
FBI Seizes NetNut Residential Proxy Botnet

The FBI, with industry partners, seized hundreds of domains tied to NetNut’s residential proxy botnet, disrupting a network of over 2 million compromised devices.

On July 3, 2026, the FBI announced it had seized hundreds of domains linked to NetNut, a residential proxy platform operated by Alarum Technologies (NASDAQ: ALAR). That seizure effectively crippled a residential proxy botnet that security researchers say spans at least 2 million devices. The move came just two weeks after KrebsOnSecurity published a detailed investigation tying NetNut’s service to the notorious Popa botnet.

Key Takeaways

  • The FBI, with Google, Lumen, Shadowserver and others, seized hundreds of NetNut‑related domains.
  • NetNut’s infrastructure powers the Popa botnet, estimated to control over 2 million home devices.
  • Google observed 316 distinct clusters of threat actors using NetNut exit nodes in a single week of June 2026.
  • Alarum Technologies acknowledges the seizure and says it’s cooperating with investigators.
  • Developers should reassess reliance on third‑party residential proxies for any production traffic.

What the FBI’s seizure reveals about the residential proxy botnet

What’s striking isn’t just the number of domains taken down, but the breadth of the ecosystem that fed the botnet. NetNut’s service turned ordinary smart TVs, streaming boxes and other consumer gadgets into always‑on proxy nodes. Those nodes were then rented out to actors who used them for mass content scraping, advertising fraud and account takeover. The FBI’s notice thanked Google, Lumen and Shadowserver for helping dismantle the infrastructure that had become synonymous with the Popa botnet.

How NetNut built the botnet

Security firms that published findings on June 19 described NetNut as a residential proxy network that “populates a botnet called Popa.” The software they pushed to devices didn’t ask for consent; it simply co‑opted the device’s network connection. Once a device became an exit node, any traffic routed through it could hide the attacker’s true IP address. That made it attractive to cybercriminals who needed to mask large‑scale operations.

Google’s intelligence shows the scale of abuse

Google’s Threat Intelligence Group (GTIG) posted a blog on the same day as the seizure, noting that NetNut’s proxies are “widely resold and white‑labeled by a number of third‑party proxy providers.” In just one week of June 2026, GTIG logged 316 distinct clusters of threat actors using suspected NetNut exit nodes. Those clusters included both cyber‑criminal groups and nation‑state espionage actors.

“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” GTIG wrote.

GTIG added, “when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats.”

Industry response and remediation

Google didn’t stop at the blog. It disabled Google accounts and services that NetNut used for malware command‑and‑control, shared technical intelligence on NetNut’s SDKs and backend with other platform providers, and disabled apps that bundled those SDKs. The coordinated effort shows how quickly the tech ecosystem can rally when a threat vector becomes visible.

Alarum Technologies’ stance and the road ahead

Omer Weiss, legal counsel for Alarum Technologies, confirmed the company is aware of the FBI seizure and is cooperating with investigators. The statement, though brief, indicates the firm isn’t denying its role in the infrastructure, but is instead choosing to work with law enforcement to mitigate further damage.

That cooperation might help prevent future iterations of the same model, but it also raises questions about how many other residential‑proxy services operate under a similar veil. If a seizure banner can take a platform offline overnight, those services are clearly fragile, yet they have persisted long enough to compromise millions of devices.

Historical Context

Residential proxy services have existed for well over a decade, originally marketed as a way to obtain “real‑world” IP addresses for legitimate testing and market research. Early adopters praised the ability to route traffic through consumer‑grade connections, which often bypassed geolocation filters that data‑center proxies could not. Over time, a subset of those services began to blur the line between consent‑based usage and covert operation. The first public reports of large‑scale abuse surfaced when researchers uncovered networks that silently enrolled devices without user interaction. Those findings foreshadowed the scale of the NetNut operation, showing that the business model could be repurposed for illicit ends.

Law‑enforcement actions against similar platforms have occurred sporadically, each time highlighting a gap between the advertised “proxy as a service” and the hidden software that turns a home device into a botnet node. The July 2026 seizure stands as the most extensive takedown to date, not just because of the number of domains but because of the coordination among multiple industry partners. That collaborative model mirrors previous incidents where the FBI, private security firms, and cloud providers joined forces to disrupt command‑and‑control infrastructure.

Technical Architecture of Residential Proxies

At the heart of NetNut’s offering lies a lightweight SDK that developers embed in client applications. The SDK initiates a persistent TCP connection to NetNut’s backend, then forwards outbound traffic through the host device. Because the connection originates from a consumer broadband line, downstream services see a residential IP rather than a data‑center block. The SDK also includes a heartbeat mechanism that reports device health, allowing NetNut to manage a pool of millions of nodes and automatically replace any that go offline.

When a device becomes an exit node, the SDK does not differentiate between benign and malicious traffic. Any HTTP request, DNS lookup, or TLS handshake that passes through the node is indistinguishable from normal home browsing. This lack of granular control creates an attack surface: a malicious user can route credential‑spraying scripts, web scrapers, or even ransomware payloads through the same device. The resulting traffic inherits the IP address of the home router, making attribution far more difficult for defenders.

Google’s disclosure of the SDK signatures gave security teams a concrete indicator to hunt for. By matching network flows against those signatures, analysts can spot compromised endpoints inside corporate environments. The same technique can be applied at the perimeter to block outbound connections that attempt to use a known residential‑proxy SDK, effectively cutting off a potential escalation path.

Adoption Timeline and Market Dynamics

Residential proxies surged in popularity as companies sought to bypass anti‑scraping defenses that relied on IP reputation. The model promised “unlimited” IP diversity without the overhead of managing a fleet of physical devices. Vendors packaged the service behind white‑label agreements, allowing resellers to market the proxies as their own. This ecosystem created a cascade effect: as more third‑party providers entered the market, the pool of devices grew, and the incentive to monetize them increased.

By mid‑2026, analytics from GTIG showed a sharp uptick in the number of distinct threat actors using NetNut‑derived exit nodes. The 316 clusters recorded in a single week illustrate how quickly the service became a shared resource among disparate groups. That rapid adoption hints at a broader market trend where the line between legitimate proxy usage and illicit abuse is increasingly blurred. Companies that once relied on residential proxies for benign purposes now find themselves sharing infrastructure with actors conducting fraud, espionage, and credential‑theft.

Regulatory Implications

The seizure underscores the growing willingness of regulators to treat residential‑proxy platforms as critical infrastructure. By coordinating with Google, Lumen, and Shadowserver, the FBI demonstrated a multi‑agency approach that uses both public‑sector authority and private‑sector threat intelligence. This partnership model may become a template for future investigations, especially as cyber‑crime groups continue to adopt cloud‑native tactics that span multiple jurisdictions.

For businesses, the regulatory fallout could manifest as stricter compliance requirements around data‑origin verification. Vendors offering proxy services may be compelled to provide audit logs that prove user consent, as well as mechanisms to quickly disable compromised nodes. Failure to meet such standards could result in penalties or loss of market access, especially for firms operating in sectors with heightened data‑privacy obligations.

What This Means For You

If your product uses residential proxies, start by scanning outbound traffic for any connections to domains that were part of the seizure. You can pull the list from the FBI notice or from the original research report. Replace any suspect endpoints with reputable data‑center proxies that have clear compliance documentation.

For security teams, the takeaway is to monitor for unusual outbound patterns that could indicate a device in your network has become an exit node. Deploy network‑level controls that block unknown proxy traffic, and consider adding endpoint detection that flags the NetNut SDK signatures that Google shared.

Scenario one: a SaaS startup that runs automated UI tests across multiple geographies relies on residential proxies to simulate local user behavior. After the seizure, the startup should audit its test suite, identify any hard‑coded proxy endpoints, and shift to a provider that offers verifiable device consent. By doing so, the team avoids inadvertently routing test traffic through compromised devices, which could expose internal APIs to external observation.

Scenario two: a digital‑marketing agency purchases ad‑verification services that scrape competitor sites. The agency’s contracts list “high‑quality residential IPs” as a selling point. The agency now needs to request transparency from its vendor about the source of those IPs and demand proof that devices are not part of an unauthorized botnet. This due‑diligence step protects the agency from legal exposure if the scraped traffic is later linked to illicit activity.

Scenario three: an enterprise security operations center detects a sudden rise in outbound TLS connections to unfamiliar domains. Correlating those connections with the known NetNut SDK fingerprint reveals a compromised endpoint that has been silently co‑opted as a proxy. The SOC isolates the device, removes the SDK, and updates the incident response playbook to include checks for residential‑proxy abuse.
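The checks described above (matching outbound connections against the seized‑domain list, and flagging a device whose long‑lived outbound session and burst of connections to unfamiliar destinations look like exit‑node behaviour) can be combined in a small triage script. The following is an added example, not code from the article or from any of the parties it describes; the domain list and flow records are constructed placeholders, and the real seized domains must be taken from the FBI notice.

```python
from collections import defaultdict

# Placeholder entries only; substitute the domains published in the FBI seizure notice.
SEIZED_DOMAINS = {"seized-domain-1.example", "seized-domain-2.example"}

# Destinations the organisation already expects to see (constructed baseline).
KNOWN_DESTINATIONS = {"cdn.video.example", "updates.vendor.example", "mail.corp.example"}

# Constructed outbound flow records: (source_host, destination_domain, duration_seconds).
SAMPLE_FLOWS = [
    ("laptop-01", "mail.corp.example", 4),
    ("laptop-01", "updates.vendor.example", 30),
    ("tv-lobby", "cdn.video.example", 900),
    ("tv-lobby", "seized-domain-1.example", 7200),      # persistent backend session
    ("tv-lobby", "shop-a.example", 2),                   # unrelated sites: proxied traffic
    ("tv-lobby", "bank-b.example", 3),
    ("tv-lobby", "forum-c.example", 1),
    ("tv-lobby", "news-d.example", 2),
    ("tv-lobby", "login-e.example", 3),
    ("printer-02", "telemetry.unknown.example", 3000),  # long-lived, not on the block list
]


def analyze(flows, seized=SEIZED_DOMAINS, known=KNOWN_DESTINATIONS,
            long_lived_sec=1800, fanout_threshold=5):
    """Return {host: sorted reasons} for hosts showing residential-proxy exit-node indicators.

    Three independent signals are evaluated per host:
      - seized-domain: any flow to a domain on the seizure list;
      - persistent-unknown-session: a session to an unfamiliar domain that stays open
        at least long_lived_sec seconds (the SDK keeps a persistent backend connection);
      - unfamiliar-fanout: at least fanout_threshold distinct unfamiliar destinations,
        the pattern left when third-party traffic is relayed through the device.
    """
    reasons = defaultdict(set)
    unfamiliar = defaultdict(set)
    for host, domain, duration in flows:
        if domain in seized:
            reasons[host].add("seized-domain")
        if domain in known:
            continue
        unfamiliar[host].add(domain)
        if duration >= long_lived_sec:
            reasons[host].add("persistent-unknown-session")
    for host, domains in unfamiliar.items():
        if len(domains) >= fanout_threshold:
            reasons[host].add("unfamiliar-fanout")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in analyze(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(why)}")
```

A host that trips all three signals (as the lobby TV does here) is the strongest isolation candidate; a single long‑lived unknown session on its own warrants a look at the destination before acting.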

What new defensive measures will emerge when the next wave of proxy‑based botnets tries to hide behind legitimate services?

Key Questions Remaining

  • Will other residential‑proxy platforms adopt stricter consent mechanisms, or will they simply disappear under legal pressure?
  • How will threat‑intelligence communities share indicators of compromise for SDKs that are quickly updated by malicious actors?
  • What role will cloud providers play in policing traffic that originates from residential nodes but traverses their infrastructure?
  • Can industry standards be developed to certify “clean” residential proxy services, and will such certifications gain traction among buyers?

Sources: Krebs on Security, Google Threat Intelligence Group

About the Author

— AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.
