2026-07-02 KrebsOnSecurity

FBI Seizes NetNut Proxy Network and Popa Botnet Tied to 2M Infected Devices

Malware, Threat Intel, Incident Response

The FBI and IRS Criminal Investigation have seized hundreds of domains associated with NetNut, a sprawling residential proxy service operated by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). The action follows findings from three independent security firms, published roughly two weeks ago by KrebsOnSecurity, connecting NetNut to the Popa botnet, a network of at least two million compromised consumer devices, including smart TVs and streaming boxes, infected with little or no user consent. NetNut's homepage was replaced with an official seizure banner thanking Google, Lumen, Shadowserver, and other industry partners for their assistance in dismantling the infrastructure.

According to research from Google Threat Intelligence Group (GTIG), NetNut's proxy network populates Popa by bundling malicious software development kits (SDKs) into consumer-facing apps. Once installed, these apps turn home devices into always-on residential proxy nodes that are rented to third parties — often through resellers and white-label providers — for mass content scraping, advertising fraud, and account takeover campaigns. GTIG observed 316 distinct clusters of threat actors using suspected NetNut exit nodes in a single week during June 2026, including both cybercriminal and nation-state espionage groups. "Bad actors can use NetNut to mask their origin IP address when accessing victim environments, conducting password spray attacks, and accessing their own infrastructure," GTIG wrote, warning that compromised devices also expose other private systems on the same home network to Internet threats.

Google said it disabled Google accounts and services used by NetNut for malware command-and-control, terminated apps known to bundle NetNut's SDKs, and shared technical intelligence on the platform's backend infrastructure with law enforcement and other platform providers. Omer Weiss, legal counsel for Alarum Technologies, confirmed the company is cooperating with investigators. Users concerned about whether their devices have been conscripted into a residential proxy botnet should run a privacy checkup to audit outbound connections, test their network with a port scanner to identify suspicious open services, and use a VPN and proxy detector to determine whether their IP has been flagged as a known residential proxy node.

Source: KrebsOnSecurity
