The FBI has seized hundreds of domains associated with NetNut, a residential proxy service operated by Israeli company Alarum Technologies, after security researchers linked the platform to the Popa botnet. The botnet comprises at least two million compromised devices — predominantly smart TVs and streaming boxes — that are turned into always-on proxy nodes without meaningful user consent.
The seizure, coordinated with Google, Lumen, and Shadowserver, follows reporting that connected NetNut to Popa. Google’s Threat Intelligence Group said it observed 316 distinct threat actor clusters using NetNut exit nodes in a single week, including cybercriminal and espionage groups. NetNut’s proxy network has been widely resold and white-labeled by third-party providers.
Experts warn that when consumer devices become exit nodes, unauthorized traffic passes through home networks, potentially exposing other private devices. Google disabled accounts and apps used by NetNut for command-and-control operations. Omer Weiss, legal counsel for Alarum Technologies, said the company is cooperating with investigators.
