FBI Dismantles NetNut Residential Proxy Operation Linked to Popa Botnet Infrastructure
US federal law enforcement seized NetNut, an Israeli residential proxy service operated by publicly traded Alarum Technologies, following security research linking it to the Popa botnet, which comprises at least two million compromised devices. The action represents significant progress in disrupting a major abuse infrastructure that enabled attackers to mask malicious traffic behind residential IP addresses.
Affected
The FBI seizure of NetNut domains follows a pattern of law enforcement targeting infrastructure that enables distributed abuse. NetNut positioned itself as a legitimate residential proxy service for web scraping and security testing, yet security researchers connected the platform to Popa botnet operations. This suggests either that NetNut's verification processes failed to prevent compromised devices from being recruited into the botnet, or that the company knowingly facilitated the arrangement.
Residential proxy services occupy a grey zone. They are genuinely used by security researchers and legitimate businesses for tasks like website performance testing and geo-locked content access. However, the same attributes that make them useful for those purposes, above all the use of residential IP addresses, make them exceptionally valuable for attackers seeking to evade detection and defeat abuse-detection systems. The Popa botnet's integration with NetNut infrastructure suggests attackers deliberately targeted a service that provided plausible deniability and scale.
The two million compromised devices represent a significant attack surface. Devices in residential proxy botnets are typically recruited through malware distribution chains, drive-by downloads, or supply-chain compromises. Each compromised machine becomes an exit node for malicious traffic, enabling credential stuffing attacks, distributed denial-of-service operations, reconnaissance, and fraud. The victims, unaware their devices are participating in attacks, provide implicit cover for the actual threat actors.
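The credential-stuffing use of such exit nodes, where each compromised device contributes only a handful of requests, is precisely what makes per-IP rate limiting ineffective. The following is an added example, not code from the original article or from any party it names. It parses constructed authentication log lines (the line format, the documentation-range addresses and the usernames are all assumed) and shows why a window-level view, many distinct source addresses each making few failed attempts against many distinct accounts, flags the pattern while a per-IP threshold sees nothing.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed log format for this example: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass
class WindowStats:
    """Aggregate view of all login attempts inside one time window."""
    attempts: int
    failures: int
    distinct_ips: int
    distinct_users: int
    max_per_ip: int

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarise(events: list[dict]) -> WindowStats:
    per_ip = Counter(e["ip"] for e in events)
    return WindowStats(
        attempts=len(events),
        failures=sum(1 for e in events if e["result"] == "FAIL"),
        distinct_ips=len(per_ip),
        distinct_users=len({e["user"] for e in events}),
        max_per_ip=max(per_ip.values(), default=0),
    )


def per_ip_rate_limit_hits(events: list[dict], limit: int) -> int:
    """Number of source addresses a conventional per-IP limiter would block."""
    per_ip = Counter(e["ip"] for e in events)
    return sum(1 for n in per_ip.values() if n > limit)


def classify(stats: WindowStats, min_failures: int = 10, min_failure_ratio: float = 0.8,
             max_attempts_per_ip: int = 3, min_user_spread: float = 0.8) -> str:
    """Label a window using its shape rather than any single address's volume."""
    if stats.failures < min_failures or stats.failure_ratio < min_failure_ratio:
        return "normal"
    # Many failures, every address used only a few times, almost every attempt
    # targets a different account: the signature of proxy-distributed stuffing.
    if stats.max_per_ip <= max_attempts_per_ip and stats.distinct_users / stats.attempts >= min_user_spread:
        return "distributed-credential-stuffing"
    if stats.distinct_ips == 1:
        return "single-source-brute-force"
    return "suspicious"


def build_sample_logs() -> tuple[str, str, str]:
    """Constructed sample windows (not captured traffic); addresses are RFC 5737 ranges."""
    stuffing = "\n".join(
        f"2024-05-01T10:00:{i:02d} ip=203.0.113.{i + 1} user=user{i:03d} result=FAIL" for i in range(40))
    brute = "\n".join(
        f"2024-05-01T11:00:{i:02d} ip=198.51.100.7 user=admin result=FAIL" for i in range(40))
    normal = "\n".join(
        f"2024-05-01T12:00:{i:02d} ip=192.0.2.{i % 5 + 1} user=user{i % 5:03d} "
        f"result={'FAIL' if i % 7 == 0 else 'OK'}" for i in range(40))
    return stuffing, brute, normal


if __name__ == "__main__":
    for name, text in zip(("stuffing", "brute", "normal"), build_sample_logs()):
        events = parse_log(text)
        print(name, classify(summarise(events)), "per-IP limiter blocks:", per_ip_rate_limit_hits(events, 5))
```

The thresholds are starting points to tune against real traffic; the design point is that the distributed window trips the window-level classifier while a per-IP limiter of five attempts blocks nothing, because no residential exit node ever exceeds one request.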
KrebsOnSecurity's prior reporting connecting NetNut to Popa appears to have triggered the enforcement action, demonstrating the continued value of public security research in prompting government intervention. Organisations using residential proxies should audit their providers' abuse controls and verify that traffic is not being misused. The seizure does not necessarily eliminate the underlying botnet, which will likely migrate to alternative infrastructure.
This case illustrates how companies positioned as service providers can become force multipliers for botnet operators when verification and monitoring systems are insufficient. The Alarum Technologies seizure is meaningful progress but represents a single point of disruption rather than a solution to the broader abuse-for-hire market in proxy services.