The FBI has dealt a significant blow to the cybercrime community with the seizure of hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. This move comes after multiple security firms revealed that NetNut was linked to the Popa botnet, a collection of at least two million compromised devices used for malicious activities such as mass content scraping and account takeover.
NetNut’s business model involves turning innocent household devices like smart TVs and streaming boxes into always-on proxy nodes, which are then rented out to others who use them to relay abusive internet traffic. This infrastructure has been widely resold and white-labeled by third-party proxy providers, making it a favorite among cybercriminals seeking to obfuscate the source of their malicious activities.
Google’s Threat Intelligence Group (GTIG) has shed light on the scope of NetNut’s involvement in cybercrime. In a single week during June 2026, they observed 316 distinct clusters of threat actors using suspected NetNut exit nodes. These bad actors can use NetNut to mask their origin IP address when accessing victim environments or conducting password spray attacks. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it, potentially exposing other private devices on the same home network to internet threats.
The FBI’s takedown of NetNut’s infrastructure has been hailed as a significant success by industry experts. Benjamin Brundage, founder of proxy tracking service Synthient, believes that this move will have a major impact on the cybercrime community, which was already reeling from Google’s earlier seizure of IPIDEA’s infrastructure. With NetNut out of commission, cybercriminals will need to find alternative ways to carry out their malicious activities, making it more difficult for them to operate.
The takedown also has the potential to reduce the impact of large distributed denial-of-service (DDoS) botnets that have been built on the backs of poorly configured residential proxy services. In January, Synthient revealed how cybercriminals had built the world’s largest DDoS botnet by tunneling through IPIDEA proxy connections into targeted networks.
While it remains to be seen what the long-term effects of this takedown will be, one thing is clear: NetNut and its associated Popa botnet have been major players in the world of cybercrime. With their infrastructure now gone, law enforcement and cybersecurity experts will need to stay vigilant to ensure that these malicious activities do not simply migrate to other platforms.
The practical takeaway for consumers is that household devices can end up serving as exit nodes for residential proxy services and botnets. To mitigate these risks, users should secure their home networks: keep all devices patched and updated regularly, use strong passwords, and monitor network activity for suspicious behavior. Staying informed and taking these proactive measures helps prevent devices from becoming unwitting participants in cybercrime operations.
Source: Krebs on Security — 2026-07-02