FBI and Google Join Forces to Disrupt NetNut, a Major Proxy Network
In a significant coordinated international operation, the FBI, in collaboration with Google’s Threat Intelligence Group, has successfully disrupted NetNut, one of the largest commercial residential proxy networks in the world. This groundbreaking initiative has raised alarms in cybersecurity circles, as it reveals the growing sophistication of cybercriminal enterprises and the unprecedented scale at which they operate.
At the core of this operation lies the notorious Popa botnet, a mechanism that has covertly co-opted more than two million consumer devices worldwide, effectively turning them into traffic-routing relays for various nefarious actors, including cybercriminal groups and state-sponsored espionage organizations. The sheer size of this operation underscores the complex challenges faced by cybersecurity experts in combating modern digital threats.
The collaboration involved notable industry partners such as Lumen Technologies, the Shadowserver Foundation, and the Criminal Investigation division of the U.S. Internal Revenue Service (IRS). Together, they focused on dismantling the digital infrastructure underpinning the NetNut proxy service, managing to seize hundreds of domains linked to this extensive network.
Unveiling the Mechanism: How Popa Turned Everyday Devices into Proxy Nodes
The Popa botnet is a traffic-relay layer built out of unsuspecting consumer electronics. By embedding deceptive software development kits (SDKs) into low-cost, off-brand Android-based smart TVs and streaming media boxes, NetNut turned ordinary devices into proxy exit nodes. This let the operators hijack the home internet connections of users, so that malicious traffic left the network from legitimate domestic IP addresses. Because that traffic appeared to originate from ordinary households, it bypassed the blocks that websites apply to data center address ranges and other reputation-based defenses.
A report from Google, published on July 2, revealed that at least 316 distinct threat clusters leveraged NetNut exit nodes within just one week in June 2026. These clusters engaged in a range of malicious activities, including password-spraying campaigns, credential stuffing, advertising fraud, and sensitive data scraping, highlighting the extensive misuse of compromised devices.
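The password-spraying misuse described above is the clearest illustration of why residential exit nodes matter to defenders. The following is an added example, not code from the article or from Google's report: a Python detection sketch over a constructed authentication log, showing that a source-keyed lockout rule never fires when every attempt exits a different household address, while a window-keyed rule that counts distinct failing accounts still catches the campaign. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not real data): 12 failed logins in 12 minutes,
# each against a different account and from a different source address, the
# shape a spray takes when every attempt exits a different residential node.
SAMPLE_LOG = [
    f"2026-06-15T09:{i:02d}:10Z auth FAIL user=user{i:02d} src=203.0.113.{10 + i}"
    for i in range(12)
] + [
    "2026-06-15T09:30:00Z auth OK user=user03 src=198.51.100.7",    # normal login
    "2026-06-15T11:00:00Z auth FAIL user=user03 src=198.51.100.7",  # isolated miss
]
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["result"], m["user"], m["ip"]

def per_ip_alerts(lines, threshold=5):
    """Source-keyed rule: flag any IP with >= threshold failures (one attempt per node defeats it)."""
    fails = defaultdict(int)
    for _, result, _, ip in parse(lines):
        if result == "FAIL":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_alerts(lines, window=timedelta(minutes=10), min_users=8, max_per_ip=2):
    """Campaign-keyed rule: within one window, many distinct accounts fail while no
    single source exceeds max_per_ip. Returns {window_start_iso: summary}."""
    buckets = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        if result == "FAIL":
            # Align the timestamp down to the start of its fixed-size window.
            start = ts - timedelta(seconds=ts.timestamp() % window.total_seconds())
            buckets[start].append((user, ip))
    alerts = {}
    for start, events in buckets.items():
        users = {u for u, _ in events}
        per_ip = defaultdict(int)
        for _, ip in events:
            per_ip[ip] += 1
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts[start.isoformat()] = {"users": len(users), "sources": len(per_ip)}
    return alerts
```

On the sample, the per-IP rule returns nothing while the windowed rule flags the 09:00 window with ten accounts hit from ten sources; in practice the same aggregation can be keyed on TLS fingerprint or user agent as well as time.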
Unlike typical underground botnets run by clandestine groups, NetNut has been linked by independent cybersecurity journalist Brian Krebs to Alarum Technologies Ltd., a publicly traded Israeli company listed on NASDAQ. Research by firms such as Qurium and Synthient supports these links, showing direct ties between Alarum’s leadership and the original developers of the Popa SDK.
Although Alarum has traditionally promoted its software as a consensual bandwidth-sharing tool, independent reviews suggest that the applications carrying this technology did not give users adequate notice or obtain their consent. This lack of transparency raises ethical questions about how user data and device resources are being exploited.
In response to the FBI’s seizure of certain domains, Alarum Technologies has publicly stated its commitment to cooperating with law enforcement to investigate and address any misuse of its infrastructure. The statement reflects the seriousness with which the company views the allegations against it.
Even though the Google report did not directly mention Alarum Technologies, Google Threat Intelligence Group researchers pointed out that NetNut operates a robust reseller program that allows other brands to white-label its network. This means that many popular residential proxy services may trace their roots back to the NetNut botnet, complicating the landscape of digital security even further.
Additionally, Google has highlighted ongoing research from Synthient, Spur, and Nokia Deepfield documenting NetNut being used to infect devices with variants of the notorious Mirai distributed denial-of-service (DDoS) botnet.
Strategic Countermeasures: Google and the FBI’s Response
To prevent the rapid resurgence of the NetNut network, Google implemented immediate tactical measures in tandem with the legal actions of the FBI. The company took the significant step of disabling all Google accounts associated with NetNut’s command-and-control operations and updating Google Play Protect to warn Android users about the compromised applications. This included disabling apps that contained the malicious SDKs.
Google expressed confidence that the coordinated actions had significantly degraded NetNut’s operational capacity, estimating that millions of devices previously available to the proxy operators had been rendered useless. This strategy builds on its earlier efforts in January 2026, when it disrupted another proxy network known as IPIDEA.
Legal and Operational Confusion: The Domain Takedown Dilemma
The initial phase of the NetNut disruption spurred discussions within the threat intelligence community, especially regarding the domain takedown process. Although the FBI’s seizure notice appeared on netnut.com, the primary commercial domain, netnut.io, remained active and accessible for a time. This situation led to speculation among online commentators as to whether law enforcement agencies had targeted the wrong domain.
However, cybersecurity specialists clarified that both domains were interconnected, and while seizing the primary commercial domain might involve longer legal and jurisdictional processes, the backend command-and-control servers critical to the botnet’s operations had been effectively dismantled. This significant action severely disrupted the overall functioning of the network.
In conclusion, the collaborative operation between the FBI and Google serves as a vital reminder of the evolving landscape of cyber threats and the importance of international cooperation in combating them. As digital infrastructures continue to grow more complex, the ongoing efforts of law enforcement and tech giants will be crucial in safeguarding users and their devices from exploitation.
