The FBI has seized some of the domains associated with NetNut, a major residential proxy service linked to the Popa botnet.
Currently, visiting netnut.com opens an FBI seizure notice. The banner states that the domain was seized by the FBI as part of an operation targeting NetNut, its administrators, and subscribers. It also mentions the U.S. Department of Justice, the Internal Revenue Service, Google, Lumen, and Shadowserver.

At the same time, the service’s public website at netnut.io remains accessible for now. Therefore, this does not appear to be a complete shutdown of NetNut, but rather the seizure of part of its domain infrastructure. In the comments section of the KrebsOnSecurity article, Brian Krebs wrote that, according to his information, authorities are also working to seize the .io domain, but the process is taking longer. He also said that the internal infrastructure of Popa and the proxy network appears to be offline.

According to Google, NetNut is one of the world’s largest residential proxy networks. Google says that NetNut, also known as Popa, covered at least 2 million devices worldwide and used ordinary users’ devices, including Smart TVs and TV boxes/set-top boxes, to turn them into proxy nodes. The proxy code could be installed on devices through applications or pre-installed software.
These nodes could be used to conceal the true source of traffic. According to Google, during just one week in June 2026, it observed 316 threat actor groups using suspected NetNut exit nodes. These included both cybercriminal and espionage groups.
Google, together with the FBI, Lumen, and other partners, disabled related accounts and services used to manage the malicious infrastructure. Google also shared technical data with law enforcement agencies and researchers, while Android security systems began disabling applications containing embedded NetNut proxy code.
Google believes that the operation significantly disrupted the NetNut proxy network and reduced the available device pool by millions.
Alarum Technologies, NetNut’s parent company, confirmed that the FBI had seized several domains associated with NetNut. The company said it would cooperate with law enforcement and investigate potential abuse of its infrastructure.
KrebsOnSecurity reports that devices in such a network could be used for large-scale data scraping, ad traffic fraud, account takeover attempts, and other suspicious traffic.
NetNut positions itself as a provider of residential, mobile, static, and datacenter proxies. The company’s website also states that NetNut is a subsidiary of Alarum Technologies Ltd., whose shares are traded on NASDAQ under the ticker ALAR.











































