The NetNut Botnet Takedown: How the FBI Seized 2 Million Hijacked Devices

The NetNut botnet takedown explained: how the FBI seized NetNut after Krebs tied it to Popa, a 2M-device proxy botnet, and why proxy sourcing decides all.

HProxy Team 8 min read
Proxy.Comparison

Free proxies won't hold up here.

Shared datacenter IPs get flagged and dropped fast. When it has to hold, gaming, streaming, accounts, you need mobile and residential IPs that read as a real device, from $0.65/GB, pay as you go.

See plans & pricing

The NetNut botnet story broke on July 2, 2026, when the FBI and IRS Criminal Investigation seized hundreds of NetNut domains (netnut.io among them) after KrebsOnSecurity tied the NetNut residential proxy service to a botnet tracked as "Popa." That botnet was built from more than 2 million hijacked smart TVs and streaming boxes, quietly rented out as residential proxy exit nodes, and it is the clearest case yet of why the only proxy spec that actually matters is where the IPs come from.

We run a proxy network, so this one is close to home. A residential proxy is only ever as clean as the way its IPs were sourced, and the NetNut takedown is what happens when nobody asks that question hard enough. Here is what is confirmed, who owns what, and how to make sure the pool you are paying for is not a botnet with a billing page.

What the FBI actually seized

On July 2, 2026, the FBI and IRS Criminal Investigation (IRS-CI) seized hundreds of domains belonging to NetNut, including its main site netnut.io. NetNut was one of the larger names in the residential proxy market, the kind of provider that sells access to millions of "real" home IP addresses for scraping, ad verification, and similar work.

The seizure followed reporting by KrebsOnSecurity, which connected NetNut to a botnet that researchers had been tracking under the name "Popa." The distinction matters, so be precise about it: the botnet is Popa, and NetNut is the proxy service that allegedly monetized Popa's infected devices. The government did not move on NetNut because it sold proxies. It moved on NetNut because of where a large part of its proxy pool allegedly came from.

Popa: two million hijacked living rooms

According to KrebsOnSecurity, the Popa botnet infected more than 2 million smart TVs and streaming boxes. It did not spread through some exotic zero-day. It spread through apps: ordinary-looking software that secretly bundled NetNut's SDK. (An SDK is a code package a developer drops into an app to add a feature. Here, the feature was turning your device into someone else's proxy.)

Once one of those apps was installed, the device quietly became a residential proxy exit node. Every scrape, ad-fraud impression, and account-takeover attempt a NetNut customer pushed through that node came out of a real family's smart TV, wearing that household's IP address. That is the entire appeal of residential proxies to the buyer, and the entire problem with sourcing them this way: the traffic looks human because it is literally coming out of a human's living room, except the human never agreed to any of it. "Account takeover" here means attackers using those clean-looking home IPs to log into other people's accounts, and "ad fraud" means faking real viewers to drain advertising budgets. Neither is a victimless side effect. Both are the product.

Google took independent action. It disabled apps that bundled the NetNut SDK, and it reported observing 316 distinct threat-actor clusters using NetNut exit nodes in a single week in June. Read that number again: 316 separate groups, one week, one provider's exit nodes. That is what "residential proxy" quietly meant on this network.

Follow the ownership: Alarum Technologies (Nasdaq: ALAR)

NetNut is not some anonymous offshore shell. According to Alarum's own filings, NetNut is operated by Alarum Technologies, an Israeli company listed on the Nasdaq under the ticker ALAR. Alarum was formerly named Safe-T Group, and it acquired NetNut in 2019.

The market reaction was fast. Alarum stock fell roughly 67% to $2.62 by July 8, 2026, erasing most of the company's value in days. A publicly traded, regulated company had a proxy business at its center, and that business is now alleged to have been running partly on a two-million-device botnet. If you ever assumed that "big, established, publicly listed provider" guarantees clean sourcing, this is your answer: it does not. Scale and a stock ticker tell you nothing about how the IPs got into the pool.

The one spec that decides everything: sourcing

Every honest conversation about residential proxies eventually lands on the same question, and almost every marketing page dodges it: how did these IPs get into the pool? There are really only two answers, and they could not be further apart.

Consented sourcingHijacked sourcing (the NetNut/Popa model)
How the device joinsOwner opts in: a paid app, a rewards program, or a clearly disclosed SDKA secret SDK slipped into an app, or outright malware
Does the owner know?Yes, it is disclosedNo
Can they leave?Yes, uninstall or opt outNot knowingly, they do not know they are in it
What you rentTraffic the owner agreed to shareA stranger's hijacked device
Reputation you inheritThe pool's own, kept clean on purposeThe same IPs used for ad fraud and account takeover
Legal exposureA normal commercial serviceRenting infrastructure built from a crime

The difference is not cosmetic. When you route a request through a residential proxy, you inherit that exit node's reputation. If 316 threat-actor clusters spent the week running ad fraud and account takeover through the same NetNut nodes you are renting, then to every fraud-detection system on the internet your traffic looks exactly like theirs. We wrote a whole breakdown of how websites detect proxies, and IP reputation sits near the top of that list. A botnet-sourced pool is pre-burned before you send a single request, which is the practical reason sourcing is not an ethics footnote: it is a performance spec too.

Why "free residential" is where this hides

Here is the uncomfortable part for anyone hunting a bargain. The NetNut model (get onto real devices through bundled SDKs, then rent them out) is exactly how most "free residential proxy" pools are built. Residential IPs cost real money to acquire honestly, so when someone hands them out for free, the device owners are usually the ones paying, without ever knowing it.

