Home/News/FBI Seizes NetNut Proxy Platform, Popa Botnet
Krebs on Security2 min read

FBI Seizes NetNut Proxy Platform, Popa Botnet

The Federal Bureau of Investigation (FBI) announced this week that it collaborated with industry partners to seize hundreds of domains associated with NetNut, a large-scale residential proxy service operated by the Israeli company Alarum Technologies (NASDAQ: ALAR). This action follows findings published approximately two weeks prior by KrebsOnSecurity, which linked NetNut to the Popa botnet. The Popa botnet comprises at least two million compromised devices, infected with malicious software without the owners' explicit consent.

On June 19, three separate security firms released parallel reports indicating that NetNut functions as a residential proxy network that fuels the Popa botnet. The service distributes software for common household devices, including smart TVs and streaming boxes. Once installed, NetNut's software transforms these systems into continuously active residential proxy nodes. These nodes are then rented to third parties who primarily use them to reroute malicious internet traffic, such as mass content scraping, advertising fraud, and account takeover activities.

NetNut's homepage was replaced with a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division. The notice acknowledged contributions from industry partners, including Google, Lumen, and Shadowserver, for their assistance in dismantling hundreds of domains tied to the Popa botnet. Security experts have long associated the Popa botnet with NetNut's residential proxy infrastructure.

The Google Threat Intelligence Group (GTIG) stated in a blog post that NetNut's proxy network is frequently resold and white-labeled by numerous third-party proxy providers. Cybercriminals actively seek NetNut's services to conceal the origins of their malicious traffic. GTIG observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes within a single week in June 2026, encompassing both cybercriminal and state-sponsored entities.

Original source — read the full reporting at the publisher:

Read on Krebs on Security

Read next