FBI Seizes NetNut Domains, Dismantling the Popa Botnet's Proxy Empire
Federal agents pulled down hundreds of domains tied to Alarum Technologies' NetNut service in mid-2026, exposing how over two million hijacked consumer devices quietly funneled cybercriminal traffic across the internet.

The Takedown
The FBI seized hundreds of domains belonging to NetNut, a residential proxy service operated by Alarum Technologies, replacing the company's homepage with a federal seizure banner in a joint operation credited to Google, Lumen, and Shadowserver.
NetNut was not merely a shady proxy reseller. Security researchers had spent months building the case that it was the commercial face of the Popa botnet, a sprawling infection that quietly conscripted smart TVs, set-top boxes, and other consumer devices into a for-hire traffic relay. By June 2026, that botnet had compromised more than two million devices worldwide.
The Popa Botnet: Everyday Devices, Criminal Infrastructure
On June 19, 2026, three independent security firms published coordinated findings on the Popa botnet, describing how it transforms ordinary household gadgets into proxy nodes. Attackers running traffic through those nodes could obscure their origin for activities ranging from advertising fraud and content scraping to account takeovers.
The mechanism is grimly straightforward. Most infected smart TVs run unofficial builds of Android, devices that never pass through Google's Play Protect verification. Malicious apps—sometimes bundled with legitimate-looking utilities—embed a proxy SDK that silently routes third-party traffic without the device owner's knowledge. A report by proxy-tracking firm Spur identified significant SDK presence inside apps targeting LG and Samsung smart TV ecosystems, illustrating just how embedded this infrastructure had become in living rooms around the world.
Consumers almost never notice. Their internet slows slightly, maybe. Their IP address becomes an exit node for credential-stuffing campaigns or distributed denial-of-service probes. They receive no warning.
Google's Intelligence Picture
Google's Threat Intelligence Group (GTIG) provided the clearest statistical snapshot of NetNut's criminal reach. In a single week in June 2026, GTIG analysts identified 316 distinct clusters of threat actors using NetNut exit nodes to conduct operations. That figure is not an estimate of total users over the service's lifetime. It is one week.
GTIG also flagged that NetNut's proxy network had been extensively white-labeled, meaning dozens of residential proxy brands were effectively reselling access to the same botnet infrastructure without advertising that fact. This daisy-chain of resellers made attribution difficult and gave cybercriminals multiple entry points even if one brand got taken down.
Following the seizure, Google disabled Google accounts and applications associated with NetNut's SDKs and shared its intelligence with industry partners. The company also issued a public warning about proxy network resilience, pointing to IPIDEA — a major NetNut competitor Google had previously disrupted — as a cautionary example of how quickly these services can reconstitute themselves after a blow.
What the Seizure Actually Disrupted
Benjamin Brundage of Synthient, a proxy-tracking service, described the action as unusually high-impact because it simultaneously hit two targets: the Popa botnet's command infrastructure and NetNut's commercial proxy operations. These do not always overlap. Taking down both at once compressed the window during which operators could migrate infrastructure and reopen for business.
The disruption affected DDoS capabilities as well. Residential proxies are increasingly popular as launch points for low-volume, distributed denial-of-service campaigns because traffic appears to originate from legitimate home IP addresses rather than obvious data-center ranges. Defenders filtering by autonomous system number or hosting provider miss it entirely.
Control Failures That Made This Possible
This incident did not hinge on a zero-day exploit or nation-state sophistication. It grew from two mundane, persistent failures that defenders can actually fix.
First: device identity hygiene at the consumer and enterprise level collapsed. Most infected devices ran Android firmware that had never been certified by Google, meaning no automated security baseline existed. Organizations that allow employee-owned or guest smart TVs on their networks have almost certainly imported the same risk. Network segmentation policies that isolate IoT and smart-home devices from corporate traffic are not optional hardening. They are table stakes. The Verizon 2024 Data Breach Investigations Report found that 14 percent of breaches involved exploitation of internet-facing assets, a category that increasingly includes embedded and consumer-grade devices that IT departments simply do not inventory.
Second: supply-chain visibility into third-party SDKs remains near zero for most organizations. Developers integrating advertising or analytics SDKs into apps rarely audit what those libraries do at runtime. NetNut's SDK spread precisely because it rode inside other software that looked legitimate. An organization building or distributing apps has a responsibility to vet every dependency. Security teams should require a software bill of materials (SBOM) for any internally distributed application. NIST's guidance on software supply chain security, published as part of its Cybersecurity Framework 2.0, provides a practical starting point for teams that have not yet formalized this process.
The human dimension matters too. Employees who sideload apps on personal devices connected to corporate Wi-Fi, or who plug unvetted smart devices into office networks, are expanding the attack surface in ways that no perimeter firewall catches. Security-awareness training that specifically addresses IoT risk, sideloading behavior, and why residential-looking IP addresses are dangerous — not just phishing simulations — gives employees the mental model they need to make better decisions. Organizations can explore training programs calibrated to real threat scenarios rather than generic compliance checkboxes.
What Defenders Should Do Now
The seizure is a win, but the underlying conditions that allowed NetNut to flourish have not changed. Proxy networks will reconstitute. Botnets will find new consumer devices to infect. Defenders need durable process changes, not just relief at the news cycle.
Audit your network for unexpected proxy traffic. GTIG's data showed 316 threat-actor clusters in a single week. Your perimeter logs may already contain anomalies. Look for high outbound connection counts to unusual port ranges, or devices initiating connections rather than receiving them.
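One way to run that audit over flow logs, as an added example that is not part of the original article: it profiles devices in an isolated IoT/guest segment and flags any that open connections to many distinct peers on ports a streaming device would not normally use. The flow-record format, the 10.0.30.0/24 segment, the expected-port set and the thresholds are all assumptions; the sample flows are constructed.

```python
"""Flag IoT-segment devices whose outbound fan-out looks like a proxy exit node.
Added example, not the article's code; flow format, segment and thresholds are assumed."""
import ipaddress
from collections import defaultdict

EXPECTED_PORTS = {80, 443, 853}  # ports a streaming device normally uses (assumption)

# Constructed sample, one flow per line: initiator destination dst_port. The TV
# 10.0.30.12 streams from a single host; 10.0.20.5 is a workstation outside the
# IoT segment; 10.0.30.40 fans out to many hosts on unexpected ports.
SAMPLE_FLOWS = """\
10.0.30.12 203.0.113.7 443
10.0.30.12 203.0.113.7 443
10.0.20.5 198.51.100.1 443
10.0.20.5 198.51.100.2 22
10.0.20.5 198.51.100.3 3389
10.0.20.5 198.51.100.4 25
10.0.30.40 192.0.2.10 443
10.0.30.40 192.0.2.11 8443
10.0.30.40 192.0.2.12 21
10.0.30.40 192.0.2.13 3389
10.0.30.40 192.0.2.14 25
"""

def parse_flows(text):
    """Parse 'src dst dport' lines; src is the side that opened the connection."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    return [(s, d, int(p)) for s, d, p in rows]

def profile_initiators(flows, segment):
    """Per initiating IP inside `segment`: distinct peers and destination ports."""
    net = ipaddress.ip_network(segment)
    stats = defaultdict(lambda: {"peers": set(), "ports": set()})
    for src, dst, port in flows:
        if ipaddress.ip_address(src) in net:  # only the isolated IoT/guest range
            stats[src]["peers"].add(dst)
            stats[src]["ports"].add(port)
    return stats

def suspected_proxy_nodes(flows, segment="10.0.30.0/24", min_peers=4, min_odd_ports=3):
    """IoT devices that open connections to many peers on many unexpected ports."""
    hits = []
    for src, s in profile_initiators(flows, segment).items():
        odd_ports = s["ports"] - EXPECTED_PORTS
        if len(s["peers"]) >= min_peers and len(odd_ports) >= min_odd_ports:
            hits.append(src)
    return sorted(hits)
```

Widening `segment` to the whole LAN shows why the segment filter matters: an ordinary workstation browsing many sites would otherwise trip the same fan-out heuristic, so baseline the thresholds per segment rather than globally.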
Inventory every device on your network, including those you did not provision. Smart TVs in conference rooms, streaming sticks plugged into monitors, and BYOD devices on guest Wi-Fi all represent potential Popa-style vectors.
Enforce firmware source verification for any Android-based device in your environment. Devices running uncertified Android builds cannot be trusted to enforce any security policy you apply at the application layer.
Require SBOMs for app dependencies. If your development team ships apps containing third-party SDKs, you must know what those SDKs do. The NetNut case shows what happens when that accountability gap is left open.
Review our full breakdown of control frameworks relevant to supply-chain and device security for structured guidance. Teams looking to assess their current security posture can also explore pricing for organization-wide awareness programs calibrated to the specific risk profile of their industry.
How awareness training could have reduced this risk
- Teach employees to recognize sideloading risks and the danger of connecting unverified smart devices to corporate or home-office networks.
- Run scenario-based training modules focused on IoT and supply-chain threats — not just phishing — so staff can identify the behaviors that enable botnet spread.
- Use simulated security exercises to test whether employees escalate unusual device behavior, the first human signal that a Popa-style infection may be present.
Train2Secure offers scenario-based modules built around real incident patterns like the Popa botnet case, so your team learns from actual threat actor behavior rather than generic examples.
Frequently asked questions
What is the Popa botnet and how does it work?
The Popa botnet infects consumer devices — primarily smart TVs running uncertified Android firmware — with a proxy SDK that silently routes third-party internet traffic through the victim device. The device owner typically notices nothing, while their IP address is used to mask cybercriminal activity such as ad fraud, credential stuffing, and content scraping.
Was my device infected by the Popa botnet?
Devices most at risk run unofficial Android operating system builds and have installed apps from outside certified app stores. Signs of infection can include unexpectedly high network usage or sluggish performance. If you own a smart TV from a lesser-known brand, check your router for unusually high outbound traffic from that device and consider a full factory reset using verified firmware from the manufacturer.
What does the FBI domain seizure actually accomplish?
Seizing NetNut's domains disrupted both the commercial proxy service and the Popa botnet's command infrastructure simultaneously. This compressed the operators' ability to migrate and resume operations quickly. However, researchers note that proxy networks have historically shown resilience, and full recovery of the botnet remains possible without sustained follow-on enforcement.
How can organizations protect themselves from residential proxy abuse?
Key steps include segmenting IoT and smart-home devices onto isolated network segments, auditing outbound traffic for proxy-like connection patterns, requiring software bills of materials (SBOMs) for any apps using third-party SDKs, and training staff on the risks of connecting unverified devices to corporate networks.