FBI Seizes NetNut Proxy Domains in Crackdown on Popa Botnet

The FBI said it has seized hundreds of domains linked to NetNut, a residential proxy service tied by multiple security researchers to the Popa botnet. The operation also involved the IRS Criminal Inve...

The FBI said it has seized hundreds of domains linked to NetNut, a residential proxy service tied by multiple security researchers to the Popa botnet. The operation also involved the IRS Criminal Investigation division and several private-sector partners.

The seizure comes about two weeks after researchers said NetNut’s software was being used to enlist at least 2 million devices into a botnet built from consumer electronics and other home devices. Those systems, once compromised, were reportedly turned into residential proxy nodes that could be rented out to obscure the origin of online traffic.

How the network was used

According to Google’s Threat Intelligence Group, suspected NetNut exit nodes were being used by a wide range of threat actors, including cybercriminals and espionage-linked groups. Google said these proxy servers helped conceal the source of password-spraying campaigns, access to victim environments and traffic to attacker-controlled infrastructure.

The company also said it disabled Google accounts and services linked to malware command-and-control activity, shared technical information with law enforcement, and removed applications that bundled NetNut-related software components.

Company response and broader impact

NetNut parent Alarum Technologies said it was aware of the seizure and would cooperate with investigators. Legal counsel for the company said Alarum intended to help identify any misuse of its infrastructure and determine who may be responsible.

Security researchers said the disruption could be significant because NetNut was widely used by resellers and had become a major supplier in the residential proxy market. Some experts noted that the action may also reduce the scale of distributed denial-of-service operations that rely on compromised devices behind residential connections.

  • Google said the action removed millions of devices from the available proxy pool.
  • Researchers warned that proxy networks can be rebuilt by buying capacity from other providers.
  • Consumers were advised to avoid untrusted TV boxes and unofficial app stores.

Security firms have also warned that some smart TVs and streaming devices can be enrolled in proxy networks through third-party apps or bundled software. Analysts recommend using reputable hardware, keeping software limited to trusted sources and checking whether a device carries official certification before installation.