Why the FBI Takedown of NetNut Threatens the Cybercrime Pipeline
Law enforcement and tech giants dismantle a massive residential proxy network operating right inside consumer living rooms.
Imagine sitting down to stream a movie on your budget smart TV, unaware that your television is actively participating in a global cyberattack. While you watch, remote attackers are renting your home internet connection to bypass corporate firewalls, scrape web data, or launch automated password spray attacks. This silent enlistment of consumer hardware forms the unseen backbone of cybercrime, turning private residences into anonymous relays for digital malfeasance. However, a coordinated offensive by federal law enforcement and technology giants has dismantled one of the largest facilitators of this underground economy, shining a light on the severe security vulnerabilities lurking inside modern consumer entertainment systems.
The residential proxy market has long operated in a legal gray area, marketing itself as a tool for legitimate data gathering and geo-unblocking. Yet, the line between business utility and criminal enterprise often blurs when providers seek cheap, persistent network nodes. Rather than acquiring bandwidth transparently, some operations rely on malicious software bundled into third-party software development kits, converting streaming boxes and smart TVs into proxy nodes without user consent. This thriving parasitic ecosystem exploits a highly fragmented device market where off-brand television hardware routinely bypasses standard security protections.
On July 2, 2026, the FBI and the Internal Revenue Service Criminal Investigation division seized hundreds of domains connected to NetNut, a massive residential proxy platform operated by Alarum Technologies, an Israeli company traded on the NASDAQ under ALAR. This action followed reports on June 19 linking NetNut to the Popa botnet, a collection of compromised devices. The Google Threat Intelligence Group observed 316 distinct threat actor clusters using suspected NetNut exit nodes in a single week in June 2026. "These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks," Google’s GTIG wrote . "Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats." Following the takedown, Omer Weiss, legal counsel for Alarum Technologies, stated: "Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," Weiss said in a written statement. Benjamin Brundage, founder of tracking service Synthient, stated: "I think this takedown is going to have a big impact, because NetNut gained significant popularity after the IPIDEA takedown," he said. "Also NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it."
By the numbers, the Popa botnet commandeered at least two million devices to build its network. Previously, threat actors used such infrastructure to build Kimwolf, the largest DDoS botnet in the world. Research from Spur showed how pervasive these integrations are: 42 percent of apps on LG’s webOS and over a quarter of Samsung Tizen apps turned smart TVs into proxy nodes. The financial fallout was immediate: by July 8, 2:34 p.m. ET, the parent firm's site alarum.io also displayed a seizure notice, and its stock crashed to $2.62 a share, representing a 67 percent decline over one week.
Why it matters is the systemic vulnerability this reveals for the average household. When smart TVs are compromised, home firewalls are bypassed, exposing local devices. Additionally, the ecosystem is highly fluid, as the GTIG report warned: "Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet," the GTIG report concludes. "While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers." Despite these challenges, Brundage notes: "In terms of all these TV box devices getting compromised from the proxy network, it will have an impact on the DDoS botnets out there," he said. Ultimately, consumers must audit what they connect to their home routers.