The FBI seized hundreds of domains operated by NetNut, a residential proxy service run by Israeli firm Alarum Technologies, following evidence that the platform facilitated botnet activity. The action targeted infrastructure used by the Popa botnet, which compromises at least two million devices through malware installed without proper user consent.

NetNut operated as a legitimate-facing proxy service that allowed customers to route traffic through residential IP addresses. Security firms documented how the platform channeled traffic from infected machines, effectively monetizing compromised endpoints. The Popa botnet operators leveraged this infrastructure to mask malicious activity and distribute additional malware across victim networks.

The FBI's intervention follows reporting by KrebsOnSecurity that connected NetNut directly to Popa's operations. Multiple security researchers corroborated findings showing how compromised devices were integrated into NetNut's proxy network without informed consent from device owners. This dual-purpose abuse turned victim machines into unwilling participants in proxy fraud schemes.

Alarum Technologies, which trades publicly on NASDAQ under ticker ALAR, faced scrutiny over its subsidiary's operations. The company's business model fundamentally relied on residential IPs, making it difficult for platforms to distinguish legitimate proxy traffic from botnet-generated requests. This architecture created natural cover for criminal activity.

The seizure removes a critical infrastructure component that Popa operators used to distribute malware and conduct phishing attacks at scale. Law enforcement also disrupted the monetization pathway that incentivized maintaining the botnet. Without proxy infrastructure, attackers face greater difficulty concealing their malicious traffic from network defenders.

Organizations should assume NetNut customers experienced exposure during the platform's operation. Companies that detected proxy traffic from residential IPs may have interacted with Popa-compromised devices. Reviewing logs for suspicious residential IP patterns helps identify when malicious proxy traffic accessed internal systems.
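One way to run that log review, as an added example that is not part of the original article: it flags accounts that appear from several distinct residential addresses within a short window, which is one reading of a "suspicious residential IP pattern". The log format, the `RESIDENTIAL_NETS` list (RFC 5737 documentation ranges standing in for an IP-intelligence feed), the thresholds and the function names are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: CIDRs tagged "residential" by an IP-intelligence feed.
# Constructed placeholders (RFC 5737 documentation ranges), not real ISP space.
RESIDENTIAL_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(\S+) src=(\S+) result=(\S+)$")

# Constructed sample log lines in a hypothetical auth-log format.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z user=alice src=198.51.100.7 result=ok
2024-05-01T10:01:10Z user=alice src=203.0.113.44 result=ok
2024-05-01T10:02:30Z user=alice src=198.51.100.201 result=ok
2024-05-01T10:03:00Z user=bob src=192.0.2.10 result=ok
2024-05-01T10:04:00Z user=bob src=192.0.2.10 result=ok
2024-05-01T10:05:00Z user=carol src=203.0.113.9 result=ok
2024-05-01T13:00:00Z user=carol src=198.51.100.3 result=ok
malformed line that the parser must skip
"""

def is_residential(ip):
    """True if ip parses and falls inside one of the residential CIDRs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RESIDENTIAL_NETS)

def rotating_accounts(log_text, min_ips=3, window=timedelta(minutes=10)):
    """Return {user: sorted IPs} for accounts seen from >= min_ips distinct
    residential addresses inside any single time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_residential(m.group(3)):
            continue  # skip unparseable lines and non-residential sources
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events[m.group(2)].append((ts, m.group(3)))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct residential IPs seen in the window opening at this event.
            ips = {ip for ts, ip in evs[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged
```

Calling `rotating_accounts(SAMPLE_LOG)` on the constructed sample flags only `alice`; tune `min_ips` and `window` to the normal behaviour of your own user base, since mobile and home users legitimately change addresses.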

Device owners with machines infected