FBI Seizes NetNut: Analyzing the Popa Botnet Infrastructure Takedown
Huge news breaking today regarding the FBI's seizure of NetNut and the disruption of the Popa botnet. For those who haven't read the report, NetNut was a residential proxy service operated by Alarum Technologies (NASDAQ: ALAR), and it turns out a massive chunk of their "residential" IP pool was actually the Popa botnet—comprising at least two million compromised devices.
The timeline here is critical. KrebsOnSecurity published findings connecting NetNut to Popa roughly two weeks ago, and now we see the tangible law enforcement result. It really highlights the power of industry-public collaboration. From an OpSec perspective, this serves as a stark reminder: when you buy "residential proxies," you are often renting devices that were infected without the owner's consent.
Detecting these compromised endpoints within an enterprise environment can be tricky since the traffic mimics residential user behavior. However, the underlying malware often leaves artifacts. On Linux endpoints—which make up a significant portion of these botnets—you should hunt for suspicious binaries persisting in world-writable directories or non-standard ports.
# Hunt for hidden executables in common world-writable directories
find /tmp /var/tmp /dev/shm -perm -111 -type f -ls 2>/dev/null
You should also monitor for high-volume egress traffic on non-standard proxy ports.
DeviceNetworkEvents
| where RemotePort in (1080, 3128, 8080, 9050)
| summarize TotalBytes=sum(SentBytes + ReceivedBytes) by DeviceName, RemoteIP
| where TotalBytes > 500000000
| top 10 by TotalBytes
The fact that a publicly-traded company was involved makes this a unique case involving corporate governance and liability, not just a shadowy cybercrime group.
How is your team handling the verification of proxy traffic? Are you blocking all residential proxy ranges, or is that too disruptive for your business operations?
This is a massive win for the good guys. We've seen a huge uptick in attackers using residential proxies to bypass basic geo-fencing. To add to your detection methods, keep an eye on iptables modifications. A lot of these IoT botnets add rules to obscure their traffic or open specific tunnels.
# Check for recent iptables rule changes or suspicious saves
iptables -L -n -v | head -20
stat /etc/iptables/rules.v4 2>/dev/null || stat /etc/sysconfig/iptables 2>/dev/null
Cleaning up 2 million devices is going to be a nightmare, though.
We actually used NetNut for some ad verification testing last year (canceling that now). It's scary how effectively these services mask malicious traffic as 'legitimate' user activity. We've started implementing stricter egress filtering.
# Quick PowerShell check for suspicious listening processes on Windows nodes
Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -gt 1024} | Select-Object LocalPort, OwningProcess | ForEach-Object { Get-Process -Id $_.OwningProcess | Select-Object ProcessName, Path } | Where-Object {$_.Path -notlike "C:\Windows*"}
This doesn't catch everything, but it helps surface non-standard services.
As a pentester, this takedown is going to shake up the industry. It's getting harder to find clean infrastructure for OSINT testing without touching these grey-market proxy providers. The liability is real—if you're routing attack traffic through a compromised grandma's router, you're part of the problem. I'm curious to see if Alarum faces any FTC fines for this negligence.
Validating internal exposure is the next logical step. If you're auditing logs for potential compromise markers related to residential proxies, look for high-volume traffic on uncommon ports. A quick way to spot outbound proxy attempts in Linux logs is:
zgrep -E ":(1080|8080|3128)" /var/log/syslog* | awk '{print $5}' | sort | uniq
Has anyone started seeing a drop in proxy-based scraping attempts on their perimeter since the seizure?
It’s alarming how many “residential” proxies are actually IoT devices. In ICS environments, we often overlook perimeter routers as potential botnet nodes. If you manage edge infrastructure, auditing for unauthorized proxy processes is critical. You can scan for common proxy ports listening unexpectedly:
netstat -tulnp | grep -E ':(8080|1080|3128)'
With 2M+ devices, some are bound to be critical infrastructure gateways. Have there been any IOCs released specific to router firmware?
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access