synthient, notes that the collapse of NetNut represents a "significant disadvantage" for the criminal community, particularly following the earlier takedown of IPIDEA, another major player in the proxy space.
However, the threat remains fluid. Many proxy providers operate by "white-labeling" their services, meaning smaller, lesser-known proxy brands often simply resell the capacity of larger, more established networks like NetNut.
"I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown," Brundage explained. "NetNut was incredibly common among resellers, and they were on par with IPIDEA in terms of daily traffic, quality, size, and price per gigabyte."
The primary concern among researchers is that the "whack-a-mole" nature of these operations allows providers to simply pivot. As the GTIG report suggests, when a primary botnet is degraded, operators often transition to becoming resellers for their competitors, maintaining their business model while simply changing their upstream provider.

Implications for Consumer Security
The broader implications of the NetNut/Popa takedown extend well beyond the immediate disruption of proxy services. The operation highlights a pervasive security crisis in the Internet of Things (IoT) and streaming device markets.
1. The Hardware Vulnerability
The devices most frequently co-opted into the Popa botnet are often low-cost, uncertified Android TV boxes sold via major e-commerce platforms. These devices often come with modified operating systems that circumvent Google’s official "Play Protect" certification. By avoiding these official channels, the manufacturers bypass security audits that would otherwise flag the presence of proxy-SDKs.
2. The Smart TV "App" Trap
The risk is not confined to obscure streaming boxes. A recent study by the security firm Spur revealed that 42% of apps available for LG’s webOS and over 25% of apps for Samsung’s Tizen operating system contained SDKs capable of turning the television into a residential proxy node. This creates a massive, latent pool of potential nodes that can be activated at a moment’s notice.
3. DDoS Mitigation
One of the secondary, yet vital, benefits of this takedown is the potential reduction in the efficacy of Distributed Denial of Service (DDoS) botnets. By crippling the infrastructure that allowed for "tunneling" into home networks—a technique previously seen in the massive Kimwolf botnet—the takedown limits the ability of attackers to use residential IP addresses to launch high-volume, harder-to-block traffic.
A Path Forward
Google and other security researchers have issued clear guidance to consumers looking to mitigate these risks:
- Stick to Reputable Brands: Avoid purchasing "no-name" streaming devices from third-party e-commerce sellers. Certified devices from reputable manufacturers are far less likely to come pre-loaded with malicious SDKs.
- Verify Play Protect: Consumers should confirm that their Android devices are officially Play Protect certified.
- Judicious App Installation: Be skeptical of free apps that offer "premium" content, especially those that require unconventional installation methods or sideloading.
- Network Segmentation: Whenever possible, place IoT devices—including smart TVs—on a separate "guest" network to ensure that a compromise of the TV does not lead to a compromise of computers, phones, or home storage devices.
Conclusion: The Long Game
While the FBI and its partners have successfully dismantled a major piece of cybercriminal infrastructure, the ecosystem of residential proxy networks remains dangerous. The disruption of NetNut is a tactical victory that will force cybercriminals to reorganize and potentially drive up the cost of illicit services, but it is unlikely to be the final word.
As long as there is a market for anonymized, residential-grade IP traffic, there will be operators willing to build botnets to satisfy that demand. The future of this conflict will likely require not just domain seizures, but a systemic change in how smart devices are vetted, how SDKs are regulated, and how manufacturers are held accountable for the security—or lack thereof—baked into their products. For now, the takedown of NetNut serves as a stark reminder of the hidden costs associated with the "free" or "cheap" technology that permeates the modern household.
