FBI seizes NetNut proxy platform, Google degrades Popa botnet
The FBI seized hundreds of NetNut proxy domains on July 2; Google's Threat Intelligence Group, working with FBI and Lumen, cut the linked Popa botnet's usable device pool by millions the same day.
Confirmed. The FBI on July 2 seized hundreds of domains tied to NetNut, a residential proxy service operated by publicly traded Israeli firm Alarum Technologies (NASDAQ: ALAR). Same day, Google’s Threat Intelligence Group reported it had degraded the linked Popa botnet — a network Google estimates at roughly two million compromised home devices — by cutting its usable relay pool “by millions,” working with the FBI, Lumen and other industry partners.
Two actions, coordinated. Timeline follows.
What NetNut is
Residential proxy service. Sold access that routes customer traffic through consumer IP addresses — home routers, IoT devices, small-office gear — for money. Attractive to whoever wants to look like a residential user: ad-fraud rings, credential-stuffers, scrapers, sanctions evaders. Also attractive to legitimate customers doing price-monitoring and ad-verification, which is the operator’s public position.
The seizure and Google’s disruption both attribute the pool’s device population, at least in significant part, to the Popa botnet — home devices compromised by malware without their owners’ knowledge. That attribution is the disputed piece. It is what the domain seizure lets prosecutors put on the public record.
Public disclosure timeline
- Roughly two weeks before July 2: KrebsOnSecurity published findings from multiple security firms connecting NetNut’s IP pool to the Popa botnet. Alarum publicly rejected the connection at the time.
- July 2, morning UTC: Google’s Threat Intelligence Group announced coordinated disruption with FBI, Lumen and industry partners. Google’s language treats NetNut and Popa as the same network operating under two names.
- July 2, later same day: FBI seized hundreds of domains and Krebs reported the action.
Confidence on “NetNut and Popa share infrastructure”: high — three named parties (FBI, Google TIG, Lumen) agree. Confidence on the two-million device figure: medium — Google’s number, not independently audited.
What to actually do
If your organization or your clients touched NetNut as a customer — commercial residential-proxy contracts, price-monitoring tooling, ad-verification vendors that resell — assume the service is offline for an indeterminate window. Rotate any API keys issued against the platform. Preserve billing and usage records; they will be discoverable.
If you run a corporate network, this is a reminder that residential IP space cannot be treated as a trustworthy signal. NetNut is one of at least a dozen large residential-proxy services; this seizure removes one, not the category. Treating traffic from residential ASNs with the appropriate skepticism — abuse-scoring, per-account rate limits on unauthenticated endpoints, MFA on anything that matters — remains the same job it was last week.
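As an added illustration of the per-account rate limiting and abuse-scoring mentioned above (example code written for this page, not from the original article or any party named in it): budgets are keyed on the account rather than the source IP, and many distinct residential sources failing against one account is treated as its own signal. The ASN table and the login records are constructed sample data.

```python
from collections import defaultdict

# Constructed ASN classes (documentation-range ASNs, illustrative; use a real IP-intel feed).
ASN_TYPE = {64500: "residential", 64501: "residential", 64502: "datacenter"}

# Constructed login log: (timestamp_s, account, source_ip, asn, success). "bob" is
# hit from many distinct residential IPs (proxy-pool shape); "alice" fails from one IP.
ATTEMPTS = [
    (10, "alice", "198.51.100.7", 64502, False),
    (12, "alice", "198.51.100.7", 64502, False),
    (14, "alice", "198.51.100.7", 64502, True),
    (20, "bob", "203.0.113.11", 64500, False),
    (25, "bob", "203.0.113.42", 64501, False),
    (31, "bob", "203.0.113.77", 64500, False),
    (36, "bob", "203.0.113.90", 64501, False),
    (40, "bob", "203.0.113.113", 64500, False),
    (900, "carol", "203.0.113.5", 64500, False),  # outside the window
]

WINDOW_S = 300        # sliding window length in seconds
MAX_FAILURES = 4      # per-account failure budget inside the window
MAX_DISTINCT_IPS = 3  # distinct failing sources before an account looks distributed

def summarize(attempts, now, window_s=WINDOW_S):
    """Per-account failures, distinct failing IPs and residential-ASN failures
    over attempts in the window (now - window_s, now]."""
    stats = defaultdict(lambda: {"failures": 0, "ips": set(), "residential": 0})
    for ts, account, ip, asn, ok in attempts:
        if ok or ts > now or now - ts > window_s:
            continue
        s = stats[account]
        s["failures"] += 1
        s["ips"].add(ip)
        s["residential"] += int(ASN_TYPE.get(asn) == "residential")
    return stats

def flag(attempts, now, window_s=WINDOW_S):
    """Return {account: [reasons]}. Budgets are keyed on the account, not the
    IP, so rotating through a proxy pool does not reset them; many distinct
    residential sources for one account is a signal per-IP limits miss."""
    flagged = {}
    for account, s in summarize(attempts, now, window_s).items():
        reasons = []
        if s["failures"] > MAX_FAILURES:
            reasons.append("failure budget exceeded")
        if len(s["ips"]) >= MAX_DISTINCT_IPS and 2 * s["residential"] >= s["failures"]:
            reasons.append("distributed residential sources")
        if reasons:
            flagged[account] = reasons
    return flagged
```

On the constructed data, `flag(ATTEMPTS, now=60)` flags only `bob`; a per-IP limiter would see five IPs with one failure each and flag nothing.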
If you own a home router purchased before 2022, a smart TV, or a low-cost IoT device, and firmware updates are available, apply them. Popa’s infection base is the unpatched home-equipment population. The takedown does not fix that; those devices are compromised until reflashed or replaced.
Watching for
- Alarum’s formal legal response, and whether unsealed FBI filings put forensic detail on the record.
- Displacement to other residential proxy providers over the next several weeks. This is the pattern every time.
- Any signal that Popa’s operators have re-established C2 through fresh infrastructure. Unconfirmed at time of publication — treat accordingly.
Sourcing
- Krebs on Security: FBI Seizes NetNut Proxy Platform, Popa Botnet
- The Hacker News: Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices