FBI Dismantles NetNut Proxy and Popa Botnet Operations
The FBI seizes key domains of NetNut, disrupting a sprawling proxy service linked to cybercriminal activities.

Key points
- The FBI seized hundreds of domains linked to NetNut on a recent date.
- NetNut is operated by Alarum Technologies and connected to the Popa botnet.
- Google observed 316 clusters of threat actors using NetNut exit nodes in June 2026.
- The domain seizure impacted both the Popa botnet and NetNut's proxy network.
- Google disabled services associated with NetNut and shared intelligence with partners.
In a decisive move against cybercrime, the Federal Bureau of Investigation has seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This action follows findings from KrebsOnSecurity and multiple security firms that tied NetNut to the expansive Popa botnet, compromising over two million devices. The FBI's intervention was evident when NetNut's homepage was replaced by a seizure notice, a collaborative operation credited to partners like Google, Lumen, and Shadowserver.
The Popa botnet, as reported by three security firms on June 19, transforms everyday devices like smart TVs into proxy nodes for notorious internet activities. These include content scraping, advertising fraud, and account takeovers. NetNut, a name now synonymous with the Popa botnet, has been a go-to service for cybercriminals to obscure their digital footprints.
Google's Threat Intelligence Group (GTIG) revealed the widespread reselling and white-labeling of NetNut's proxy network. In a single week in June 2026, the group identified 316 distinct clusters of threat actors utilizing NetNut's exit nodes. GTIG also highlighted the risks posed when consumer devices become proxy nodes, inadvertently exposing home networks to cyber threats.
NetNut's downfall is a blow to cybercriminals, especially after Google's earlier actions against IPIDEA, a major competitor. Benjamin Brundage, of proxy tracking service Synthient, noted that the seizure disrupts both the Popa botnet and NetNut's proxy operations, potentially impacting other illicit activities like distributed denial-of-service attacks.
Google's efforts included disabling related Google accounts and apps bundling NetNut's SDKs. The tech giant also warned about proxy networks' resilience, as shown by IPIDEA's recovery. Many residential proxy brands were identified as white-labeling NetNut's botnet, indicating a complex, interconnected proxy ecosystem.
The situation underscores the need for vigilance in device choice. Most smart TVs infected with proxy software run unofficial Android OS, bypassing Google's Play Protect. Consumers are advised to stick to name-brand devices and scrutinize app installations. A report by Spur revealed significant proxy SDK presence in apps for LG and Samsung smart TVs, further emphasizing the risks.
How can defenders mitigate risks from compromised devices?
For those dealing with smart TVs, the advice is clear: use reputable brands and limit app installations to those from verified sources. Recognizing and removing unauthorized SDKs is crucial. Organizations should enhance network monitoring to detect anomalies indicative of proxy traffic. Collaboration with security firms and sharing threat intelligence can also aid in identifying and mitigating these threats across the board.



