The FBI said it worked with private-sector partners to seize hundreds of domains connected to NetNut, a residential proxy service run by Israeli company Alarum Technologies, listed on Nasdaq as ALAR. The operation also targeted Popa, a botnet that security researchers have linked to NetNut’s infrastructure and to at least two million compromised devices.
The practical effect for affected consumers is ugly: home devices can become rented network exits for other people’s traffic. That traffic may include scraping, ad fraud, account takeover attempts and other abuse, while the customer using the proxy gets to appear as if they are coming from an ordinary household internet connection.
A seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division appeared on NetNut’s homepage. The notice credited Google, Lumen, Shadowserver and other partners with helping dismantle domains tied to Popa.
How the proxy network worked
Three security firms published findings on June 19 connecting NetNut to Popa. Their core claim was that NetNut supplied software for common home devices, including smart TVs and streaming boxes, and that the software converted those devices into residential proxy nodes.
Residential proxies are valuable because many websites treat home internet addresses as less suspicious than cloud servers or data centers. That makes them useful for legitimate testing in some cases, and useful for criminals trying to hide where traffic really starts. The same mechanism does not care about anyone’s intent, which is the usual problem with this market.
Google’s Threat Intelligence Group said NetNut’s network was resold and white-labeled by third-party proxy sellers. Google said that during one week in June 2026 it saw 316 distinct threat actor clusters using suspected NetNut exit nodes, including criminal and espionage groups.
Google said attackers could use NetNut to conceal their source IP addresses while entering victim systems, reaching their own infrastructure or running password spraying attacks. Google also warned that when a consumer device acts as an exit node, unauthorized traffic moves through that household network, potentially exposing other private devices on the same network.
Google said it disabled Google accounts and services used by NetNut for malware command and control. It also said it shared technical details about NetNut software development kits and backend systems with platform operators, law enforcement and researchers, and disabled apps known to bundle NetNut SDKs.
Alarum says it is cooperating
Omer Weiss, legal counsel for Alarum Technologies, said the company knew about the FBI seizure and was cooperating with investigators.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in a written statement.
Benjamin Brundage, founder of proxy tracking company Synthient, said the seizures appear to have disrupted Popa and the NetNut proxy service built on top of it. Synthient was one of the firms that published evidence linking Popa to NetNut and Alarum.
Brundage said NetNut had become especially popular after earlier Google legal action against IPIDEA, another large residential proxy provider. He said NetNut was common among resellers and comparable to IPIDEA in daily traffic, quality, size and price per gigabyte.
Google said the action reduced NetNut’s available pool of devices by millions, but warned that proxy businesses can recover by buying capacity from competitors and reselling it. Google said it has “high confidence” that many residential proxy brands were white-labeling the NetNut botnet.
TV boxes remain a weak spot
The consumer risk is not limited to one proxy company. Researchers have repeatedly found residential proxy software bundled with cheap or unofficial Android TV boxes, or required through apps used to stream pirated media. Google advises buyers to stick with reputable TV box manufacturers and verify Android TV OS and Play Protect certification.
Spur, another proxy tracking company, reported last month that 42 percent of LG webOS smart TV apps it reviewed included SDKs that could turn a television into an always-on residential proxy node. Spur also found similar proxy components in more than a quarter of Samsung Tizen apps it examined.
This story draws on original reporting from Krebs on Security.