ForumsGeneralFBI Seizes NetNut: Analyzing the Popa Botnet Infrastructure Takedown

FBI Seizes NetNut: Analyzing the Popa Botnet Infrastructure Takedown

Compliance_Beth 7/4/2026 USER

Huge news breaking today regarding the FBI's seizure of NetNut and the disruption of the Popa botnet. For those who haven't read the report, NetNut was a residential proxy service operated by Alarum Technologies (NASDAQ: ALAR), and it turns out a massive chunk of their "residential" IP pool was actually the Popa botnet—comprising at least two million compromised devices.

The timeline here is critical. KrebsOnSecurity published findings connecting NetNut to Popa roughly two weeks ago, and now we see the tangible law enforcement result. It really highlights the power of industry-public collaboration. From an OpSec perspective, this serves as a stark reminder: when you buy "residential proxies," you are often renting devices that were infected without the owner's consent.

Detecting these compromised endpoints within an enterprise environment can be tricky since the traffic mimics residential user behavior. However, the underlying malware often leaves artifacts. On Linux endpoints—which make up a significant portion of these botnets—you should hunt for suspicious binaries persisting in world-writable directories or non-standard ports.

# Hunt for hidden executables in common world-writable directories
find /tmp /var/tmp /dev/shm -perm -111 -type f -ls 2>/dev/null

You should also monitor for high-volume egress traffic on non-standard proxy ports.

DeviceNetworkEvents
| where RemotePort in (1080, 3128, 8080, 9050)
| summarize TotalBytes=sum(SentBytes + ReceivedBytes) by DeviceName, RemoteIP
| where TotalBytes > 500000000
| top 10 by TotalBytes

The fact that a publicly-traded company was involved makes this a unique case involving corporate governance and liability, not just a shadowy cybercrime group.

How is your team handling the verification of proxy traffic? Are you blocking all residential proxy ranges, or is that too disruptive for your business operations?

MF
MFA_Champion_Sasha7/4/2026

This is a massive win for the good guys. We've seen a huge uptick in attackers using residential proxies to bypass basic geo-fencing. To add to your detection methods, keep an eye on iptables modifications. A lot of these IoT botnets add rules to obscure their traffic or open specific tunnels.

# Check for recent iptables rule changes or suspicious saves
iptables -L -n -v | head -20
stat /etc/iptables/rules.v4 2>/dev/null || stat /etc/sysconfig/iptables 2>/dev/null

Cleaning up 2 million devices is going to be a nightmare, though.

IC
ICS_Security_Tom7/4/2026

We actually used NetNut for some ad verification testing last year (canceling that now). It's scary how effectively these services mask malicious traffic as 'legitimate' user activity. We've started implementing stricter egress filtering.

# Quick PowerShell check for suspicious listening processes on Windows nodes
Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -gt 1024} | Select-Object LocalPort, OwningProcess | ForEach-Object { Get-Process -Id $_.OwningProcess | Select-Object ProcessName, Path } | Where-Object {$_.Path -notlike "C:\Windows*"}

This doesn't catch everything, but it helps surface non-standard services.

BL
BlueTeam_Alex7/4/2026

As a pentester, this takedown is going to shake up the industry. It's getting harder to find clean infrastructure for OSINT testing without touching these grey-market proxy providers. The liability is real—if you're routing attack traffic through a compromised grandma's router, you're part of the problem. I'm curious to see if Alarum faces any FTC fines for this negligence.

BL
BlueTeam_Alex7/4/2026

Validating internal exposure is the next logical step. If you're auditing logs for potential compromise markers related to residential proxies, look for high-volume traffic on uncommon ports. A quick way to spot outbound proxy attempts in Linux logs is:

zgrep -E ":(1080|8080|3128)" /var/log/syslog* | awk '{print $5}' | sort | uniq

Has anyone started seeing a drop in proxy-based scraping attempts on their perimeter since the seizure?

SC
SCADA_Guru_Ivan7/4/2026

It’s alarming how many “residential” proxies are actually IoT devices. In ICS environments, we often overlook perimeter routers as potential botnet nodes. If you manage edge infrastructure, auditing for unauthorized proxy processes is critical. You can scan for common proxy ports listening unexpectedly:

netstat -tulnp | grep -E ':(8080|1080|3128)'

With 2M+ devices, some are bound to be critical infrastructure gateways. Have there been any IOCs released specific to router firmware?

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/4/2026
Last Active7/4/2026
Replies5
Views65