FBI Seizes NetNut Domains as Google Disrupts 2M Device Proxy Network
FBI and Google seize NetNut domains, disrupting a 2M-device proxy network used by cybercriminals.
Summary
The FBI, with support from Google and other partners, has seized domains belonging to NetNut, a major residential proxy service. This action disrupts a network of over two million devices, including smart TVs and streaming boxes, which were used by cybercriminals for activities like password spraying and espionage. NetNut's infrastructure allowed malicious traffic to appear as legitimate consumer activity, making it harder to detect.
Full text
FBI and Google disrupt NetNut after domains linked to its residential proxy network are seized, exposing abuse of 2 million TVs and streaming devices worldwide.
By Waqas, July 3, 2026
The FBI and IRS Criminal Investigation seized domains linked to NetNut on July 2, replacing the company’s homepage with a federal seizure notice and disrupting one of the largest residential proxy services. The action was carried out with support from Google, Lumen’s Black Lotus Labs, and the Shadowserver Foundation.
What is NetNut?
NetNut is an Israeli commercial proxy provider owned by Nasdaq-listed Alarum Technologies. The company sells residential proxy services, allowing customers to route internet traffic through IP addresses assigned to ordinary homes and consumer devices. Businesses often use such services for web scraping, price monitoring, and ad verification, though the same infrastructure can also conceal malicious activity.
According to Google’s Threat Intelligence Group, NetNut’s network relied on at least two million devices worldwide, many of them Android smart TVs and streaming boxes. Those systems acted as exit nodes, making traffic generated by customers appear to originate from normal household internet connections rather than data centers or corporate infrastructure.
Google said the service had become a popular tool for malicious actors. During a single week in June, researchers observed 316 separate threat clusters using suspected NetNut exit nodes, including cybercrime groups and state-backed espionage operations. The activity included password spraying, unauthorized access attempts, and communication with attacker-controlled systems.
Residential proxies occupy a complicated space within the internet economy. While legitimate organizations use them for commercial purposes, attackers value them because they make suspicious traffic look like ordinary consumer activity. Requests sent through a residential IP address are less likely to trigger automated defenses than traffic originating from hosting providers already associated with abuse.
How NetNut Worked
In NetNut’s case, devices joined the network in more than one way. Google said some products reached consumers with proxy components already installed, while others became part of the system after users downloaded applications containing hidden software development kits. In many cases, device owners had little indication that their internet connection could be used to relay third-party traffic.
Google responded with a series of technical measures aimed at weakening the network. The company disabled accounts and services associated with NetNut’s command infrastructure, shared intelligence about the platform’s software and backend systems with industry partners, and updated Play Protect to warn Android users and disable applications carrying known NetNut components.
Domains Seized
The FBI and IRS seized several domains connected to NetNut, including netnut.com, proxyjet.io, and divinetworks.com. The last of those supplied static residential proxies through direct deals with internet service providers. NetNut’s .io domain remained online for a period afterward, and some researchers questioned why.
Alarum acknowledged the enforcement action in statements issued after the seizures. The company said it would cooperate with investigators and later disclosed that additional domains had been affected. It also warned investors that a prolonged disruption to NetNut services could materially affect business operations and financial performance.
NetNut and Its Links to Popa
Researchers have long linked infrastructure associated with NetNut to a botnet known as Popa. Investigations by internet watchdog Qurium connected Popa activity to pirated streaming applications, while Google reported finding NetNut-related components within the Kimwolf DDoS botnet and Badbox 2.0 infrastructure. Although these operations remain distinct, the overlap shows how commercial proxy services and malware networks can intersect. Google disrupted a similar network, IPIDEA, in January.
Users should use proxies only for legitimate purposes, buy connected devices from reputable manufacturers, check that Android products carry Play Protect certification, avoid applications that offer money in exchange for unused bandwidth, and review the permissions granted to VPN or proxy software. Those steps reduce the chances that a television, streaming box, or other smart device becomes part of someone else’s residential proxy network.
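The article notes that password spraying routed through residential exit nodes is less likely to trip automated defenses, because each request arrives from a different household address and no single IP accumulates enough failures to matter. The following is an added example, not code from the article, from Google, or from any of the named partners, showing detection logic that does not depend on per-IP counts or IP reputation: it buckets authentication failures by time window and flags the window when many distinct accounts fail from many distinct sources while every source stays under the per-IP threshold, then lists later successes from those same sources for review. The `ts user src_ip result` log format, the sample lines, and the thresholds are all constructed assumptions for this illustration, not any product's schema.

```python
"""Tenant-wide password-spray detection that ignores per-IP reputation.

Added example (not from the article, Google, or NetNut). The log layout
'ts user src_ip result' and every sample line below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: nine accounts, one failed attempt each, every attempt
# from a different source address within one minute. A per-IP counter sees
# at most one failure per address, so an IP-centric lockout rule never fires.
# A later success from one of those addresses (heidi) is the review candidate.
# The 11:30 entry is an unrelated single failure that must not be flagged.
SAMPLE_LOG = """\
2026-06-15T09:00:01Z alice 203.0.113.10 FAIL
2026-06-15T09:00:04Z bob 198.51.100.22 FAIL
2026-06-15T09:00:09Z carol 192.0.2.77 FAIL
2026-06-15T09:00:12Z dave 203.0.113.41 FAIL
2026-06-15T09:00:20Z erin 198.51.100.9 FAIL
2026-06-15T09:00:25Z frank 192.0.2.130 FAIL
2026-06-15T09:00:31Z grace 203.0.113.88 FAIL
2026-06-15T09:00:47Z ivan 192.0.2.5 FAIL
2026-06-15T09:00:55Z judy 203.0.113.199 FAIL
2026-06-15T09:01:02Z heidi 203.0.113.10 SUCCESS
2026-06-15T11:30:00Z mallory 10.0.0.5 FAIL
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse 'ts user src_ip result' lines into sorted (ts, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), user, ip, result))
    return sorted(events)


def per_ip_failures(events):
    """The classic per-source counter: what an IP lockout or reputation rule sees."""
    counts = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 min_ips=5, max_fails_per_ip=2):
    """Flag a fixed time bucket when many distinct accounts fail from many
    distinct sources while each source stays under the per-IP threshold.
    Low-and-slow spraying through rotating residential exits has this shape."""
    buckets = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            buckets[(ev[0] - EPOCH) // window].append(ev)
    findings = []
    for idx in sorted(buckets):
        chunk = buckets[idx]
        users = {u for _, u, _, _ in chunk}
        ip_counts = defaultdict(int)
        for _, _, ip, _ in chunk:
            ip_counts[ip] += 1
        if (len(users) >= min_users and len(ip_counts) >= min_ips
                and max(ip_counts.values()) <= max_fails_per_ip):
            findings.append({
                "start": EPOCH + idx * window,
                "users": len(users),
                "ips": set(ip_counts),
                "failures": len(chunk),
            })
    return findings


def successes_from_spray_sources(events, findings):
    """Once a spray window is flagged, a later success from one of its source
    addresses is the account to review first."""
    hits = []
    for f in findings:
        for ts, user, ip, result in events:
            if result == "SUCCESS" and ip in f["ips"] and ts >= f["start"]:
                hits.append((user, ip))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("max failures from any single IP:", max(per_ip_failures(evs).values()))
    found = detect_spray(evs)
    for f in found:
        print(f"spray window starting {f['start'].isoformat()}: "
              f"{f['users']} accounts, {len(f['ips'])} source IPs, {f['failures']} failures")
    print("successes from spray sources:", successes_from_spray_sources(evs, found))
```

Running the block shows the gap the article describes: the per-IP counter never exceeds one failure, yet the tenant-wide view finds nine accounts failing from nine addresses inside one window, and the success for `heidi` from an address that had just failed on `alice` is surfaced for review. The thresholds are deliberately low for the constructed sample; in production they would be tuned against the tenant's normal failure rate, and the source-diversity test could be extended with ASN or geolocation spread.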
Indicators of Compromise
- domain — netnut.com
- domain — proxyjet.io
- domain — divinetworks.com