Federal Law Enforcement Dismantles NetNut: A Major Blow to Global Proxy Botnet Infrastructure

In a significant escalation of the ongoing battle against cybercrime, the Federal Bureau of Investigation (FBI), in coordination with the Internal Revenue Service’s Criminal Investigation (IRS-CI) division, has executed a massive operation to seize hundreds of domains linked to the residential proxy service NetNut. The service, which was operated by the publicly-traded Israeli firm Alarum Technologies [NASDAQ: ALAR], had become a cornerstone for threat actors seeking to obfuscate their digital footprints.

The seizure marks a pivotal moment in the crackdown on "residential proxy" networks—services that disguise malicious traffic by routing it through the IP addresses of unsuspecting consumers’ devices. By replacing NetNut’s primary web portals with official federal seizure banners, authorities have effectively severed the control channels for the Popa botnet, a malicious network comprising at least two million compromised devices, including smart televisions and streaming hardware.

A Chronology of Discovery and Disruption

The collapse of NetNut was not an overnight occurrence but the culmination of months of investigative pressure from cybersecurity researchers.

The Investigative Trail (June 2026)

On June 19, 2026, the cybersecurity landscape was jolted by a wave of coordinated disclosures. Three independent security firms published concurrent findings identifying a direct, inextricable link between the NetNut residential proxy network and the Popa botnet. These reports detailed how NetNut’s proprietary software was being surreptitiously bundled into consumer-grade devices.

The software functioned as an "always-on" proxy node, allowing the company to rent out the bandwidth and IP reputation of private home networks to third parties. These clients—ranging from legitimate businesses to sophisticated state-sponsored hackers—used these nodes to conduct mass content scraping, advertising fraud, and, most alarmingly, credential stuffing and account takeover attacks.

The Federal Intervention (July 2026)

Following the publication of these findings, the FBI moved quickly to dismantle the infrastructure. By early July, the NetNut homepage had been replaced by a Department of Justice seizure notice. The operation relied on the technical collaboration of tech giants, including Google and Lumen, alongside the threat-intelligence specialists at Shadowserver.

By July 8, the impact on Alarum Technologies was immediate and devastating. The parent company’s own website, alarum.io, was also hit with a seizure notice. Investors reacted sharply to the news, causing Alarum’s stock to plummet by approximately 67 percent in a single week, landing at $2.62 per share as the market processed the legal fallout.

FBI Seizes NetNut Proxy Platform, Popa Botnet

Supporting Data: The Anatomy of a Proxy Botnet

The scale of the Popa botnet was not merely an inconvenience; it was a systemic threat to global network integrity. According to the Google Threat Intelligence Group (GTIG), the NetNut network had become a "preferred" tool for cybercriminals.

The White-Labeling Ecosystem

Google’s analysis revealed that NetNut’s infrastructure was not just used directly by a single group; it was a wholesale provider for the cybercrime underground. NetNut services were widely resold and white-labeled, allowing various proxy providers to mask their origins. In a single week in June, Google researchers identified 316 distinct clusters of threat actors—including groups involved in high-level corporate espionage—utilizing suspected NetNut exit nodes to hide their origins.

The Risk to Home Networks

The implications for the average consumer are severe. When a home device, such as a smart TV, is co-opted as a proxy node, it does not just transmit malicious data; it opens a back door into the private home network. As the GTIG noted in their technical analysis, once a device becomes an exit node, unauthorized traffic traverses the local network, potentially exposing other private devices—such as home computers, NAS drives, and IoT sensors—to direct internet-based threats.

Official Responses and Corporate Accountability

The involvement of Alarum Technologies, a publicly-traded entity, adds a layer of corporate accountability rarely seen in the shadowy world of proxy services.

Alarum Technologies’ Stance

Omer Weiss, legal counsel for Alarum Technologies, issued a statement shortly after the seizure, signaling an intent to cooperate with federal authorities. "Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," Weiss stated. Despite this posture, the company remains the subject of an intense investigation, and the broad seizure of their infrastructure suggests that authorities view the company’s business model as being fundamentally intertwined with the malicious activity of the Popa botnet.

Law Enforcement and Partners

The FBI and IRS-CI highlighted the critical role of industry partners in the operation. By disabling Google accounts used for malware command and control and providing the technical intelligence necessary to identify the SDKs (Software Development Kits) responsible for the infections, Google significantly hampered the ability of the botnet operators to maintain their foothold on consumer devices.

Broader Implications for the Digital Ecosystem

The fall of NetNut is part of a broader, ongoing campaign to clean up the residential proxy market. The industry has long operated in a gray area, but recent legal actions, including the earlier disruption of IPIDEA, suggest that a "new normal" is emerging in internet governance.

FBI Seizes NetNut Proxy Platform, Popa Botnet

The "Whack-a-Mole" Reality

While the takedown is a major victory, cybersecurity experts warn that the ecosystem is highly resilient. Benjamin Brundage, founder of the proxy tracking service Synthient, observes that proxy operators are quick to pivot. "When faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller," Brundage explains. He notes that the market is fluid, and unless the underlying demand for illicit, obfuscated traffic is addressed, new players will inevitably fill the void left by NetNut.

The Vulnerability of "Smart" Devices

The investigation has shone a harsh light on the lack of security in affordable, non-brand-name streaming devices. The Popa botnet thrived on the fact that many of these devices are shipped with unofficial Android operating systems that bypass Google’s Play Protect security features.

The security community’s advice to consumers remains consistent:

  1. Stick to Reputable Brands: Avoid "no-name" TV streaming boxes purchased from marketplaces where hardware is rarely vetted for security.
  2. Audit Your Apps: Be wary of applications that request excessive network permissions.
  3. Verify OS Integrity: Ensure devices are Play Protect certified to prevent the installation of backdoored firmware.

Furthermore, the issue extends beyond cheap hardware. A recent report by Spur found that nearly 42 percent of apps on LG’s webOS and over 25 percent on Samsung’s Tizen operating system contained proxy-related SDKs. This reveals a disturbing trend where legitimate smart TV ecosystems are being used to monetize user bandwidth without explicit, informed consent.

Conclusion: A Turning Point?

The takedown of NetNut and the Popa botnet represents a significant hurdle for cybercriminals who rely on residential IP addresses to conduct their operations. By striking at the infrastructure—the domains, the command-and-control accounts, and the SDKs—the FBI and its partners have forced a temporary, yet substantial, retreat in the proxy-for-hire market.

However, the long-term success of this intervention depends on whether it can force a structural shift in the industry. As Google noted, the disruption of a single network is only effective if it is scaled to target the entire interconnected web of proxy providers. For the moment, the digital ecosystem is safer, but the shadow of the residential proxy botnet remains, waiting for the next vulnerability to exploit.