"The Popa botnet is a collection of at least two million devices," security researchers reported — and on July 3, 2026 the FBI, working with industry partners, moved to seize hundreds of domains tied to that network and to NetNut, the residential proxy service alleged to ride on top of it.
FBI and IRS Criminal Investigation seize NetNut-linked domains
The Federal Bureau of Investigation said it worked with industry partners to take down hundreds of domains associated with NetNut, a residential proxy service run by the publicly traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The FBI seizure banner replaced NetNut’s homepage, and the seizure notice acknowledged help from Google, Lumen, Shadowserver and other partners. The Internal Revenue Service Criminal Investigation division was also named on the notice.
Google Threat Intelligence Group: resellers, clusters, and operational disruption
In a blog post published the same day, Google's Threat Intelligence Group (GTIG) said NetNut’s proxy network is widely resold and white-labeled by third-party providers and is heavily sought by cybercriminals. GTIG wrote that in a single week in June 2026 it observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including both cybercriminal and espionage groups.
GTIG described operational steps it took: disabling Google accounts and services used by NetNut for malware command-and-control, sharing technical intelligence on NetNut SDKs and backend infrastructure with platform providers, law enforcement and research firms, and disabling apps known to bundle NetNut’s SDKs. Google said the seizures have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.”
How NetNut’s software and the Popa botnet interacted with consumer devices
Multiple security firms — and a KrebsOnSecurity report published roughly two weeks earlier — linked NetNut to the Popa botnet. According to those findings, NetNut’s software turns consumer devices commonly found in homes, such as smart TVs and streaming boxes, into always-on residential proxy nodes. Those nodes are then rented to others who use them to relay abusive Internet traffic, including mass content scraping, advertising fraud and account takeover activity.
Google warned that when a consumer device becomes an exit node, unauthorized traffic passes through it and bad actors can use the device to mask their origin IP address when accessing victim environments or conducting password-spray attacks. The reporting notes that many cheap TV streaming boxes either come pre-installed with residential proxy software or require installation of proxy SDKs, and that these devices often run unofficial Android operating systems outside of Google’s Play Protect ecosystem.
Spur, a proxy-tracking company cited in the coverage, found that 42 percent of apps available for LG’s webOS include SDKs that turn the television into an always-on proxy node, and more than a quarter of apps for Samsung’s Tizen operating system contained similar components.
Alarum Technologies, researchers, and the knock-on effects across proxy networks
Omer Weiss, legal counsel for Alarum Technologies, said the company was aware of the FBI seizure and “will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”
Benjamin Brundage, founder of the proxy-tracking service Synthient, said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network. Brundage characterized NetNut as having gained significant popularity after earlier legal action against another provider, IPIDEA, and said NetNut had parity with IPIDEA “in terms of their daily traffic, quality, size, price per gigabyte, all of it.”
Brundage and others expect the takedown to reduce damaging activity that has leveraged residential proxy infrastructure — including large distributed denial-of-service botnets. Synthient’s earlier research showed how a DDoS botnet called Kimwolf was built by tunneling through IPIDEA proxy connections into local networks and infecting Android-based devices behind consumers’ firewalls.
What this means for consumers, resellers, and cybercriminal operators
- Consumers and smart-TV users: the reporting underscores that many no-name TV boxes and third-party apps might include SDKs that turn devices into proxy nodes. Google advised sticking to name-brand devices and being selective with app installs; it also published instructions to confirm whether a device has the official Android TV OS and Play Protect certification.
- Resellers and third-party proxy providers: GTIG and researchers say resellers have frequently white-labeled and redistributed capacity from major proxy networks. That practice can allow capacity to shift quickly among providers when one network is degraded.
- Cybercriminal operators: researchers and Google observed that criminal clusters relied on suspected NetNut exit nodes for obfuscation and hostile access. The seizure reduced available capacity by millions of devices, but GTIG warned that proxy networks can rebuild by buying capacity from competitors, and that wider, coordinated action will be required to create lasting disruption.
Google summed up the challenge bluntly: “Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” and noted that making disruption durable will require scaling efforts to target infrastructure across several interconnected providers. For now, the seizures have produced significant degradation to the NetNut/Popa infrastructure, a measurable win for investigators, but the reporting makes clear that the larger proxy ecosystem remains fluid and capable of recomposition.
https://krebsonsecurity.com/2026/07/fbi-seizes-netnut-proxy-platform-popa-botnet/




