FBI Seizes NetNut Proxy Platform, Popa Botnet

The FBI’s Takedown of NetNut Proxy Platform Exposes Widespread Abuse of Residential Proxies

In a significant blow to cybercrime, the Federal Bureau of Investigation (FBI) has worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by Alarum Technologies. The action comes after multiple security firms revealed that NetNut is deeply linked to the Popa botnet, a massive collection of compromised devices used for malicious activities such as mass content scraping and advertising fraud.

NetNut’s software turns ordinary household devices like smart TVs and streaming boxes into always-on proxy nodes that are rented out to others. These proxies are then used to relay abusive internet traffic, often on behalf of cybercriminals seeking to hide their tracks. The sheer scale of NetNut’s operation is staggering: with at least two million devices compromised by the Popa botnet, experts warn that this takedown will have a significant impact on the cybercrime community.

The NetNut homepage now displays a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division, thanking Google, Lumen, Shadowserver, and other industry partners for their assistance in dismantling the domains tied to the Popa botnet. In a blog post published today, Google’s Threat Intelligence Group (GTIG) revealed that NetNut’s proxy network is widely resold and white-labeled by third-party providers, making it a lucrative tool for cybercriminals.

GTIG explained that NetNut’s services are used to mask the origin IP address of malicious traffic, allowing bad actors to access victim environments and infrastructure and to conduct password spray attacks with ease. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it, exposing other private devices on the same home network to internet threats.

The takedown of NetNut’s proxy platform may also have far-reaching benefits for the cybersecurity landscape. Experts warn that poorly configured residential proxy services often serve as the backbone for large distributed denial-of-service (DDoS) botnets. By disrupting NetNut’s infrastructure, law enforcement and industry partners may be able to reduce the impact of these massive DDoS attacks.

Benjamin Brundage, founder of proxy tracking service Synthient, believes that the takedown will significantly disadvantage the cybercrime community. “NetNut gained significant popularity after the IPDEA takedown,” he said, “and was incredibly common among resellers.” With NetNut’s demise, the market for residential proxies may be forever changed.

As the cybersecurity landscape continues to evolve, this takedown serves as a reminder of the importance of vigilance and cooperation between industry partners and law enforcement. For users, it highlights the need to remain cautious when engaging with services that promise convenient or anonymous internet access – often at the cost of compromising their own security.


Source: Krebs on Security — 2026-07-02