Skip to content
Chimera readability score 65 out of 100, Academic reading level.

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims.
On June 19, three different security firms issued similar findings: That NetNut is a residential proxy network which populates a botnet called Popa, and distributes software for devices commonly found in homes, such as smart TVs and streaming boxes. NetNut’s software turns those systems into always-on residential proxy nodes that are rented to others, who predominantly use them to relay abusive and intrusive Internet traffic, such as mass content scraping, advertising fraud, and account takeover activity.
Earlier today, NetNut’s homepage was replaced with a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division. The seizure notice thanked Google, Lumen, Shadowserver and other industry partners for their help in dismantling hundreds of domains tied to the Popa botnet, which experts say has long been synonymous with NetNut’s residential proxy infrastructure.
In a blog post published today, the Google Threat Intelligence Group (GTIG) said NetNut’s proxy network is widely resold and white-labeled by a number of third-party proxy providers, and that its services are heavily sought out by cybercriminals seeking to obfuscate the source of their malicious traffic. The GTIG said that in a single week during June 2026, they observed 316 distinct clusters of threat actors using suspected NetNut exit nodes, including cybercriminal and espionage groups.
“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” Google’s GTIG wrote. “Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats.”
Google said it disabled Google accounts and services used by NetNut for malware command and control, and that it shared technical intelligence on NetNut’s software development kits (SDKs) and backend infrastructure with platform providers, law enforcement and research firms. The company also disabled apps known to bundle NetNut’s various SDKs.
Omer Weiss, legal counsel for NetNut parent Alarum Technologies, said the company was aware of the FBI seizure and cooperating with investigators.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.
Benjamin Brundage is founder of the proxy tracking service Synthient, one of the companies that published evidence last month linking the Popa botnet to NetNut and Alarum Technologies. Brundage said the domain seizures appear to have disrupted both the Popa botnet and the NetNut proxy network that rides on top of it.
Brundage said NetNut’s apparent demise is likely to be a great disadvantage for the cybercrime community, which was already reeling from legal actions by Google earlier this year that seized infrastructure for NetNut’s biggest competitor — IPIDEA.
“I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown,” he said. “Also NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it.”
The NetNut and Popa botnet takedown may have another added benefit, Brundage said: Lessening the impact of large distributed denial-of-service botnets that have been built on the backs of poorly configured residential proxy services. In January, Synthient revealed how cybercriminals had built the world’s largest DDoS botnet (Kimwolf) by tunneling through IPIDEA proxy connections into the local networks of TV box owners, and infecting other Android-based devices behind the victim’s firewall.
While many of the bigger proxy providers took steps to block this activity, resellers of the major proxy networks have been far slower to respond to the threat, Brundage said.
“In terms of all these TV box devices getting compromised from the proxy network, it will have an impact on the DDoS botnets out there,” he said.
For its part, Google reckons today’s actions have caused “significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.” But the company warns that proxy networks can rebuild themselves by effectively reselling other proxy services, as IPIDEA has done over the past few months.
“Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet,” the GTIG report concludes. “While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers.”
As KrebsOnSecurity has warned repeatedly, most of the no-name TV streaming boxes for sale on the major e-commerce websites either come pre-installed with residential proxy software, or require the installation of proxy SDKs in order to use the device for its stated purpose (streaming pirated movies, sporting events and TV shows). Google’s advice here is sound: When it comes to TV boxes, stick to name brands from reputable manufacturers, and then be sparing and judicious with any apps you choose to install.
The sketchy TV boxes that are being commandeered by the Popa botnet and other threats all come with or require the user to install unofficial Android operating systems that do not operate within the confines of Google’s Official Play Protect store. Google says consumers can confirm whether or not a device is built with the official Android TV OS and Play Protect certification by following these instructions.
Even people without TV streaming boxes can find their smart TVs enrolled in residential proxy networks, just by installing one of thousands of apps available for download on Samsung and LG smart TVs. In a report released last month, the proxy tracking company Spur found 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components, Spur found.
Update, 4:24 p.m. ET: Included a statement shared post-publication from an attorney representing NetNut parent Alarum Technologies.
Update, July 8, 2:34 p.m. ET: The website for Alarum Technologies — alarum[.]io — now also features a seizure notice from the FBI. The company’s stock has taken a beating since the FBI action, and is currently trading at $2.62 a share, a roughly 67 percent decline over the past week.
” collection of at least two million devices that have been compromised by malicious software with little or no consent from victims”
OK, I read stuff like this every so often. I do not doubt it to be true. Like most folks, I’d prefer not to be an involuntary participant in that scheme.
So, how does one – despite best efforts to avoid contamination – find out whether a device is captured and if so how to rid it of the crap??
As a first step, Synthient has a page where you can enter your IP and see if they’ve detected it as a proxy. That won’t help you narrow it down to a specific device on your home network though.
Popular residential proxy reseller Live Proxies CEO used to work for netnut, and their current proxy network is entirely using netnut as well. But interestingly enough the netnut website is still up? Did the FBI seize the wrong website. netnuts website is .io and the FBI seemingly has sized the .com
