Skip to main content
Back to Blog
FBI Seizes NetNut Proxy Platform Linked to Popa Botnet of Two Million Devices
BOTNETJul 6, 20265 min read

FBI Seizes NetNut Proxy Platform Linked to Popa Botnet of Two Million Devices

On July 2, 2026, the FBI announced it had seized hundreds of domains belonging to NetNut, a residential proxy service operated by the publicly-traded Israeli company Alarum Technologies. According to Krebs on Security, the action followed an investigation connecting NetNut to the Popa botnet, a network of at least two million compromised devices.

What Happened

The FBI, working with industry partners, took down the infrastructure behind NetNut roughly two weeks after KrebsOnSecurity published findings from multiple security firms linking the service to the Popa botnet. Popa is described as a large-scale collection of devices infected with malicious software, with little or no consent from the owners of those devices.

NetNut marketed itself as a legitimate residential proxy network, meaning it routed customer traffic through real home and business IP addresses. The allegation is that many of those IP addresses belonged to ordinary users whose devices had been quietly enrolled in the botnet without their knowledge. Alarum Technologies, the parent company, is publicly listed on NASDAQ under the ticker ALAR.

Why This Matters to Small Teams

Residential proxy botnets do not just affect the device owners whose machines get conscripted. They also affect the websites and APIs those proxies are used to attack. When adversaries route traffic through millions of legitimate home IP addresses, rate limits, IP reputation blocklists, and geographic filters all become much less effective. A solo developer running a SaaS app or an e-commerce store can face credential stuffing, scraping, or account takeover attempts that look like organic traffic from real users.

Free Scan

Run the exact check on your domain

See your security score, grade, and a breakdown of what's exposed. Free. Takes under 2 minutes.

Scan my site free →

Small teams also face exposure on the supply side. Many developers use third-party SDKs, browser extensions, or free utility apps during development and testing. Some of these have historically been the delivery mechanism for botnet agents. If a development machine gets enrolled in a botnet, it can leak credentials, session tokens, API keys, or internal network details without any obvious sign of compromise.

The NetNut case is also a reminder that a legitimate-looking, publicly-traded company can still operate infrastructure that harms end users. Brand recognition and a stock listing are not substitutes for due diligence when evaluating third-party services that touch your users or your network.

How to Stay Protected

  1. Audit your rate limiting and bot detection. Make sure your login endpoints, signup flows, and APIs have rate limits in place. Consider a CAPTCHA or behavioral challenge on sensitive actions. Residential proxy traffic is hard to block by IP, so behavioral signals matter more.

  2. Check your third-party dependencies. Review browser extensions, free utilities, and SDKs installed on developer machines and servers. Remove anything you no longer actively use or cannot verify the source of.

  3. Monitor for anomalous traffic patterns. Unusually distributed traffic that comes from many different residential IPs but follows the same behavior pattern is a botnet signal. Set up logging and alerting on your authentication endpoints.

  4. Rotate credentials and API keys regularly. If a developer machine has been compromised, attackers may already hold credentials. Regular rotation limits the window of exposure.

  5. Use a reputable threat intelligence feed or IP reputation service. Even though residential proxies are hard to block entirely, many botnet exit nodes do appear on threat intelligence lists. Layering this into your WAF or application firewall adds friction for attackers.

  6. Follow security researchers and agencies. Actions like this FBI seizure are often preceded by weeks of published research, as was the case here. Reading sources like Krebs on Security gives you early warning before law enforcement moves.

How UNPWNED Helps

UNPWNED scans your web properties for exposed security controls and misconfigurations that make botnet-driven attacks easier to execute. Our checks cover missing or weak HTTP security headers, open or unauthenticated endpoints, and the absence of standard protective controls, all of which raise your attack surface when adversarial traffic is being routed through residential proxies. While we do not perform live botnet traffic analysis, identifying and closing these surface-level gaps is a meaningful first line of defense against automated threats.


This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.

Discussion (0)

Leave a comment

Comments are moderated. Be respectful. Spam and self-promotion will be removed.

Is your site exposed to issues like these?

SCAN YOUR SITE FREE