The FBI and IRS Criminal Investigation seized domains linked to NetNut on July 2, replacing the company’s homepage with a federal seizure notice and disrupting one of the largest residential proxy services. The action was carried out with support from Google, Lumen’s Black Lotus Labs, and the Shadowserver Foundation.
What is NetNut?
NetNut is an Israeli commercial proxy provider owned by Nasdaq-listed Alarum Technologies. The company sells residential proxy services, allowing customers to route internet traffic through IP addresses assigned to ordinary homes and consumer devices. Businesses often use such services for web scraping, price monitoring, and ad verification, though the same infrastructure can also conceal malicious activity.
According to Google’s Threat Intelligence Group, NetNut’s network relied on at least two million devices worldwide, many of them Android smart TVs and streaming boxes. Those systems acted as exit nodes, making traffic generated by customers appear to originate from normal household internet connections rather than data centers or corporate infrastructure.
Google said the service had become a popular tool for malicious actors. During a single week in June, researchers observed 316 separate threat clusters using suspected NetNut exit nodes, including cybercrime groups and state-backed espionage operations. The activity included password spraying, unauthorized access attempts, and communication with attacker-controlled systems.
Residential proxies occupy a complicated space within the internet economy. While legitimate organizations use them for commercial purposes, attackers value them because they make suspicious traffic look like ordinary consumer activity. Requests sent through a residential IP address are less likely to trigger automated defenses than traffic originating from hosting providers already associated with abuse.
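The practical consequence for defenders is that IP reputation alone does not catch a password spray routed through residential exit nodes: each request arrives from a different, clean-looking home address, so a per-source-IP failure threshold never fires. The script below is an added example, not code from the article, Google, or NetNut, and it runs over constructed authentication log lines (the usernames, timestamps and documentation-range IPs are all made up). It contrasts the classic per-IP rule with a window-based rule that counts distinct accounts failing across distinct sources, which is the signal that survives proxy rotation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article).
# Format per line: ISO-8601 timestamp, username, source IP, result.
# The first ten lines mimic a spray relayed through rotating residential
# exits: ten accounts, ten distinct IPs, one failure each.
SAMPLE_LOG = """\
2025-06-10T09:00:01Z alice 203.0.113.10 FAIL
2025-06-10T09:00:04Z bob 198.51.100.7 FAIL
2025-06-10T09:00:09Z carol 192.0.2.33 FAIL
2025-06-10T09:00:15Z dave 203.0.113.58 FAIL
2025-06-10T09:00:22Z erin 198.51.100.91 FAIL
2025-06-10T09:00:30Z frank 192.0.2.140 FAIL
2025-06-10T09:00:41Z grace 203.0.113.77 FAIL
2025-06-10T09:00:55Z heidi 198.51.100.120 FAIL
2025-06-10T09:01:10Z ivan 192.0.2.201 FAIL
2025-06-10T09:01:22Z judy 203.0.113.222 FAIL
2025-06-10T09:01:40Z alice 203.0.113.10 OK
2025-06-10T10:30:00Z mallory 198.51.100.5 FAIL
2025-06-10T10:30:05Z mallory 198.51.100.5 FAIL
2025-06-10T10:31:00Z mallory 198.51.100.5 OK
"""

PER_IP_THRESHOLD = 5     # classic brute-force rule: failures from one source IP
SPRAY_ACCOUNTS = 8       # distinct accounts failing inside one bucket
BUCKET_MINUTES = 5       # fixed time bucket used for the spray rule


def parse_log(text):
    """Turn the log text into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def per_ip_alerts(events):
    """Classic rule: flag any source IP with many failures.

    Against a spray spread over residential exits every IP stays below the
    threshold, so this returns nothing for the sample data.
    """
    fails = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= PER_IP_THRESHOLD)


def spray_alerts(events):
    """Distributed-spray rule: many distinct accounts failing in one bucket.

    Keyed on the account set rather than the source, so rotating exit IPs
    do not hide the pattern. Each alert also reports how thinly the
    failures are spread across sources (failures_per_ip close to 1.0 is
    the fingerprint of a proxied spray).
    """
    buckets = defaultdict(list)
    for t, user, ip, result in events:
        if result == "FAIL":
            start = t.replace(minute=t.minute - t.minute % BUCKET_MINUTES,
                              second=0, microsecond=0)
            buckets[start].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        pairs = buckets[start]
        users = {u for u, _ in pairs}
        ips = {ip for _, ip in pairs}
        if len(users) >= SPRAY_ACCOUNTS:
            alerts.append({
                "window_start": start.isoformat(),
                "accounts": len(users),
                "source_ips": len(ips),
                "failures_per_ip": round(len(pairs) / len(ips), 2),
            })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP rule:", per_ip_alerts(evts))      # [] : every exit looks clean
    print("spray rule :", spray_alerts(evts))       # one alert, 10 accounts over 10 IPs
```

On the sample data the per-IP rule returns nothing, while the account-centric rule raises one alert for the 09:00 bucket with ten accounts across ten sources. In production the same idea is usually paired with a successful-login-after-failures check and with allow-listing of known corporate egress, so that a single shared office NAT with many users does not trip the rule.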
How NetNut Worked
In NetNut’s case, devices joined the network in more than one way. Google said some products reached consumers with proxy components already installed, while others became part of the system after users downloaded applications containing hidden software development kits. In many cases, device owners had little indication that their internet connection could be used to relay third-party traffic.
Google responded with a series of technical measures aimed at weakening the network. The company disabled accounts and services associated with NetNut’s command infrastructure, shared intelligence about the platform’s software and backend systems with industry partners, and updated Play Protect to warn Android users and disable applications carrying known NetNut components.
Domains Seized
The FBI and IRS seized several domains connected to NetNut, including netnut.com, proxyjet.io, and divinetworks.com. The last of those supplied static residential proxies through direct deals with internet service providers. NetNut’s .io domain remained online for a period afterward, and some researchers questioned why.
Alarum acknowledged the enforcement action in statements issued after the seizures. The company said it would cooperate with investigators and later disclosed that additional domains had been affected. It also warned investors that a prolonged disruption to NetNut services could materially affect business operations and financial performance.
NetNut and Its Links to Popa
Researchers have long linked infrastructure associated with NetNut to a botnet known as Popa. Investigations by internet watchdog Qurium connected Popa activity to pirated streaming applications, while Google reported finding NetNut-related components within the Kimwolf DDoS botnet and Badbox 2.0 infrastructure.
Although these operations remain distinct, the overlap shows how commercial proxy services and malware networks can intersect. Google disrupted a similar network, IPIDEA, in January.
Users should use proxies only for legitimate purposes, buy connected devices from reputable manufacturers, check that Android products carry Play Protect certification, avoid applications that offer money in exchange for unused bandwidth, and review the permissions granted to VPN or proxy software. Those steps reduce the chances that a television, streaming box, or other smart device becomes part of someone else’s residential proxy network.
