The Federal Bureau of Investigation (FBI), in coordination with the IRS Criminal Investigation division and several industry partners, has seized hundreds of domains associated with NetNut, a residential proxy service operated by Israeli public company Alarum Technologies (NASDAQ: ALAR). The action dismantles the Popa botnet, which researchers estimate comprised at least two million compromised consumer devices, including smart TVs and streaming boxes.

Background: Linking NetNut to Popa

The seizure follows reporting published roughly two weeks earlier, after three independent security firms released findings on June 19 connecting NetNut directly to the Popa botnet. According to those reports, NetNut distributed software to consumer devices without meaningful user consent, silently enrolling them as always-on proxy nodes. Those nodes were then rented to third parties and used predominantly for mass content scraping, advertising fraud, and account takeover attacks.

Google Documents Widespread Abuse

Alongside the seizure, Google’s Threat Intelligence Group (GTIG) published a blog post disclosing that during a single week in June 2026, researchers observed 316 distinct clusters of threat actors, including both cybercriminal and espionage groups, using suspected NetNut exit nodes. GTIG noted that NetNut’s proxy network is extensively white-labeled and resold by third-party providers, amplifying its reach across the criminal ecosystem.

Google warned that compromised consumer devices acting as exit nodes expose entire home networks to risk: unauthorized traffic passing through a victim’s device can provide threat actors a foothold to reach other devices behind the same firewall. In response, Google disabled accounts and services NetNut used for malware command and control, shared technical intelligence on NetNut’s SDKs and backend infrastructure with law enforcement and platform partners, and disabled apps known to bundle NetNut SDKs.

Impact on the Proxy Ecosystem

Benjamin Brundage, founder of proxy tracking service Synthient and one of the researchers who published evidence linking Popa to NetNut, said the domain seizures appear to have disrupted both the botnet and the proxy network built on top of it. He noted that NetNut had gained significant market share following earlier legal action against its largest competitor, IPIDEA, making this takedown particularly consequential for cybercrime operations that depended on it.

Brundage also pointed to a secondary benefit: reduced capacity for large distributed denial-of-service botnets that have exploited poorly secured residential proxy infrastructure. Synthient had previously documented how attackers built large DDoS botnets by tunneling through IPIDEA proxy connections into local home networks and infecting other Android devices.

Limitations and Ongoing Risk

Google cautioned that the disruption may not be permanent. Following the IPIDEA action, that service rebuilt by purchasing capacity from competing proxy networks, effectively becoming a reseller. GTIG assessed with high confidence that many popular residential proxy brands were already white-labeling NetNut’s botnet infrastructure, and that lasting disruption will require coordinated action against multiple interconnected proxy operators simultaneously.

Alarum Response

Omer Weiss, legal counsel for Alarum Technologies, confirmed the company was aware of the FBI seizure and said it would cooperate with investigators. Google estimates the action has caused significant degradation to NetNut’s proxy network, reducing the available pool of devices by millions.