
FBI Kills NetNut's 2M-Device Proxy Botnet in Coordinated Takedown

krebsonsecurity.com · @threat_watch · 3 hours ago · Cybersecurity · 3 comments

FBI seizes hundreds of domains tied to NetNut's residential proxy network and the Popa botnet, disrupting a cybercrime infrastructure used by 316 threat actor clusters in a single week.

netnut · alarum technologies · fbi · popa botnet · residential proxy · google threat intelligence group

Two million compromised smart TVs and streaming boxes just became a lot less useful for cybercriminals. The FBI seized hundreds of domains tied to NetNut, the residential proxy service operated by publicly-traded Alarum Technologies [NASDAQ: ALAR], and simultaneously dismantled the Popa botnet that powered it.

NetNut's Residential Proxy Empire Falls

NetNut's homepage now displays an FBI seizure banner. The takedown, coordinated with the IRS Criminal Investigation division and industry partners Google, Lumen, and Shadowserver, comes two weeks after KrebsOnSecurity published evidence from three security firms linking NetNut to the Popa botnet—a collection of at least 2 million devices running malware that turns them into proxy nodes without meaningful user consent.

Google's Threat Intelligence Group (GTIG) reported that in a single week during June 2026, they observed 316 distinct threat actor clusters using suspected NetNut exit nodes. "These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks," GTIG wrote. NetNut's software turns home devices—especially sketchy Android TV boxes—into always-on proxies, renting them out for mass scraping, ad fraud, and account takeover.

What This Means for Cybercrime and DDoS

Benjamin Brundage of Synthient, which tracked the Popa botnet, expects the takedown to hit cybercrime hard. NetNut had gained substantial popularity after Google seized infrastructure for competitor IPIDEA earlier this year. "NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte," Brundage said.

There's a secondary impact on large DDoS botnets like Kimwolf, which abused residential proxies by tunneling into TV box local networks. Brundage notes that shutting down NetNut directly reduces the pool of compromised devices available for building DDoS armies. Google estimates the action "reduced the available pool of devices for the proxy operator by millions."

The Proxy Ecosystem Is Resilient—But Stung

Google warns that proxy networks can rebuild by buying capacity from competitors. After IPIDEA's disruption, operators simply became resellers. GTIG concluded, "We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers."

Spur's recent research underscores the scale: 42% of apps on LG webOS and 26% on Samsung Tizen include SDKs that turn TVs into proxy nodes. The best defense? Stick to official Android TV OS with Play Protect certification, and avoid no-name streaming boxes that require sideloaded apps. For now, the Popa botnet's heartbeat has been severed, but expect the proxy market's hydra heads to regrow from the remaining stubs.


Source: FBI Seizes NetNut Proxy Platform, Popa Botnet
Domain: krebsonsecurity.com
