# FBI Seizes Hundreds of Domains Linked to NetNut Residential Proxy Network and Popa Botnet
The **Federal Bureau of Investigation (FBI)**, in collaboration with industry partners, has seized hundreds of domains associated with **NetNut**, a prominent residential proxy service operated by the publicly-traded Israeli company **Alarum Technologies**. This action follows recent revelations connecting NetNut to the **Popa botnet**, a vast network of at least two million compromised devices, primarily smart TVs and streaming boxes, used to relay malicious internet traffic.
In a significant move against cybercrime infrastructure, the **Federal Bureau of Investigation (FBI)** announced today a coordinated effort with industry partners to seize hundreds of domains tied to **NetNut**. This sprawling residential proxy service, operated by **Alarum Technologies** [NASDAQ: ALAR], has been identified as a key component of the **Popa botnet**, a network comprising millions of compromised devices.

The action comes roughly two weeks after multiple security firms published findings linking **NetNut** to the **Popa botnet**. These reports indicated that **NetNut**'s software transforms common household devices, such as smart TVs and streaming boxes, into always-on residential proxy nodes. These nodes are then rented out, primarily to facilitate abusive and intrusive internet activities like mass content scraping, advertising fraud, and account takeover attempts.
## The Popa Botnet Connection
On June 19, three distinct security firms independently released research highlighting **NetNut**'s role in populating the **Popa botnet**. The software distributed by **NetNut** compromises devices with minimal or no consent from victims, effectively turning them into unwilling participants in a global proxy network.
Earlier today, **NetNut**'s homepage was replaced with a seizure notice from the **FBI** and the **Internal Revenue Service Criminal Investigation** division. The notice specifically thanked **Google**, **Lumen**, **Shadowserver**, and other industry partners for their assistance in dismantling hundreds of domains associated with the **Popa botnet**, which experts have long equated with **NetNut**'s residential proxy infrastructure.
## Google's Role and Warnings
In a blog post published today, the **Google Threat Intelligence Group (GTIG)** elaborated on **NetNut**'s widespread use among cybercriminals. They noted that **NetNut**'s proxy network is frequently resold and white-labeled by numerous third-party proxy providers, making it a popular choice for threat actors seeking to obfuscate their malicious traffic.
During a single week in June 2026, **GTIG** observed 316 distinct clusters of threat actors, including cybercriminal and espionage groups, utilizing suspected **NetNut** exit nodes. "These bad actors can use **NetNut** to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks," **Google's GTIG** wrote. They further warned, "Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats."
**Google** has taken decisive action, disabling accounts and services used by **NetNut** for malware command and control. The company also shared technical intelligence regarding **NetNut**'s software development kits (**SDKs**) and backend infrastructure with platform providers, law enforcement, and research firms, and disabled apps known to bundle **NetNut**'s various **SDKs**.
## Industry Impact and Future Outlook
**Omer Weiss**, legal counsel for **NetNut** parent **Alarum Technologies**, confirmed the company's awareness of the **FBI** seizure and stated their full cooperation with investigators.
**Benjamin Brundage**, founder of the proxy tracking service **Synthient**, which was among the companies that published evidence linking the **Popa botnet** to **NetNut** last month, believes the domain seizures have significantly disrupted both the **Popa botnet** and the **NetNut** proxy network. Brundage anticipates this takedown will severely disadvantage the cybercrime community, which was already reeling from **Google**'s earlier legal actions against **NetNut**'s competitor, **IPIDEA**.
"I think this takedown is going to have a big impact, because **NetNut** gained significant popularity after the **IPIDEA** takedown," Brundage commented. "Also **NetNut** has been incredibly common among resellers, and they were on par with **IPIDEA** in terms of their daily traffic, quality, size, price per gigabyte, all of it."

Beyond disrupting proxy services, Brundage suggests the takedown may also mitigate the impact of large distributed denial-of-service (**DDoS**) botnets. He cited **Synthient**'s January revelation of the **Kimwolf botnet**, which leveraged **IPIDEA** proxy connections to infect Android-based devices within victims' local networks.
While larger proxy providers have taken steps to block such activity, resellers have been slower to react. This takedown is expected to have a positive impact on reducing the prevalence of **DDoS** botnets built on compromised TV box devices.
**Google** estimates that today's actions have caused "significant degradation to **NetNut**'s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." However, the company warns that proxy networks can rebuild by reselling other services, as observed with **IPIDEA**.
"**Google** has high confidence that many popular residential proxy brands are in fact whitelabeling the **NetNut botnet**," the **GTIG** report concludes. "While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of **IPIDEA** proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers."
## Protecting Your Devices
As **Ghost Protocol** has repeatedly warned, many no-name TV streaming boxes available on e-commerce platforms either come pre-installed with residential proxy software or require the installation of proxy **SDKs** to function. **Google** advises consumers to stick to reputable brands for TV boxes and exercise caution with app installations.
Sketchy TV boxes, often commandeered by the **Popa botnet** and similar threats, typically run unofficial versions of Android that are not certified under **Google**'s Play Protect program. Consumers can verify whether a device is built with the official Android TV OS and carries Play Protect certification by following [Google's instructions](https://support.google.com/googleplay/answer/7165974).
Even smart TVs from manufacturers like **Samsung** and **LG** can be enrolled in residential proxy networks through app installations. A recent report by proxy tracking company **Spur** found that 42% of apps available for download via the webOS operating system on **LG** smart TVs include **SDKs** that can turn a television into a proxy node.