#Op NutCracker


This page provides a timeline of core events surrounding the operation NutCracker.

July 2026

[3 Jul 2026] Alarum Technologies provides an update regarding the recent law enforcement action, stating that as a result of yesterday’s development, the company is currently experiencing disruptions to a portion of its services. Neither Alarum nor NetNut has been formally contacted by the FBI or any other governmental or regulatory authority in connection with this matter.

[3 Jul 2026] Based on analysis of raw data, Qurium estimates that 60% of the infected devices have been disconnected as a result of yesterday’s coordinated disruption operation. The graph below shows the decline of proxy activity in the Popa botnet over the past 24 hours. The decline started around 15:50–16:00 UTC, with the steepest drop around 16:05–16:25 UTC.

[3 Jul 2026] Alarum Technologies issues a Press Release in response to the take-down operation stating “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”

[2 Jul 2026] The FBI announces the seizure of NetNut domains (netnut.com, divinetworks.com) and acknowledges the disruption of NetNut infrastructure implemented by Google, Lumen’s Black Lotus Labs, and Shadowserver Foundation.

[2 Jul 2026] Google announces that, in coordination with the FBI, Lumen, and “others”, they have taken action against the NetNut residential proxy network, also known as Popa. The action is in line with their objective to dismantle malicious residential proxy networks. Practical actions taken include (1) disabling Google accounts and services used by NetNut for malware command and control (C2), (2) sharing technical intelligence on NetNut software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and research firms, and (3) ensuring that Google Play Protect, Android’s built-in security protection, automatically warns users and disables applications known to incorporate NetNut SDKs.

[2 Jul 2026] Brian Krebs (KrebsOnSecurity) publishes the article “FBI Seizes NetNut Proxy Platform, Popa Botnet”, stating that the FBI, together with industry partners, has seized hundreds of domains associated with NetNut, “a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]”.

June 2026

[23 Jun 2026] Qurium releases the forensic report “The uncomfortable truth behind 10 million Popa proxy requests”.

[18 Jun 2026] KrebsOnSecurity releases the article “‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm”, announcing that researchers from multiple security firms have concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

[18 Jun 2026] Qurium released the forensic report “Finding “Popa”: When Your Smart TV Stops Being Yours”.

[8 Jun 2026] Qurium released the forensic report “How a Sneaker-Proxy Business Entered the Scraping Industry” linking NetNut to the opaque botnet operations surrounding limited-edition sneaker drops.

May 2026

[29 May 2026] Qurium released the forensic investigation “Opaque Scrapers Hiding in the Crowd”, linking the scraping event to Alarum Technologies’ residential proxy service NetNut.

[28 May 2026] Alarum Technologies reports 64% revenue growth to $11.7 million in the first quarter of 2026.

[14 May 2026] Arab Reporters for Investigative Journalism (ARIJ.net) is hit by a massive scraping event from 1.35 million unique IP addresses. Qurium, ARIJ’s hosting provider, launches an investigation to identify the actor behind the scraping event.

February 2025

[27 Feb 2025] Research post from Chinese XLAB, “Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally”, linking “Popa” to the notorious Vo1d botnet in smart TVs.