FBI Seizes NetNut Proxy Platform in Popa Botnet Disruption
KrebsOnSecurity reported that the FBI seized domains tied to NetNut and the Popa botnet, following research linking the residential proxy ecosystem to millions of compromised devices.

On July 2, 2026, KrebsOnSecurity reported that the FBI worked with industry partners to seize hundreds of domains associated with NetNut, a residential proxy service operated by Alarum Technologies. Krebs tied the action to prior research connecting NetNut to Popa, a botnet made up of at least two million devices compromised by software installed with little or no meaningful consent from victims.
The story is important because residential proxy services are now part of the cybercrime supply chain. Attackers use them to hide the source of activity, distribute login attempts across ordinary home IP addresses, and make malicious traffic look like normal consumer traffic.
Why this matters
Krebs reported that NetNut software and related SDKs were found in apps and devices commonly present in homes, including smart TVs and streaming boxes. Google Threat Intelligence Group also said NetNut exit nodes were used by hundreds of threat actor clusters in a single week in June 2026.
That makes this more than a consumer-device story. If a compromised home device becomes an exit node, the homeowner's network can become cover for password spraying, scraping, account takeover, and reconnaissance.
Google's related residential-proxy research explains why this class of infrastructure is dangerous: SDKs embedded inside ordinary applications can turn devices into exit nodes, while tiered command-and-control systems assign proxy tasks and route traffic through consumer networks. Google also warned that when a device becomes an exit node, traffic can reach other devices on the same private network.
Krebs reported that Google disabled accounts and services used by NetNut for malware command and control, shared technical intelligence with platform providers and law enforcement, and disabled apps known to bundle NetNut SDKs. That combination matters because seizing a homepage alone does not dismantle a residential proxy network; defenders have to disrupt apps, SDK distribution, command-and-control, reseller paths, and customer access.
What makes residential proxy takedowns hard
Residential proxy ecosystems are messy by design. They can involve the original SDK developer, app publishers, white-label proxy sellers, resellers, payment intermediaries, and end customers. A single device owner may never know their bandwidth is being sold.
That means a takedown has to target several layers:
- Domains and C2 servers that register and task devices.
- Apps and SDKs that enroll devices into the proxy pool.
- Accounts and cloud services used to operate the network.
- Resellers and white-label brands that continue selling access.
- Abuse pathways used by customers for credential attacks and scraping.
What defenders should do
- Reduce reliance on IP reputation alone.
- Detect distributed password spraying across residential networks.
- Correlate source IP with device fingerprint, session history, and user behavior.
- Require phishing-resistant MFA for high-risk accounts.
- Treat unknown streaming boxes and sideloaded TV apps as security risks on home and small-business networks.
- Educate remote workers that home network hygiene affects corporate identity security.
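
The two detection items above (distributed password spraying, and correlating source IP with device fingerprint), shown as an added example that is not from the original article: a per-IP failure counter and a fingerprint-pivot check run over the same constructed login events. The event layout, fingerprint labels, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (time, source IP, username, client fingerprint, success).
def _build_events():
    t0 = datetime(2026, 7, 1, 9, 0, 0)
    ev = []
    # Spray: one client fingerprint, 12 different home IPs, one failure per account.
    for i in range(12):
        ev.append((t0 + timedelta(seconds=40 * i), f"198.51.100.{10 + i}",
                   f"user{i:02d}", "fp-a1", False))
    # Ordinary users: their own fingerprints, an occasional typo, then success.
    ev.append((t0 + timedelta(minutes=1), "203.0.113.5", "alice", "fp-b2", False))
    ev.append((t0 + timedelta(minutes=2), "203.0.113.5", "alice", "fp-b2", True))
    ev.append((t0 + timedelta(minutes=3), "203.0.113.9", "bob", "fp-c3", True))
    return ev

EVENTS = _build_events()

def per_ip_alerts(events, max_failures=5):
    """IP-centric logic: count failures per source address."""
    fails = defaultdict(int)
    for _, ip, _, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_failures}

def spray_alerts(events, window=timedelta(minutes=15), min_users=8, min_ips=5):
    """Flag a fingerprint failing against many users from many IPs in one window."""
    by_fp = defaultdict(list)
    for ts, ip, user, fp, ok in events:
        if not ok:
            by_fp[fp].append((ts, ip, user))
    alerts = {}
    for fp, rows in by_fp.items():
        rows.sort()  # sliding window needs time order
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users, ips = {u for _, _, u in span}, {i for _, i, _ in span}
            if len(users) >= min_users and len(ips) >= min_ips:
                # Counts recorded at the moment both thresholds are first met.
                alerts[fp] = {"users": len(users), "ips": len(ips)}
                break
    return alerts

if __name__ == "__main__":
    print("per-IP:", per_ip_alerts(EVENTS), "spray:", spray_alerts(EVENTS))
```

On this sample the per-IP counter stays silent because every address fails only once, while the fingerprint pivot groups the same attempts into a single alert.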
The takeaway
The NetNut seizure is a reminder that attacker infrastructure can live inside ordinary homes. Security teams should assume that "residential" does not automatically mean "trusted."