On 2 July 2026, the FBI, working alongside Google, Lumen, and Shadowserver, seized hundreds of domains associated with NetNut, a residential proxy service operated by the publicly-traded Israeli firm Alarum Technologies (NASDAQ: ALAR). The action followed reporting by KrebsOnSecurity and coordinated disclosures from three independent security firms connecting NetNut to the Popa botnet, a network of at least two million compromised consumer devices. This takedown is technically significant not just as a law enforcement action, but as a case study in the structural vulnerabilities of the residential proxy ecosystem and the increasingly blurred boundary between legitimate commercial proxy services and criminal infrastructure.
The Architecture of the Popa Botnet and NetNut's Proxy Stack
Understanding why this seizure matters requires unpacking how residential proxy networks actually function at a systems level. Unlike datacenter proxies, which route traffic through identifiable commercial IP ranges, residential proxies route traffic through IP addresses assigned to ordinary consumer devices. This makes them extraordinarily difficult to block via conventional IP reputation systems, since the exit nodes appear to belong to real households.
NetNut's approach, as documented by Black Lotus Labs at Lumen and corroborated by Synthient and other firms, was to distribute software development kits embedded within apps targeting consumer electronics, particularly Android-based streaming boxes and smart TVs. Once installed, these SDKs enrolled the device as an always-on proxy exit node without meaningful informed consent from the device owner. The Popa botnet is, in effect, the supply-side infrastructure for NetNut's commercial proxy service.
Several architectural properties of this design are worth examining critically:
- SDK-based enrollment: Rather than exploiting zero-day vulnerabilities, Popa relied on SDK distribution through legitimate-looking applications. This is a low-cost, scalable infection vector that is difficult to attribute and even harder to remediate at scale.
- Unofficial Android OS dependency: The compromised devices predominantly run unofficial Android forks that operate outside Google's Play Protect certification framework, meaning standard integrity attestation mechanisms provide no protection here.
- Lateral network exposure: As Google's Threat Intelligence Group (GTIG) noted, when a consumer device becomes a proxy exit node, traffic traverses the local network segment. This gives threat actors a foothold from which to probe other devices behind the NAT boundary, a significant escalation of the threat surface beyond mere traffic obfuscation.
- White-labelling and resale: NetNut's infrastructure was extensively resold under third-party proxy brands. Google assessed with high confidence that many popular residential proxy services were effectively white-labelling the Popa botnet's capacity, complicating attribution and enforcement considerably.
Threat Actor Utilisation and the Scale of Abuse
The GTIG's operational data is striking. During a single week in June 2026, they observed 316 distinct threat actor clusters using suspected NetNut exit nodes. The use cases spanned credential stuffing and password spray attacks, account takeover campaigns, advertising fraud, and large-scale content scraping. State-affiliated espionage groups were also identified among the users, which elevates this beyond a purely cybercrime story.
The residential proxy model is particularly well-suited to these abuse patterns because exit node churn is high and IP reputation signals are weak. A credential stuffing campaign that distributes authentication attempts across millions of residential IPs is essentially invisible to rate-limiting systems calibrated against datacenter traffic. This is a known problem in the anti-fraud research community, but the scale documented here, 316 distinct actor clusters in seven days, gives concrete empirical weight to what has previously been a somewhat theoretical concern.
The connection to large-scale DDoS infrastructure is also analytically important. Synthient's earlier work on the Kimwolf botnet demonstrated that adversaries were tunnelling through IPIDEA proxy connections into local networks of TV box owners to infect additional Android devices. This is a second-order infection chain: the proxy network becomes a pivot point for building an entirely separate botnet. The Popa takedown should, at least in the short term, reduce the available pool of devices for this kind of lateral expansion.
