A joint operation by the FBI and Google’s Threat Intelligence Group has dismantled a large residential proxy network that secretly turned millions of consumer devices into tools for cyberattacks. The network, identified by researchers as the Popa botnet and sold commercially as NetNut, compromised more than two million devices worldwide, routing malicious internet traffic through unsuspecting home connections.
The botnet spread through a malicious software development kit (SDK) embedded in low-cost Android-based devices, including smart TVs, streaming boxes, and unofficial apps such as SmartTube. Once installed, the malware turned those devices into proxy exit nodes without users’ knowledge or meaningful consent. Cybercriminals then used residential IP addresses to disguise their activities, making them more difficult for security systems to detect and block.
During a single week in June 2026, Google identified at least 316 separate threat clusters using NetNut’s infrastructure to conduct password spraying, credential stuffing, ad fraud, and sensitive data scraping.
NetNut differed from many underground botnets because of its reported links to a legitimate business. Cybersecurity journalist Brian Krebs reported that the network is connected to Alarum Technologies Ltd. He cited research from Qurium and Synthient, which found direct ties between Alarum’s senior leadership and the developers behind the Popa SDK.
Alarum has maintained that its platform operates as a consensual bandwidth-sharing service. However, independent technical analyses found that users were neither clearly informed nor meaningfully asked for consent before their devices became part of the proxy network.
After authorities seized domains associated with NetNut, Alarum Technologies released a statement saying, “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated, and those responsible are held to account.”
Google declined to comment on the reported corporate connections, instead focusing on how the operation was structured. Researchers said NetNut used a reseller model that allowed other companies to rebrand and market access to the same underlying infrastructure. They added that they have “high confidence” that many well-known residential proxy services rely on NetNut’s network.
As part of the operation, authorities seized hundreds of domains linked to the service. Google also disabled command-and-control accounts, updated Play Protect to detect affected apps, and removed applications containing the compromised SDK. The company said the coordinated effort significantly disrupted NetNut’s operations, cutting its pool of available devices by millions.
The takedown comes just months after authorities disrupted the IPIDEA proxy network in January 2026. Together, the two operations suggest a growing focus on shutting down the infrastructure that supports cybercrime instead of only going after the people using it.
The domain seizures caused some confusion after the takedown. The FBI seized netnut.com, but netnut.io stayed online for a while, leaving some people wondering if authorities had targeted the wrong website. Security researchers said that wasn’t the main issue. They explained that the real goal was to disable the backend command-and-control systems, which had already been disrupted, making it much harder for the network to keep operating.
Maybe you’d like some other interesting articles?

