The FBI, in coordination with Google's Threat Intelligence Group and industry partners, has seized hundreds of domains connected to NetNut, a residential proxy service operated by the publicly traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action targets a network that security firms have tied to the Popa botnet, a collection of at least two million compromised devices used to relay malicious traffic with little or no victim consent.

NetNut's infrastructure turned home routers and IoT devices into unwitting proxies, routing traffic for customers seeking anonymity. Google's Threat Intelligence Group says it significantly degraded the network, reducing its pool of usable devices by millions. The Popa botnet, which KrebsOnSecurity linked to NetNut roughly two weeks ago, has been described as a sprawling system of infected endpoints generating revenue for Alarum through leased access.

Technical analysis reveals that the botnet spreads through malware that embeds itself deep in consumer routers and connected devices, often persisting across reboots. The compromised machines serve as exit nodes, masking the origin of traffic for clients ranging from marketers to malicious actors. KrebsOnSecurity and The Hacker News both report that victims are typically unaware their devices have been co-opted.

The FBI's seizure of domains, combined with Google's disruption efforts, effectively dismantles a key part of the Popa network. No patches or user-level mitigations have been announced, but law enforcement advises consumers to reset router credentials and check for unexplained activity. Alarum Technologies has not publicly commented on the seizure.

Attribution remains focused on the corporate operator rather than individual hackers. The case underscores how legitimate commercial proxy services can be repurposed for botnet operations, raising questions about regulatory oversight of residential proxy providers.