FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors
The FBI, Google, and other partners disrupted the residential proxy service NetNut, which was used by cybercriminals to hide malicious activity behind legitimate IP addresses. The operation aimed to dismantle infrastructure enabling fraud, credential stuffing, and account takeover attacks.
Background
- NetNut was a legitimate Israeli "residential proxy" service that let paying customers route internet traffic through IP addresses belonging to real home users worldwide. These services are marketed for ad verification, price scraping, and web research.
- The FBI, Google, and other partners seized NetNut's infrastructure in March 2025, alleging its proxies were being resold to criminal groups who used them to bypass banks' fraud-detection systems — making fraudulent logins and credit card tests look like they came from ordinary home connections.
- The case highlights a growing legal crackdown on proxy services whose commercial users turn a blind eye (or actively facilitate) criminal customers. It echoes the 2024 takedown of the RSOCKS botnet, where a similar proxy network was dismantled.
- This matters because residential proxies have become a backbone of modern cybercrime: they let attackers hide behind millions of innocent people's home IPs, defeating geographic blocks, rate limits, and anti-fraud flags that security teams rely on.
The FBI has seized hundreds of domains linked to NetNut, a residential proxy service owned by Israeli firm Alarum Technologies, following an investigation connecting NetNut to the Popa botnet—a network of at least two million compromised devices.
Researchers have linked the Android-based Popa botnet, which has compromised millions of TV boxes for advertising fraud and data scraping over four years, to NetNut, a residential proxy provider owned by the publicly-traded Israeli firm Alarum Technologies Ltd.