The Federal Bureau of Investigation moved swiftly this week. It seized hundreds of domains tied to NetNut, a residential proxy service run by the Israeli firm Alarum Technologies. The action, coordinated with Google, Lumen and other partners, targeted infrastructure that security researchers had linked to the Popa botnet. At least two million compromised devices powered the operation. And just like that, a major conduit for fraud, scraping and account takeovers lost its footing.
Visitors to the NetNut homepage on July 2 encountered an FBI seizure banner instead of product pitches. The notice credited Google, Lumen, Shadowserver and others for helping dismantle domains connected to Popa. Krebs on Security first detailed the takeover and its context hours after the banner appeared. The timing followed by roughly two weeks an earlier KrebsOnSecurity story that drew on reports from three security companies. Those firms had connected NetNut’s proxy network directly to Popa, a botnet built on software distributed for smart TVs, streaming boxes and similar home gadgets.
But this wasn’t a sudden discovery. Bloomberg News reported that the FBI had examined potential links between NetNut and Popa for more than a year. The probe formed part of a broader multi-agency review. Reuters covered the coordinated effort on the same day as the seizures. Google described disabling accounts and services used in NetNut-related malware command-and-control operations. The company shared technical intelligence on the group’s SDKs and backend systems with law enforcement and industry contacts.
Google’s Threat Intelligence Group went further in a detailed post. It observed 316 distinct clusters of threat actors using suspected NetNut exit nodes during a single week in June. Cybercriminal groups and espionage operations both appeared in the mix. “These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” the GTIG wrote. The group added a stark warning. When a consumer device becomes an exit node, unauthorized traffic passes through it. That opens other private devices on the same home network to fresh risks.
The mechanics behind Popa reveal a quiet form of exploitation. Software turns ordinary household internet connections into always-on proxy nodes. Owners rarely consent in any meaningful way. Researchers from Synthient, one of the firms that mapped the connections in June, examined more than 20 apps. None displayed a clear consent prompt to users. NetNut’s parent company pushed back against the botnet label. Alarum called the research “demonstrably inaccurate assertions and flawed deductions rather than verified facts.” The firm insisted its tools support consented bandwidth-sharing that leaves devices uncompromised. Yet the evidence from independent tests tells another story.
Omer Weiss, legal counsel for Alarum Technologies, issued a statement after the seizures. “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.” The company, publicly traded on NASDAQ under ticker ALAR, had been informed directly by the FBI on July 2. Its stock and operations now face fresh scrutiny from investors watching how residential proxy providers handle sudden regulatory heat.
Benjamin Brundage founded Synthient. He tracked the proxy space closely and published key findings last month. Brundage told KrebsOnSecurity the domain seizures appear to have disrupted both the botnet and the proxy service layered on top of it. “I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said. NetNut had stepped in as a major player after Google targeted IPIDEA earlier in the year. The two services showed similar daily traffic volumes, quality and pricing. Resellers spread NetNut’s capacity widely. Many popular residential proxy brands, according to Google, were simply white-labeling the same underlying pool.
That interconnectedness matters. Google described its moves as causing “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” The company stopped short of calling it a complete kill. Past experience with IPIDEA showed how these networks adapt. Operators buy capacity from competitors and rebrand. They become resellers themselves. Lasting pressure, the GTIG argued, requires targeting several linked providers at once. One action sends ripples. But the market for clean residential IPs remains strong among those conducting large-scale scraping, ad fraud and credential stuffing.
Ordinary consumers sit at the center of this trade. Cheap Android TV boxes sold on major e-commerce sites often arrive preloaded with proxy software. Some require users to install SDKs before they can stream pirated content. Google recommends sticking to name-brand devices with official Android TV OS and Play Protect certification. Even without shady boxes, smart TVs from Samsung and LG carry risks. Spur, another proxy tracking firm, found that 42 percent of apps available for LG’s webOS included SDKs turning the television into a proxy node. More than a quarter of Samsung Tizen apps showed similar components.
The fallout extends beyond individual devices. Criminals have used these proxy footholds to build massive DDoS botnets. In January Synthient exposed Kimwolf, described as the world’s largest such network at the time. Attackers tunneled through residential proxy connections to reach devices behind home firewalls. They infected additional Android systems on the local network. Major proxy providers eventually blocked some of this activity. Many resellers moved more slowly. The current action against NetNut could ease pressure on that front, at least temporarily. Brundage noted that reducing compromised TV boxes should limit the raw material available for future DDoS operations.
Industry watchers reacted quickly on X. One Japanese security professional highlighted the shift in assumptions about residential IPs. “家庭用IPだから安全」という前提がまた崩れた,” the post read, noting the scale of at least two million devices and the 316 threat clusters observed by Google. CSIRT teams were urged to review logs for residential proxy patterns in authentication attacks. The demand for such proxies won’t disappear. New resellers or rebranded services could surface within months. But this coordinated strike buys defenders breathing room. Cleaner traffic logs. Fewer obvious exit nodes tied to the same backend.
Google’s involvement marks a notable expansion of private-sector disruption efforts. The company didn’t just share intelligence. It took direct technical steps against accounts, apps and command infrastructure. Lumen contributed mapping and analysis of the network’s structure. Shadowserver helped with sinkholing and notification. The FBI and IRS Criminal Investigation division handled the legal seizures. The operation reflects growing recognition that residential proxy networks operate in a gray zone. They promise privacy and scale to legitimate users while enabling widespread abuse. When the line blurs into outright botnet behavior, law enforcement and tech platforms now show willingness to act together.
Questions remain about long-term effectiveness. Proxy services have proven adaptable. Some resellers may already be shifting traffic to other networks. Alarum has promised cooperation, but its public statements continue to reject the botnet characterization. Independent researchers, meanwhile, maintain that consent was largely absent and that devices were compromised with little user awareness. The coming weeks will test whether this degradation holds or whether the market quickly fills the gap. For now, millions of home devices may have been freed from unwanted proxy duty. Home networks could see less unauthorized transit traffic. And threat actors face one fewer reliable way to hide their tracks.
Security teams should treat this as a prompt to audit. Check connected TVs and streaming devices for unfamiliar apps. Review bandwidth usage patterns that seem out of place. Update logging rules to flag residential proxy sources more aggressively in authentication and scraping defenses. The Popa-NetNut episode shows how consumer hardware quietly becomes infrastructure for global cyber operations. The response this week demonstrates that such infrastructure can be challenged when enough parties align. But the incentives driving these networks run deep. Expect further chapters in this contest between platform defenders, law enforcement and the resilient proxy economy.


WebProNews is an iEntry Publication