FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors


News, 3 July 2026

Written by Kevin Poireault, Reporter, Infosecurity Magazine

In a large-scale coordinated international operation, the FBI and Google’s Threat Intelligence Group have disrupted NetNut, one of the world's largest commercial residential proxy networks.

The network, which security researchers also track as the ‘Popa’ botnet, co-opted over two million consumer devices globally, turning them into traffic-routing relays for cybercriminals and state-sponsored espionage groups.

Working alongside industry partners including Lumen Technologies, the Shadowserver Foundation, and the US Internal Revenue Service’s (IRS) Criminal Investigation division, the joint operation targeted the digital infrastructure fueling the massive proxy service and seized hundreds of domains.

Banner shown when visiting netnut.com. Source: Infosecurity Magazine

How the Popa Botnet Turned Smart TVs into Proxy Exit Nodes

At the heart of the NetNut residential proxy service was the Popa botnet, an engineered stealth communications layer. By embedding deceptive software development kits into inexpensive, off-brand Android-based smart TVs, streaming media boxes and unofficial apps like the SmartTube client, NetNut hijacked ordinary home electronics.

When consumers plugged in these devices, their home internet connections were quietly rented out as residential proxy exit nodes. This allowed malicious traffic to route through legitimate domestic IP addresses, effectively bypassing standard data center blocks and security filters.

According to a Google report published on July 2, at least 316 distinct threat clusters utilized NetNut exit nodes to conduct password-spraying campaigns, credential stuffing, advertising fraud and sensitive data scraping in a single week in June 2026.

Independent cybersecurity journalist Brian Krebs reported that, unlike typical underground botnets operated by covert hacking groups, NetNut could be linked to a commercial enterprise: Alarum Technologies Ltd, a publicly traded Israeli firm listed on NASDAQ.

This reporting is partly based on security investigations by firms like Qurium and Synthient, which both established direct links between Alarum's executive leadership and the original developers of the malicious Popa software development kit (SDK).

While Alarum has historically marketed its software as a consensual bandwidth-sharing tool, independent technical reviews found that hijacked host applications failed to present users with any clear notice or consent prompt.

In response to the seizure of certain domains associated with NetNut by the FBI, Alarum Technologies issued the following statement: “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”

While the Google report does not mention the link to Alarum, the GTIG researchers noted that NetNut has “a robust reseller program that allows whitelabeling of its network” and assessed with “high confidence” that many popular residential proxy brands are in fact whitelabeling the NetNut botnet.

The company also mentions public reports by Synthient, Spur, Nokia Deepfield and others documenting the use of NetNut to infect devices with variants of Mirai distributed denial-of-service (DDoS) botnets.

Google and FBI Deploy Mitigations to Dismantle NetNut Infrastructure

To prevent the network from easily rebuilding, Google deployed immediate technical mitigations alongside the FBI's legal actions.

The company disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to automatically warn Android users and disabled apps containing the compromised SDKs.

“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said.

The company noted that this action built on the disruption of the IPIDEA proxy network that took place in January 2026.

Domain Takedown Confusion

The initial phase of the NetNut takedown sparked immediate discussion within the threat intelligence community, with some pointing out that while the FBI's seizure banner appeared on netnut.com, NetNut’s primary commercial domain, netnut.io, temporarily remained active and accessible.

Some online commentators suggested law enforcement might have targeted the wrong domain.

However, other security experts clarified that both domains are tied to the same...
