What we know so far: A coordinated effort by US law enforcement and private-sector researchers has disrupted a major residential proxy network that turned everyday consumer devices into tools for cybercrime. The operation, led by the FBI and Google's Threat Intelligence Group, focused on NetNut, a commercial proxy service that researchers also track as the Popa botnet. According to Google, the network co-opted more than two million devices globally, routing internet traffic through residential connections.
The Popa botnet relied on a malicious software development kit embedded in low-cost Android-based devices, including smart TVs and streaming boxes, as well as unofficial apps such as SmartTube. Once those devices were connected, they began acting as proxy exit points without clearly informing users. That setup allowed attackers to send traffic through residential IP addresses, making it harder for security systems to detect or block malicious behavior.
Google said that in one week in June 2026, at least 316 distinct threat clusters used NetNut's network for password spraying, credential stuffing, advertising fraud and sensitive data scraping.
The way NetNut operated set it apart from the usual underground botnets. Rather than being run solely by underground actors, it appears to have had ties to a commercial entity.
Cybersecurity journalist Brian Krebs reported that the network is linked to Alarum Technologies Ltd., a publicly traded Israeli firm listed on Nasdaq. He cited research from firms including Qurium and Synthient, which reported direct links between Alarum's executive leadership and the developers of the Popa SDK.
Alarum has previously described its platform as a consensual bandwidth-sharing service. However, independent technical reviews found that users were not clearly notified or asked for meaningful consent before their devices were used as part of the proxy network.
After domains linked to NetNut were seized, Alarum Technologies issued a statement saying, "Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."
Google did not address those corporate links directly but pointed to how the network operated. Researchers said NetNut supported a reseller model that allowed other companies to rebrand and sell access to the same infrastructure. The team said it assessed "with high confidence" that many popular residential proxy brands are built on top of NetNut's network.
Authorities seized hundreds of domains tied to the service, while Google disabled accounts used for command-and-control and pushed Play Protect updates to flag affected apps. Applications containing the compromised SDK were also shut down. "We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions," Google said.
The effort builds on a January 2026 disruption of the IPIDEA proxy network and signals a broader push to target proxy infrastructure, not just its users. There was some initial confusion around the domain seizures. While the FBI placed a seizure notice on netnut.com, another domain, netnut.io, remained live for a time. Some observers wondered if the wrong domain had been seized, but others pointed out that the key target was the backend command-and-control infrastructure. Security researchers said the command-and-control infrastructure had been disrupted, limiting the network's ability to operate regardless of which websites remained online.
