ProBackend

FBI and Google Dismantle NetNut: How a 2-Million-Device Proxy Botnet Was Taken Down

A coordinated operation by the FBI, Google Threat Intelligence Group, Lumen Technologies, and Shadowserver has seized hundreds of NetNut domains and disrupted the Popa botnet — a residential proxy network built on at least 2 million compromised Android devices including smart TVs and streaming boxes, used by hundreds of threat actors for cybercrime and espionage.

The Operation That Took Down NetNut

On July 2, the FBI announced a coordinated takedown of NetNut — one of the world's largest residential proxy networks — working alongside Google Threat Intelligence Group (GTIG), Lumen Technologies, the Shadowserver Foundation, and other industry partners. The operation seized hundreds of NetNut domains, disabled critical backend infrastructure, and dealt what experts are calling a significant blow to the cybercrime proxy ecosystem.

The most visible symbol of the takedown: netnut.com now displays a seizure banner from the FBI and IRS Criminal Investigation division. The .io domain followed, with WHOIS records showing it moved to the FBI's seized-domain DNS (ns1.fbi.seized.gov) within hours.

But the domain seizures were only part of what made this operation stick. Google went after NetNut's command-and-control infrastructure directly — disabling the company accounts and services it used for malware C2, effectively cutting off the botnet's ability to receive new instructions from its operators. Google also disabled apps bundling NetNut SDKs via Play Protect, and shared technical intelligence on the network's SDKs and backend with platform providers, law enforcement, and researchers.

Mark Karayan of Mandiant confirmed to BleepingComputer that the .com domain was "also used by them along with other domains taken down." The scope here is broad, and the coordination between agencies and private-sector partners is exactly what makes these operations work.

Google's own assessment: the disruption has caused "significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions."

That's not a small number.


What Is Popa? The Botnet Behind the Proxy

NetNut is the commercial face of something far more sinister: a botnet called Popa, comprising at least 2 million compromised devices worldwide. The devices aren't servers in some dank data center — they're smart TVs, Android streaming boxes, and other home IoT sitting in living rooms across the globe.

Here's how it works. Malware gets onto these devices through trojanized applications and SDKs — either pre-installed on cheap, no-name Android TV boxes sold on major e-commerce platforms, or bundled into apps users download themselves. Badbox 2.0 is one botnet family that packages NetNut proxy plugins, according to GTIG.

Once infected, the device becomes an "exit node" — it routes unauthorized network traffic through its residential IP address. To the outside world, malicious activity appears to originate from a legitimate home internet connection. That makes attribution harder, detection trickier, and the whole thing remarkably resilient.

The residential proxy business model is straightforward: compromise devices at scale, rent access to them, and let threat actors use the residential IPs to mask their real location. NetNut's operators — the Israeli company Alarum Technologies (NASDAQ: ALAR), formerly DiviNetworks — monetized this at industrial scale.

The devices themselves don't know they're compromised. Most users have no idea their smart TV or streaming box is routing criminal traffic through their home connection.
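As an added example (not code from the article, Google, Synthient, or NetNut), here is a defender-side heuristic for the exit-node behaviour described above: it scores each LAN host in a home router's connection log by its fan-out to distinct external destinations and ports, and flags a device that also reaches neighbours on the LAN (the lateral exposure the article mentions). The log format, addresses, and thresholds are constructed assumptions.

```python
"""Heuristic: does a home device behave like a residential proxy exit node?

A streaming box normally talks to a handful of CDN hosts on 443. A device
relaying third-party traffic fans out to many unrelated destinations on
many ports, and may start touching other hosts on the LAN.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # assumption: the home network prefix
MIN_DISTINCT_DST = 5                     # assumption: tuned for one consumer device
MIN_DISTINCT_PORTS = 3

# Constructed sample log (src_ip dst_ip dst_port): .20 is a normal streaming box,
# .21 is a box behaving like a proxy exit node.
SAMPLE_LOG = """
192.168.1.20 151.101.1.1 443
192.168.1.20 151.101.1.1 443
192.168.1.20 23.55.10.8 443
192.168.1.21 203.0.113.5 443
192.168.1.21 198.51.100.77 8080
192.168.1.21 198.51.100.90 25
192.168.1.21 203.0.113.200 22
192.168.1.21 192.0.2.14 3389
192.168.1.21 192.0.2.99 443
192.168.1.21 192.168.1.30 445
192.168.1.21 192.168.1.31 22
""".strip()

def profile(log):
    """Per source: distinct external destinations, distinct ports, LAN peers."""
    ext, ports, lan = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        src, dst, port = line.split()
        if ip_address(dst) in LAN_NET:
            lan[src].add(dst)                  # device reaching into the home LAN
        else:
            ext[src].add(dst)
            ports[src].add(int(port))
    return ext, ports, lan

def flag_exit_nodes(log):
    """Return {src_ip: [reasons]} for hosts whose traffic looks like exit-node relaying."""
    ext, ports, lan = profile(log)
    findings = {}
    for src in set(ext) | set(lan):
        reasons = []
        if len(ext[src]) >= MIN_DISTINCT_DST and len(ports[src]) >= MIN_DISTINCT_PORTS:
            reasons.append(f"fan-out: {len(ext[src])} destinations on {len(ports[src])} ports")
        if lan[src]:
            reasons.append(f"lateral: contacted LAN hosts {sorted(lan[src])}")
        if reasons:
            findings[src] = reasons
    return findings
```

On the sample, only 192.168.1.21 is flagged, for both fan-out and LAN contact; on real data the thresholds need tuning per device type to avoid flagging legitimate peer-to-peer apps.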


Who Was Using NetNut? Hundreds of Threat Clusters

The scale of abuse is where this story gets really disturbing.

GTIG reported that in a single week during June 2026, it observed 316 distinct threat clusters using suspected NetNut exit nodes. These weren't just script kiddies running basic attacks — the users included both cybercriminal groups and espionage operators.

The use cases are varied and nasty. Threat actors used NetNut to mask their origin IP when accessing victim environments, conduct password-spraying attacks against corporate systems, and reach their own infrastructure from seemingly legitimate residential addresses. When a consumer device becomes an exit node, unauthorized traffic passes through it — meaning bad actors can potentially access other private devices on the same home network.

That last point is critical. It's not just about your IP being used for scraping or fraud. If someone's routing malicious traffic through your TV, they're on the same network segment as your laptop, your phone, your NAS. The attack surface expands dramatically.

Google's GTIG put it plainly: "These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats."

Three hundred sixteen threat clusters in one week. That's not a niche problem.

The Reseller Problem: Why Takedowns Alone Aren't Enough

Here's where the proxy ecosystem gets interesting — and frustrating for law enforcement.

NetNut has a robust reseller and whitelabel program. Many popular residential proxy brands are believed to be whitelabeling NetNut's infrastructure, meaning the end customer doesn't even know they're buying access to a botnet.

Benjamin Brundage, founder of the proxy tracking service Synthient (and one of the firms that published evidence linking Popa to NetNut), confirmed the takedown disrupts both the botnet and the commercial proxy network. But he also pointed out something Google itself acknowledged: the proxy industry is deeply interconnected.

"The proxy industry is deeply interconnected where operators constantly buy and resell each other's botnet capacity, and Netnut is among the largest and most popular residential proxy networks in the world," Mark Karayan of Mandiant told BleepingComputer.

Brundage noted that NetNut gained significant popularity after Google's takedown of its biggest competitor, IPIDEA, earlier in 2026. "Also NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it," he said.

Google's own report warns that when one proxy network degrades, operators simply buy capacity from competitors — effectively becoming resellers themselves. "We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers."

In other words: take down one node, and the network reconfigures around the gap. The only way to make a real dent is coordinated action across multiple providers simultaneously.

Consumer Impact: Your TV Might Be a Botnet Node

The broader implications of this takedown extend beyond just NetNut itself.

Large DDoS botnets like Kimwolf — revealed in January 2026 by Synthient as the world's largest DDoS botnet — have been built on residential proxy infrastructure. Kimwolf specifically tunneled through IPIDEA proxy connections into the local networks of TV box owners, then infected other Android-based devices behind the victim's firewall.

Brundage noted that while many bigger proxy providers took steps to block this activity, resellers of the major proxy networks have been far slower to respond. The NetNut takedown may lessen the impact of these DDoS botnets, since they've been built on the backs of poorly configured residential proxy services.

But the consumer risk is even more pervasive than just TV boxes. A report from proxy tracking company Spur found that 42 percent of apps available for download via webOS on LG smart TVs include SDKs that turn the television into an always-on residential proxy node. More than a quarter of apps on Samsung's Tizen operating system had similar components.

That means even people without sketchy streaming boxes can find their smart TVs enrolled in residential proxy networks — just by installing apps from the built-in app store.

Google's advice is practical: stick to name-brand devices, verify your TV runs official Android TV OS with Play Protect certification, and be judicious about what apps you install. Synthient has also published a page where you can check whether your public IP appears among known proxy-infected systems, and compiled a list of the most commonly compromised TV box models.

The Company Response: Cooperation, For Now

Omer Weiss, legal counsel for NetNut parent Alarum Technologies, issued a statement after the seizure:

"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."

The statement is measured, cooperative, and deliberately vague about whether Alarum acknowledges that its infrastructure was being used without authorization at scale. The company is publicly traded on NASDAQ under ALAR, which adds an interesting dynamic — shareholders will be watching how this plays out financially and legally.

For now, the domains are seized. The C2 infrastructure is down. The question hanging over all of this is whether the proxy ecosystem will actually change, or whether it'll simply reconfigure around another gap.