Same question. What’s going on? .io site still advertising residential proxies!!!
I’m told they are working on getting the .io domain as well, but it’s taking more time. In any case, the back end infrastructure for Popa and the proxy network appears to be down.
It’s not like they missed it. It’s jurisdiction problem. First domain was registered using namecheap.
Considering the .io and other details seen in the whois they used they are not going to take this domain anytime soon, maybe in few months. The whole operation seems to be not well prepared, otherwise they’d have it synced and both domains would be taken at the same time like in other FBI ops. Seems there was need to show something off urgently
Interesting. http://whois.nic.io/ shows ns{1,2}.fbi.seized.gov as Name Servers for netnut.io, but in the DNS I still see {betty,cleo}.ns.cloudflare.com. The whois/registry DB entry was updated 2026-07-03T05:04:20Z, and it’s unclear to me why this discrepancy has been persisting for three days.
it can sometimes take a while for nameserver changes to take effect. ISPs tend to cache that stuff…
They started taking down proxies some users use for bad things?
Now they’ve taken away the main domain as well: https://netnut.io/
Shoutout Wealth God Bless!!!
Yes
The same question as someone had asked above. Brian, can you please give instructions in this or in another post on how to detect if your devices are used as residential proxies?
Answers here.
https://www.fbi.gov/investigate/cyber/alerts/2026/evading-residential-proxy-networks-protecting-your-devices-from-becoming-a-tool-for-criminals
It’s not a simple answer. Here was my advice from January
One frustrating aspect of threats like Kimwolf is that in most cases it is not easy for the average user to determine if there are any devices on their internal network which may be vulnerable to threats like Kimwolf and/or already infected with residential proxy malware.
Let’s assume that through years of security training or some dark magic you can successfully identify that residential proxy activity on your internal network was linked to a specific mobile device inside your house: From there, you’d still need to isolate and remove the app or unwanted component that is turning the device into a residential proxy.
Also, the tooling and knowledge needed to achieve this kind of visibility just isn’t there from an average consumer standpoint. The work that it takes to configure your network so you can see and interpret logs of all traffic coming in and out is largely beyond the skillset of most Internet users (and, I’d wager, many security experts). But it’s a topic worth exploring in an upcoming story.
Happily, Synthient has erected a page on its website that will state whether a visitor’s public Internet address was seen among those of Kimwolf-infected systems: https://synthient.com/check
Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet: https://github.com/synthient/public-research/blob/main/2026/01/kimwolf/product_devices.csv
If you own a TV box that matches one of these model names and/or numbers, please just rip it out of your network. If you encounter one of these devices on the network of a family member or friend, send them a link to this story and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.
“If people are asking what they can do to avoid being victimized by proxies, it’s safest to stick with name brands,” Kaye said. “Anything promising something for free or low-cost, or giving you something for nothing just isn’t worth it. And be careful about what apps you allow on your phone.”
Many wireless routers these days make it relatively easy to deploy a “Guest” wireless network on-the-fly. Doing so allows your guests to browse the Internet just fine but it blocks their device from being able to talk to other devices on the local network — such as shared folders, printers and drives. If someone — a friend, family member, or contractor — requests access to your network, give them the guest Wi-Fi network credentials if you have that option.
That list of devices seems useful, thanks.
Did they miss netnut.ru netnut.cn netnut.com netnut.sbs along with a list of others like spiderbox.cn and spiderapi.cn but more importantly the login sites like mulogin.com not to mention armada-grup.ru and the rest ? Inquiring minds wanna know …
If you do a WHOIS lookup at DomainTools on netnut.io, you can see the domain has been moved to the FBI’s DNS server for seized domains. See bottom, ns1.fbi.seized.gov.
Domain Name: netnut.io
Registry Domain ID: REDACTED
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://www.namecheap.com/
Updated Date: 2026-07-03T05:04:20Z
Creation Date: 2017-01-10T15:30:53Z
Registry Expiry Date: 2030-01-10T15:30:53Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED
Registrant Name: REDACTED
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED
Registrant City: REDACTED
Registrant State/Province: Capital Region
Registrant Postal Code: REDACTED
Registrant Country: IS
Registrant Phone: REDACTED
Registrant Phone Ext: REDACTED
Registrant Fax: REDACTED
Registrant Fax Ext: REDACTED
Registrant Email: REDACTED
Registry Admin ID: REDACTED
Admin Name: REDACTED
Admin Organization: REDACTED
Admin Street: REDACTED
Admin City: REDACTED
Admin State/Province: REDACTED
Admin Postal Code: REDACTED
Admin Country: REDACTED
Admin Phone: REDACTED
Admin Phone Ext: REDACTED
Admin Fax: REDACTED
Admin Fax Ext: REDACTED
Admin Email: REDACTED
Registry Tech ID: REDACTED
Tech Name: REDACTED
Tech Organization: REDACTED
Tech Street: REDACTED
Tech City: REDACTED
Tech State/Province: REDACTED
Tech Postal Code: REDACTED
Tech Country: REDACTED
Tech Phone: REDACTED
Tech Phone Ext: REDACTED
Tech Fax: REDACTED
Tech Fax Ext: REDACTED
Tech Email: REDACTED
Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
Sometimes it feels like you writing an article about someone or something is the kiss of death. So many examples
“Spur found 42 percent of apps available for download via the webOS operating system on LG smart TVs include SDKs that turn one’s television into an always-on residential proxy node. More than a quarter of the apps made for Samsung’s Tizen operating system had similar residential proxy components”
So 42% of all available LGwebOS apps and ‘more than 25%’ of all available Tizen apps are ~basically~ trojans!?!
EXACTLY HOW are LG and Samsung allowing these HUGE percentages of their available apps to be TROJANS?
Do they really not check in any depth AT ALL? Am I wrong or should heads be rolling, EULA be damned?

