You guys β€” something huge just dropped in a story I posted back in July! The FBI teamed up with Google, Lumen, Shadowserver, and others to seize hundreds of domains from NetNut (the Israeli company Alarum Technologies) because it was powering the Popa botnet β€” 2 million compromised devices making themselves always-on residential proxies for criminals. Since then there's been a massive update: the parent company's website now also has an FBI seizure banner, and its stock crashed roughly 67% in one week down to about $2.62 per share! Google didn't just seize domains; it also disabled every account used by NetNut for malware command-and-control and shared technical intelligence on their SDKs with law enforcement and research firms. This isn't a small hit β€” NetNut was the dominant player after its rival IPIDEA got raided earlier this year, so hitting this target sends shockwaves through the entire residential proxy market where cybercriminals rely on it for everything from password spraying to mass content scraping.

The fallout reaches way beyond just seizing domains and has serious implications for wider cybersecurity too. The Popa botnet was a massive source of traffic that criminals leveraged for large-scale DDoS attacks β€” with one estimate putting their size at the "world's largest" before this takedown disrupted those channels. Google even flagged 316 distinct threat actor clusters using NetNut exit nodes in just ONE week of June, including espionage groups and other criminal organizations. The real win here is that taking down these proxy networks also reduces the footprint available for botmasters to build stealthy DDoS infrastructure on top of them later β€” although Google warns the market can adapt by whitelabeling different services. This story actually matters to you because it highlights how your own devices might be compromised without notice: the company's founder at Spur found that 42% of webOS apps on LG smart TVs and over a quarter of Tizen apps on Samsung Smart TVs contain SDKs that turn them into always-on proxy nodes.

For everyone reading β€” take Google's advice seriously and check your own gear before you become the next unconsenting server node for some Russian botherer. If you have any smart TV or streaming boxes at home, confirm your device runs official Android TV with Play Protect certification rather than an unofficial OS, which is how these kinds of SDKs get pushed onto consumer hardware in the first place. Keep your app installs tight and stick to well-known manufacturers instead of buying those knockoff all-in-one units that ship preloaded with dodgy software. You can verify whether your device is officially certified by checking Google's official documentation β€” worth five minutes now so you don't end up as an anonymous hop for a credential theft operation next month! This story has been a massive win against the cybercrime ecosystem, and it's one of those rare cases where federal action actually knocked out significant infrastructure rather than just making some headlines.

Source: https://krebsonsecurity.com/2026/07/fbi-seizes-netnut-proxy-platform-popa-botnet/