TempMail Ninja
//

NetNut Botnet Dismantled: FBI and Google Disrupt Massive Proxy Network

7 min read
TempMail Ninja
NetNut Botnet Dismantled: FBI and Google Disrupt Massive Proxy Network

p>On July 2, 2026, the global cyber-underground experienced a seismic disruption as a high-powered, international law enforcement coalition executed a major crackdown on one of the internet’s most prolific residential proxy networks. Led by the U.S. Federal Bureau of Investigation (FBI), the Internal Revenue Service (IRS) Criminal Investigation division, and Google’s Threat Intelligence Group (GTIG)—and supported by cybersecurity heavyweights like Lumen Technologies and the Shadowserver Foundation—the operation successfully dismantled the NetNut botnet, also widely tracked by security analysts as the “Popa” botnet. In a series of swift maneuvers, authorities seized hundreds of domains, knocked out crucial backend servers, and replaced the network’s flagship website, netnut.com, with an official law enforcement seizure banner. This milestone represents a monumental victory in the ongoing war against malicious residential proxy services.

Dismantling the NetNut Botnet: The Architecture of a Modern Proxy Takedown

At the core of this operation was the systematic neutralization of the NetNut botnet, which had ballooned to control at least two million compromised devices worldwide. Unlike traditional underground botnets managed by obscure hacker collectives on encrypted chat channels, NetNut represented a commercial enterprise masquerading as a legitimate web-scraping and data harvesting utility. This commercial positioning made it a preferred choice for threat actors seeking high-availability, bulletproof anonymity.

The joint coalition targeted several operational pillars to ensure the disruption was both broad and enduring:

  • Infrastructure Seizure: The FBI and IRS-CI executed coordinated legal warrants to seize hundreds of domains critical to the routing and commercialization of the proxy network, immediately cutting off customers from their rented nodes.
  • Command-and-Control (C2) Neutralization: Google identified and deactivated numerous Google accounts and associated infrastructure services that the botnet’s operators used to manage the malware’s backend control loops.
  • Endpoint Remediation via Play Protect: Leveraging its vast Android ecosystem, Google deployed Google Play Protect to automatically notify users and disable applications embedding the malicious NetNut Software Development Kits (SDKs).
  • Ecosystem-Wide Threat Intel Sharing: The coalition distributed highly specific technical signatures, behavioral patterns, and indicator-of-compromise (IOC) datasets to global ISPs, hardware manufacturers, and international police agencies to prevent the botnet’s reconstruction.

Under the Hood: How the Popa Botnet Hijacked the Living Room

For several years, the Popa botnet operated as a stealthy communications layer quietly embedded inside consumer smart home ecosystems. Security researchers from firms like Synthient, Spur, Nokia Deepfield, and Qurium discovered that the botnet’s primary growth mechanism relied on exploiting everyday, internet-connected appliances. In contrast to classic computer viruses that spread via email attachments or unpatched operating system exploits, the NetNut operators utilized a highly sophisticated, multi-pronged distribution pipeline:

Deceptive Proxyware and SDK Integration

The most common infection method involved tricking consumers into downloading seemingly benign “bandwidth-sharing” or proxyware applications. These apps lured users with promises of passive income or micro-payouts in exchange for sharing “unused internet capacity”. However, the software’s terms of service either completely obscured the severe risks involved, or bypassed legitimate, informed user consent altogether. Once installed, the embedded Popa SDK turned the user’s home connection into a proxy relay.

Supply Chain Compromise and Grey-Market Hardware

A more insidious vector involved the direct exploitation of smart TV streaming boxes and off-brand Android-based home devices. Researchers discovered that many cheap, unbranded streaming devices sold via major online retail marketplaces came pre-loaded with malicious firmware right out of the box. This firmware housed components of the Vo1d botnet, a massive malware family designed to target uncertified Android-based TV systems, which in turn loaded the Popa proxyware plugin. Additionally, unauthorized, trojanized versions of popular open-source media player clients, such as unauthorized iterations of the “SmartTube” app, were distributed online with the malicious SDK deeply integrated into their codebase.

Once a device was infected and connected to a home Wi-Fi network, it initiated an encrypted, long-lived tunnel to the NetNut backend infrastructure. The device was officially registered as an active “exit node,” making its legitimate, ISP-allocated residential IP address available on the open market for anyone willing to lease it.

Weaponizing Legitimate IPs: Bypassing Enterprise Defenses

Why are residential proxies highly sought after by threat actors? The answer lies in the fundamental nature of modern IP reputation and network perimeter security. Security operations centers (SOCs) and web application firewalls (WAFs) aggressively monitor and block traffic originating from known data centers or hosting providers (such as AWS, Azure, or DigitalOcean) because legitimate consumers rarely browse the web from these environments. Conversely, traffic coming from standard residential internet service providers (ISPs) like Comcast, AT&T, or Charter is deemed highly trustworthy.

