In a coordinated international operation, the Federal Bureau of Investigation (FBI), alongside the Internal Revenue Service Criminal Investigation (IRS-CI) division, has successfully seized hundreds of domains linked to NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli firm Alarum Technologies (NASDAQ: ALAR).
The seizure, which replaced the company’s primary web portals with official law enforcement banners, marks a significant escalation in the ongoing battle against the weaponization of consumer Internet of Things (IoT) devices. The operation was bolstered by critical technical intelligence from industry heavyweights, including Google, Lumen, and the threat-intelligence firm Shadowserver. This action effectively cripples a network that had become a primary infrastructure provider for cybercriminals, state-sponsored espionage groups, and purveyors of large-scale advertising fraud.
The Chronology of a Collapse
The downfall of NetNut was not an overnight occurrence but the culmination of months of rigorous investigative work by security researchers.
June 19, 2026: Three independent security firms published concurrent findings identifying a direct link between NetNut’s commercial proxy infrastructure and the "Popa" botnet. The researchers detailed how NetNut’s software was being bundled into innocuous-looking applications for home devices—specifically Android-based streaming boxes and smart TVs. These devices were then converted into "always-on" residential proxy nodes, allowing third parties to route malicious traffic through the unsuspecting victims’ home networks.
Late June 2026: As evidence of the nexus between the commercial service and the botnet solidified, Google’s Threat Intelligence Group (GTIG) intensified its monitoring, identifying over 300 distinct clusters of threat actors leveraging NetNut exit nodes for password spraying, account takeovers, and infrastructure obfuscation.
July 2026 (Present): Following the collection of sufficient forensic evidence, the FBI and IRS-CI executed the domain seizures. The operation effectively severed the command-and-control (C2) communication channels that kept the Popa botnet active. By the afternoon of the seizure, the NetNut homepage—a portal previously used by businesses to rent residential IP addresses—displayed the standard FBI banner notifying visitors that the infrastructure had been taken offline due to its involvement in criminal activity.
Anatomy of the Popa Botnet
At the heart of the investigation is the "Popa" botnet, a massive, distributed network comprising at least two million compromised devices. Unlike traditional botnets that rely on sophisticated malware exploits, Popa utilized a more insidious approach: the integration of Software Development Kits (SDKs).
These SDKs were frequently embedded into unofficial streaming apps, particularly those designed for budget-friendly Android TV boxes sold on major e-commerce platforms. Once a user installed an app to watch unauthorized content, the underlying SDK would silently register the device as a residential proxy node.

The implications for the end-user are severe. When a device becomes an exit node for a proxy network, it allows strangers to route traffic through the user’s home IP address. This obscures the origin of the traffic, making it appear as if the malicious activity—be it phishing, spamming, or accessing illegal content—is originating from a legitimate, residential household. Furthermore, because these devices reside behind the user’s home firewall, they provide a bridge for attackers to scan and potentially exploit other private devices on the same local area network (LAN), including laptops, smartphones, and security cameras.
Industry Perspectives and Technical Data
Google’s Threat Intelligence Group has been at the forefront of the effort to sanitize the proxy landscape. In a detailed post-mortem, GTIG experts emphasized that NetNut’s business model was essentially a "laundry service" for malicious traffic. By offering residential IPs, NetNut allowed criminals to bypass security filters that typically block known data-center IP ranges.
"In a single week during June 2026, we observed 316 distinct clusters of threat actors using suspected NetNut exit nodes," the GTIG report noted. "These bad actors use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks."
Benjamin Brundage, founder of the proxy tracking service Synthient, suggests that the takedown will have a lasting impact on the cybercriminal ecosystem. Having previously exposed the links between NetNut and Popa, Brundage notes that NetNut had experienced a surge in popularity following the earlier disruption of its main competitor, IPIDEA.
"I think this takedown is going to have a big impact," Brundage stated. "NetNut was on par with IPIDEA in terms of daily traffic, quality, and price. When the ‘big’ providers go down, the criminal community is forced to scramble, which creates friction and disrupts their operations for significant periods."
Official Responses
Alarum Technologies, the parent company of NetNut, has acknowledged the seizure and pledged cooperation. Omer Weiss, legal counsel for the firm, issued a statement following the announcement:
"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."
The company’s stock, which relies heavily on the commercial viability of its proxy services, faces significant uncertainty as federal investigators sift through the seized data. For now, the company remains under intense scrutiny as law enforcement attempts to determine the degree of oversight—or willful negligence—involved in the distribution of the software that fueled the Popa botnet.

Broader Implications: A Resilient but Shifting Ecosystem
While the removal of NetNut is a victory for cybersecurity, experts warn that the ecosystem of "residential proxy-as-a-service" is remarkably fluid. The disruption of IPIDEA earlier this year demonstrated that these operators often attempt to rebrand or transition into "reseller" roles, purchasing capacity from other, less-scrutinized providers to maintain their illicit operations.
Google has acknowledged this "whack-a-mole" reality. "While we expect this disruption to have a larger ripple effect, observations after the disruption of IPIDEA proved that individual networks can appear resilient," the GTIG report cautioned. "What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller."
The "Smart" Home Risk
The investigation into NetNut has also shed light on a broader, systemic issue within the consumer electronics market. A study by the proxy-tracking firm Spur found that 42% of apps available for LG smart TVs (via the webOS platform) and over 25% of apps for Samsung’s Tizen operating system contained proxy-enabling SDKs.
This suggests that the "Popa" model is not a unique phenomenon but a standardized industry practice for monetizing free software. For the average consumer, the danger lies in "sketchy" or uncertified devices. These are often inexpensive, off-brand TV boxes that do not adhere to Google’s Play Protect certification standards.
Moving Forward: Consumer Safety Guidelines
To avoid becoming an unwitting participant in a botnet, security professionals offer the following guidance:
- Stick to Reputable Brands: Avoid no-name streaming devices sold on third-party marketplaces. Reputable manufacturers have more rigorous app-vetting processes and firmware update cycles.
- Verify Play Protect Certification: Users can verify if their device is certified by checking the Google Play Store settings on their Android devices. If a device is not certified, it is significantly more likely to contain unauthorized, pre-installed proxy SDKs.
- Audit App Permissions: Be wary of apps that request unnecessary network permissions. If a simple streaming app asks for the ability to operate in the background or modify network settings, it should be treated with extreme caution.
- Network Hygiene: Ensure your home router has the latest firmware updates and, if possible, utilize a guest network for untrusted or budget IoT devices to isolate them from your primary home computers and sensitive data.
The seizure of NetNut serves as a stark reminder that in the hyper-connected era, the "price" of free software is often the security of one’s own home network. As law enforcement continues to dismantle these infrastructures, the burden remains on the consumer to exercise extreme caution in an increasingly untrustworthy digital marketplace.