The Resilience Problem: Why Single Takedowns Are Insufficient
The GTIG's post-seizure assessment is candid about the limitations of this intervention. Following the earlier disruption of IPIDEA, NetNut actually grew in prominence precisely because cybercriminal customers migrated to it. Proxy operators facing infrastructure degradation have responded by purchasing capacity from competitors, effectively becoming resellers themselves. This creates a highly fluid, interconnected market where the disruption of one node redistributes demand across the remaining network rather than eliminating it.
This dynamic is well-understood in network economics and is analogous to the Hydra problem observed in darknet market takedowns. The academic literature on this, including work examining Silk Road's successors and subsequent darknet market disruptions, consistently shows that single-node takedowns produce temporary displacement rather than permanent suppression unless they are accompanied by sustained, coordinated action against multiple interconnected providers simultaneously. Google explicitly acknowledges this, stating that creating lasting disruption requires scaling efforts to target the infrastructure of several interconnected providers at once.
There is a deeper structural issue here as well. The commercial proxy industry occupies a genuinely ambiguous legal and ethical position. Legitimate use cases for residential proxies exist, including academic web crawling, ad verification, and geo-restricted content access. The same infrastructure that serves these purposes also serves the abuse cases documented above. Regulatory frameworks have not kept pace with this duality, and the legal liability of a publicly-traded company like Alarum Technologies for the downstream use of its proxy infrastructure remains an open and contested question.
Smart TV and Streaming Box Exposure: A Systemic Consumer Risk
Perhaps the most underappreciated finding in the surrounding research concerns the prevalence of proxy SDKs in mainstream smart TV applications. Data from Spur found that 42 percent of apps available via LG's webOS platform include SDKs that enrol the television as a residential proxy node. Over a quarter of Samsung Tizen apps contained similar components. These are not obscure sideloaded applications; they are apps distributed through the official storefronts of two of the world's largest consumer electronics manufacturers.
This represents a systemic failure of the app review and supply chain integrity processes at major platform operators. The SDK-level embedding of proxy functionality is difficult to detect through static analysis alone, particularly when the SDK is designed to be quiescent until activated by a remote command-and-control signal. Dynamic analysis at scale is computationally expensive and rarely applied comprehensively to smart TV app ecosystems, which have historically received far less security scrutiny than mobile platforms.
The consumer guidance here is straightforward in principle but difficult in practice. Sticking to name-brand devices with Google Play Protect certification reduces risk substantially, as does avoiding apps from unknown developers. The problem is that the average consumer has no mechanism to audit SDK composition, and the app stores themselves have demonstrably failed to enforce meaningful restrictions. This is a platform governance failure as much as a consumer behaviour problem.
What Comes Next for the Residential Proxy Ecosystem
The NetNut seizure is the most significant action against the residential proxy industry to date, but it is unlikely to be the last. Several trajectories seem plausible over the next twelve to eighteen months.
First, the white-labelling network that GTIG identified means that enforcement actions will need to extend to downstream resellers, many of whom may be operating in jurisdictions with limited cooperation frameworks. The legal coordination required for that kind of multi-jurisdictional action is substantially more complex than seizing domains registered to a single publicly-traded company.
Second, the technical community should expect proxy operators to evolve their SDK distribution strategies. The current reliance on streaming app ecosystems is well-documented now, and operators will likely seek new infection vectors, potentially targeting IoT devices with weaker update mechanisms or exploiting supply chain insertion points earlier in the device manufacturing process.
Third, there is a real research opportunity here for the security community. The Popa botnet's architecture, particularly its use of SDK-based enrollment and its relationship to the Kimwolf DDoS infrastructure, raises questions about how proxy networks and traditional botnets are converging. Mapping this convergence systematically, using passive DNS analysis, traffic fingerprinting, and SDK provenance tracking, would produce genuinely useful threat intelligence and help calibrate future enforcement priorities.
The FBI's action against NetNut is a meaningful intervention. It disrupts real criminal infrastructure and imposes real costs on Alarum Technologies. But it is best understood as one data point in what will need to be a sustained, technically sophisticated campaign against an ecosystem that has proven adept at reconstituting itself after disruption.