By routing malicious commands through compromised home devices via NetNut, cybercriminals could masquerade as everyday families streaming movies or checking social media. This allowed them to execute highly intrusive attacks with a very low risk of detection. In a single week in June 2026, Google’s Threat Intelligence Group observed at least 316 distinct threat clusters utilizing NetNut’s compromised exit nodes. These threat groups spans the entire spectrum of digital crime, using the botnet to orchestrate:

  • Password-Spraying and Credential Stuffing: Threat actors fed millions of leaked username and password combinations into login portals of banks, retailers, and corporate networks, cycling through thousands of unique residential IPs to evade rate-limiting controls.
  • Distributed Denial of Service (DDoS) Attacks: Some compromised devices were concurrently pulled into massive, highly-coordinated Mirai-variant DDoS attack campaigns, flooding targeted web properties with seemingly legitimate home-user traffic.
  • Advertising Fraud and Search Engine Scraping: Automated scripts simulated human ad clicks on custom fraud websites to drain advertising budgets, while scrapers extracted proprietary data from e-commerce sites without triggering anti-bot protections.
  • State-Sponsored Espionage: Sophisticated Advanced Persistent Threat (APT) groups used the proxy nodes to obscure their origin locations, quietly exfiltrating sensitive intellectual property and maintaining persistent access to targeted corporate systems.

Furthermore, because the proxy client runs natively inside the victim’s local area network (LAN), the threat is not limited to outbound traffic. Google and other security analysts warned that compromised smart TVs and TV boxes essentially served as an unmonitored foothold inside the home, allowing attackers to scan, probe, and potentially pivot to compromise other sensitive devices on the same private network, such as personal computers, home servers, and smart security cameras.

The Corporate Paradox: Nasdaq, Alarum, and the Commercial Proxy Market

Perhaps the most startling aspect of the NetNut network is its deep connection to a legitimate, publicly traded corporate entity. While typical botnets are operated by covert digital cartels lurking on the dark web, NetNut was developed and operated under the corporate umbrella of Alarum Technologies Ltd., an Israeli cybersecurity and data-collection firm listed on the NASDAQ exchange under the ticker symbol ALAR.

Alarum marketed NetNut as a high-performance enterprise proxy solution, offering rotating residential, ISP, mobile, and data center IP pools for legitimate corporate uses such as SEO monitoring, market research, price comparison, and website localization. To fuel this massive pool, the company relies heavily on its proxyware SDKs. However, the revelation that these SDKs were deeply entwined with the unconsented compromise of millions of consumer home devices triggered a severe backlash and intensive law enforcement scrutiny.

To compound the issue, NetNut maintained a highly lucrative “white-label” reseller program. This program allowed third-party commercial proxy providers to buy access to NetNut’s pool of compromised residential devices, slap their own branding on it, and resell it as a white-labeled product under the NetNut botnet framework. Consequently, many of the internet’s most popular “residential proxy” storefronts were secretly fueled by the exact same exploited home appliances.

Following the FBI’s domain seizures on July 2, 2026, Alarum Technologies released a series of updates via SEC Form 6-K filings. The company acknowledged the domain seizures, initiated a “temporary operational pause” of certain network services, and stated it is actively investigating whether third parties manipulated its infrastructure. Unsurprisingly, the news sent shockwaves through the financial sector, causing Alarum’s stock value to plunge as investors reacted to the severe operational, financial, and legal risks of an active federal probe.

Lessons for Cyber Defenders and Home Consumers

The takedown of the NetNut proxy network, following on the heels of the disruption of the “IPIDEA” proxy network in January 2026, highlights a broader, systemic issue in modern internet infrastructure. Residential proxy networks have evolved into a multi-billion-dollar shadow industry, directly driven by the insatiable appetite for data from artificial intelligence training models and aggressive web scraping.

As security tools successfully block hosting providers, attackers are shifting their focus to the weakest link: the smart home. For defenders and everyday consumers, several key security practices must be prioritized:

  1. Segregate IoT Devices: Smart TVs, streaming sticks, and smart appliances should always be placed on a separate guest Wi-Fi network rather than the primary local area network (LAN). This isolates any compromised smart device and prevents lateral movement to personal computers or storage drives.
  2. Avoid “Free” Bandwidth-Sharing Apps: Consumers must remain extremely skeptical of any utility or proxyware app that promises payouts for “sharing your internet connection”. The potential liabilities, ISP-level blocks, and internal security exposures far outweigh any minimal monetary gain.
  3. Vet Smart TV Hardware and Software: Stick to certified, mainstream hardware brands for home entertainment. Avoid purchasing deeply discounted, unbranded “jailbroken” streaming devices from grey-market marketplaces, as they are routinely backdoored at the factory level. Do not side-load unauthorized apps or modified media player apks.
  4. Continuous Network Monitoring: Enterprise network defenders must transition to behavior-based anomaly detection rather than relying solely on static IP blocklists. Because malicious traffic is increasingly masquerading as ordinary consumer connections, identifying patterns of credential stuffing and API abuse is critical.

The successful disruption of Net

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.