3 July 2026
Yesterday, the FBI seized key domains of NetNut’s residential proxy network where millions of malicious Popa bots operate, marking a major disruption of one of the largest known residential proxy botnets affecting Smart TVs and other Android connected devices. The take-down operation represents an important milestone in the international effort to identify those responsible and dismantle malicious residential proxy networks’ infrastructure.
The operation followed months of round-the-clock work by security researchers and journalists across the globe, including Spur, Nokia Deepfield Emergency Response Team, Synthient, and Qurium. During the last month, Qurium has released four investigations on NetNut’s practices, including the hijack of customer traffic of Divinetworks and their Popa botnet. In one of the investigations, Qurium identified NetNut as the operator of the Popa infrastructure by self-infecting a large number of Android devices and documenting how compromised consumer devices were enrolled into the residential proxy network.
The FBI acknowledged in their seizure notice that Google, Lumen’s Black Lotus Labs, and the Shadowserver Foundation, with assistance from their partners, had disrupted other domains and infrastructure used by the NetNut residential proxy platform in separate and independent operations. As the seizure unfolded, visitors to divinetworks.com and netnut.com could observe the sites being replaced with the FBI seizure notice.
Having previously gained deep visibility into the Popa network (see Popa.live), Qurium was able to observe the impact of this take-down operation in real time. As control domains were taken over one after another, Qurium could see a sharp decline in active NetNut proxy traffic, providing strong evidence that substantial portions of the Popa infrastructure had been successfully disrupted.
While yesterday’s operation represents a symbolic victory for the cybersecurity community and law enforcement, major parts of NetNut’s infrastructure are still in operation, mainly in European data centers.
We should not forget that NetNut is just one of many malicious residential proxy providers in operation. However, the FBI’s swift action should send a chilling message to other residential proxy providers.
On 2 July, Alarum issued a press release stating “we were made aware of the seizure of certain domains associated with NetNut by the FBI. Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”
Qurium discovered NetNut after “taking very seriously” being targeted by numerous opaque scraping attacks from an unknown infrastructure. To ensure that “any misuse of any infrastructure is thoroughly investigated and those responsible are held to account”, we traced the unknown infrastructure to the notorious Popa botnet.
We have tried to reach NetNut multiple times to discuss this matter. When we finally received an answer from Moshe Kramer (SVP NetNut), he wrote “I will review your questions more carefully and may provide additional comments once I have had an opportunity to revisit the historical information you reference.” He never got back to us. Seriously.
For a complete timeline of the NetNut investigation and take-down operation, please see #Op Nutcracker.

Qurium’s investigations
Media Coverage
Reuters, “Google disrupts NetNut proxy network used in malware operations”
The Hacker News, “Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices”
KrebsOnSecurity, “FBI Seizes NetNut Proxy Platform, Popa Botnet”
Bloomberg, “FBI Probes Whether Alarum unit is behind co-opted home devices”
Press Contacts
Digital forensics
Tord Lundström <t at virtualroad.org>
Technical Director
Media
Clara Zid <info at virtualroad.org>
Outreach and Media manager
About Qurium
Qurium Media Foundation is an international non-profit organization that provides secure hosting, digital forensics, incident response, and infrastructure protection for journalists, human rights defenders, and public-interest media organizations worldwide. Its investigations focus on censorship, surveillance, digital attacks, and the infrastructures that enable them.