This is the distinction people miss. Most free proxies you find on a list are datacenter IPs, not residential at all. In our own study of 47 million proxy checks, the free pool is overwhelmingly datacenter, and those IPs die within minutes to hours with only a small fraction alive at any given moment. But the "free residential" category specifically is a different animal, and it is far more likely to be someone's home connection turned into an exit node without consent. We take that trap apart in free residential proxies: what is real and what is a trap, and the broader safety mechanics in are free proxies safe. NetNut is that same trap at industrial scale, with a Nasdaq ticker bolted on.

If you want the plain definition of what a residential IP even is and why it carries value, we cover it in what is a residential proxy. The short version: the value comes entirely from the IP belonging to a real ISP customer. The NetNut case is what happens when the industry chases that value and stops caring how it gets the customer's IP.

What this means if you were a NetNut customer

If you were routing traffic through NetNut, two things are true at once. First, the service is practically down: with the domains seized, the endpoints your tooling pointed at are gone, so anything depending on it broke on July 2. Second, and more important long term, every request you sent through those exit nodes shared IP space with 316 threat-actor clusters, per Google's own count. Any target you scraped or logged into from those IPs may have flagged the address already, so do not be surprised if accounts or scrapers tied to that traffic get extra scrutiny.

The move is not to scramble for the nearest "cheap residential" replacement, because that is how you land in the next Popa. The move is to switch to a pool you can actually ask questions about, and to verify what you are handed instead of trusting a label.

How to not accidentally rent a botnet

You cannot audit a provider's entire supply chain from the outside, but you can ask the questions that make a shady one squirm, and you can check the IPs you are given.

  • Ask how the pool is sourced. A provider that sources residential IPs through consented, disclosed opt-in should be able to say so plainly. Vagueness is itself an answer.
  • Be suspicious of "free residential." Honestly sourced residential bandwidth has a real cost. Free residential almost always means the device owner is the unwitting supplier.
  • Check the network behind an IP before you trust it. Our free proxy checker makes a real connection through a proxy and reports the exit location, the anonymity grade, and the network the IP actually belongs to, so a datacenter IP wearing a "residential" label gets caught on the spot.
  • Watch the reputation signal. If an IP is already flagged across fraud databases, you are renting straight into someone else's mess, and the target site sees it before you do.

None of this makes residential proxies bad. It makes unsourced residential proxies bad. The technology is neutral. The supply chain is where the crime lives, and NetNut is the proof.

The honest takeaway

The NetNut botnet takedown is not a story about proxies being evil. It is a story about one specific, avoidable failure: renting out real people's devices without their consent and dressing it up as a normal product. A Nasdaq-listed company did it at two-million-device scale, Google watched 316 threat-actor groups pour through the result in a single week, and the FBI and IRS-CI seized the domains. The lesson for anyone buying proxies is short: sourcing is not a footnote, it is the product.

If you just need to test the machinery or run a low-stakes, throwaway task, our free proxy list re-checks and refreshes every few minutes across 100+ countries and HTTP, HTTPS, SOCKS4, and SOCKS5, and it is honest about what it is (mostly short-lived datacenter IPs, verified live). When you need residential IPs that hold up, we sell them at $0.99/GB pay as you go with no KYC, and the whole point of this article is the thing we would rather compete on: being able to tell you where they come from.

Frequently asked questions

What is the NetNut botnet?

NetNut is a residential proxy service, and the "NetNut botnet" refers to the Popa botnet that KrebsOnSecurity tied to it. According to Krebs, Popa infected more than 2 million smart TVs and streaming boxes through apps that secretly bundled NetNut's SDK, turning each device into a residential proxy exit node without the owner's knowledge. On July 2, 2026, the FBI and IRS Criminal Investigation seized hundreds of NetNut domains, including netnut.io.

Is NetNut shut down?

Its main domains were seized. On July 2, 2026, the FBI and IRS-CI seized hundreds of NetNut domains including netnut.io, so the public-facing service went dark. NetNut is operated by Alarum Technologies (Nasdaq: ALAR), whose stock fell about 67% to $2.62 by July 8, 2026. Whether any part of the business returns is unresolved as of this writing.

Who owns NetNut?

NetNut is operated by Alarum Technologies, an Israeli public company listed on the Nasdaq as ALAR. According to Alarum's filings, the company was formerly named Safe-T Group and acquired NetNut in 2019. This was not an anonymous offshore operation: a regulated, publicly traded company had the proxy business at its center.

How were smart TVs turned into proxies?

Through bundled SDKs. Per KrebsOnSecurity, ordinary-looking apps secretly included NetNut's SDK, and once installed on a smart TV or streaming box that code turned the device into a residential proxy exit node. Google later disabled apps carrying the SDK and reported seeing 316 threat-actor clusters using NetNut exit nodes in a single June week. The device owners were never meaningfully asked.

How do I know my residential proxies aren't sourced from a botnet?

Ask the provider how the pool is sourced and treat vague answers as a red flag, because consented, disclosed opt-in is the standard to look for. Be especially wary of "free residential," which almost always means someone's device is the unwitting supplier. You can also verify any IP you are given with a proxy checker to see the real network behind it and whether it already carries a bad reputation.

HProxy Team
We run a residential proxy network and study how the industry sources its IPs

Keep reading

Proxies that don't die mid-job

Residential, ISP, datacenter and mobile, verified by the same engine that runs tens of millions of checks. They read as a real device and hold up under load. Pay as you go, and your balance never expires.

47M+ proxy checks run · 100+ countries · HTTP / HTTPS / SOCKS · re-checked every few minutes · no signup