
FBI Seizes NetNut Proxy Platform, Popa Botnet

0
Medium
Vulnerability
Published: 07/02/2026 (07/02/2026, 19:27:33 UTC)
Source: Krebs on Security

Description

The FBI seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies, following findings linking it to the Popa botnet. Popa is a botnet of at least two million compromised devices, including smart TVs and streaming boxes, used without owners' consent. NetNut's proxy network was exploited by cybercriminals and espionage groups to mask malicious traffic sources and conduct attacks such as password spraying. The seizure disrupted NetNut's proxy infrastructure and the Popa botnet, significantly reducing the pool of compromised devices. However, the residential proxy ecosystem is fluid, with operators reselling capacity from competitors, potentially allowing rebuilding. Google and other partners disabled related infrastructure and apps, and law enforcement continues investigations. Consumers are advised to use reputable devices and apps to avoid involuntary proxy participation.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 07/03/2026, 01:20:37 UTC

Technical Analysis

The FBI, in collaboration with industry partners including Google, seized hundreds of domains linked to NetNut, a residential proxy service operated by Alarum Technologies. This action followed security research connecting NetNut to the Popa botnet, which comprises over two million devices compromised with little or no user consent. NetNut's software turns consumer devices such as smart TVs and streaming boxes into proxy nodes rented out to third parties, facilitating abusive activities like content scraping, advertising fraud, and account takeover attempts. Google Threat Intelligence Group observed extensive use of NetNut exit nodes by cybercriminal and espionage actors to obfuscate their origins and conduct attacks. The seizure has caused significant degradation of NetNut's proxy network and business operations, disrupting the Popa botnet. Google disabled accounts and services used for command and control and shared intelligence with law enforcement and platform providers. Despite this disruption, the residential proxy ecosystem is resilient, with operators reselling capacity from competitors, necessitating continued efforts to target interconnected infrastructure. Consumers are advised to use official Android TV OS devices and trusted apps to reduce risk of involuntary proxy node participation.

Potential Impact

The Popa botnet, leveraging NetNut's residential proxy network, compromised at least two million consumer devices without consent, turning them into proxy nodes for malicious traffic. This enabled cybercriminals and espionage groups to mask their IP addresses, conduct password spraying, content scraping, advertising fraud, and account takeover activities. Unauthorized network traffic passing through infected devices also exposed other devices on the same home networks to potential threats. The FBI seizure and associated actions have significantly disrupted NetNut's infrastructure and the Popa botnet, reducing the pool of compromised devices by millions and impacting cybercrime operations relying on this network. However, the proxy ecosystem's resilience means similar threats may re-emerge through reselling arrangements among proxy providers.

Mitigation Recommendations

The FBI seizure and coordinated industry actions have significantly disrupted the NetNut proxy network and Popa botnet infrastructure. Google and partners have disabled related accounts, services, and apps used for command and control. Consumers are advised to use name-brand smart TVs and streaming devices with official Android TV OS and Play Protect certification, and to be cautious with app installations, avoiding unofficial or sideloaded apps that may contain proxy SDKs. Continued vigilance and cooperation with law enforcement are necessary to address the fluid residential proxy ecosystem. No direct patch applies to end users, but device hygiene and app vetting reduce risk of involuntary proxy participation.


Technical Details

Article Source
{"url":"https://krebsonsecurity.com/2026/07/fbi-seizes-netnut-proxy-platform-popa-botnet/","fetched":true,"fetchedAt":"2026-07-03T01:20:29.624Z","wordCount":1649}

Threat ID: 6a470e5d27e9c7971998f196

Added to database: 07/03/2026, 01:20:29 UTC

Last enriched: 07/03/2026, 01:20:37 UTC

Last updated: 07/03/2026, 03:26:21 UTC