Facts Only

* The FBI worked with industry partners to seize hundreds of domains associated with NetNut.
* NetNut is a residential proxy service operated by Alarum Technologies (ALAR).
* Security firms linked NetNut to the Popa botnet, comprising at least two million compromised devices.
* NetNut’s software turns systems into always-on residential proxy nodes rented to others.
* These nodes are used by others to relay abusive traffic such as content scraping and advertising fraud.
* The Google Threat Intelligence Group observed 316 clusters of threat actors using suspected NetNut exit nodes in June 2026.
* Bad actors use NetNut to mask IP addresses, access infrastructure, and conduct password spray attacks.
* Google disabled Google accounts and services used by NetNut for malware command and control.
* Google shared technical intelligence on NetNut’s SDKs and backend infrastructure with law enforcement and research firms.
* NetNut's domain netnut.io was seized by the FBI, and name servers were changed to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
* Research indicated that 42% of apps on LG webOS and over 25% of Tizen apps included residential proxy SDKs.

Executive Summary

The Federal Bureau of Investigation seized hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies (NASDAQ: ALAR). This action followed findings from security firms linking NetNut to the Popa botnet, a collection of at least two million compromised devices. Security firms reported that NetNut functions as a residential proxy network that populates the Popa botnet and distributes software for home devices like smart TVs into always-on residential proxy nodes rented to others for relaying abusive traffic.
The Google Threat Intelligence Group observed 316 distinct threat actor clusters using suspected NetNut exit nodes during June 2026. These actors use NetNut to mask their origin IP addresses, access infrastructure, and conduct password spray attacks, enabling them to access other private devices on the same home network. Google disabled Google accounts and services used by NetNut for malware command and control and shared technical intelligence regarding NetNut's software development kits with law enforcement and research firms.
NetNut’s parent company, Alarum Technologies, acknowledged the seizure and stated cooperation with investigators. Experts suggest that dismantling NetNut is expected to be disadvantageous for cybercriminals who relied on it, especially since NetNut gained popularity after infrastructure seizures involving its competitor, IPIDEA. Furthermore, the disruption may lessen the impact of large DDoS botnets built on residential proxy services.

Full Take

The narrative centers on the infrastructure vulnerability created by the commodification of residential proxy services for malicious purposes, exposing a cascading effect across the residential ecosystem. The process illustrates how infrastructure, once leveraged for legitimate access, can be repurposed to facilitate large-scale criminal activity, linking compromised consumer hardware directly to botnet operations and subsequent network penetration.
The key pattern is the resilience and adaptability of the proxy ecosystem when faced with targeted disruption. When a core domain or service like NetNut is seized, the observed outcome suggests adaptation rather than total collapse; resellers pivot to acquiring capacity from competitors, indicating that infrastructure control in this fluid market is less about ownership and more about immediate operational continuity. This moves the focus from stopping the initial source to targeting the interconnected layers of distribution, suggesting that systemic control requires addressing the entire chain of custody for proxy assets across different registration authorities and services.
The implication for consumer devices—smart TVs and other IoT systems—is critical. The high prevalence of proxy SDKs embedded within operating systems suggests a structural failure in ensuring the security baseline of end-user hardware, where functionality and privacy are secondary to software availability or ease of installation. Questioning why major platform vendors permit such deep integration of potentially compromised components necessitates moving beyond addressing individual network intrusions toward demanding systemic accountability for the software layers that define contemporary device interaction.
Bridge Questions: If infrastructure fragmentation is the norm, how can regulatory bodies enforce unified security standards across disparate domain registrars and platform ecosystems? What are the long-term consequences if specialized threat intelligence becomes the primary method for detecting residential proxy exploitation rather than end-user awareness? Does focusing enforcement on upstream providers or downstream consumers offer a more resilient strategy against distributed infrastructure attacks?

Sentinel — Human

Confidence

The text functions as an investigative synthesis, blending factual reporting on a security event with expert analysis and personal rhetorical questioning about systemic vulnerabilities in the smart TV ecosystem.

FBI Seizes NetNut Proxy Platform, Popa Botnet — Arc Codex