
FBI Domain Seizures Disrupt NetNut Residential Proxy Tied to Popa Botnet
FBI seizures targeted NetNut's domain infrastructure supporting the Popa botnet and its white-labeled resale to threat actors. Evidence from Google and independent researchers shows direct integration with compromised consumer devices and espionage-adjacent activity. The action exposes concentrated supply chains in residential proxy services previously insulated by corporate structures.
Home network exposure creates secondary risks, because compromised nodes allow lateral access to other devices on the same LAN. The operation highlights recurring gaps in app store vetting and SDK provenance tracking that enable persistent proxy networks. The next indicators will be shifts in exit node counts tracked by passive DNS and sinkhole telemetry over the coming weeks.
Shadowserver: observed Popa exit nodes will fall below 400,000 unique IPs within 45 days of the June 2026 seizures.
Sources
- [1] KrebsOnSecurity (https://krebsonsecurity.com/2026/07/fbi-seizes-netnut-proxy-platform-popa-botnet/)
- [2] Google Threat Intelligence Group (https://blog.google/threat-analysis/2026-netnut-popa/)
- [3] Synthient Proxy Tracking Report (https://synthient.com/reports/netnut-popa-2026)