Skip to main content
TechnologyJul 8, 2026· 3 min read

Global Botnet Disrupted, Alleged Links to Nasdaq-Listed Israeli Company

Global Botnet Disrupted, Alleged Links to Nasdaq-Listed Israeli Company

A joint operation between Google, the FBI, and cybersecurity researchers has led to the disruption of activities of NetNut, a commercial residential proxy service also identified by experts as the Popa botnet. According to analyses, the network exploited over 2 million Android devices globally, transforming them into outgoing Internet traffic proxies used for illicit activities.

At the core of the system was a malicious SDK integrated into low-cost Android devices, including smart TVs and media boxes, as well as in some unofficial applications, such as SmartTube. Once connected to the Internet, these devices began to route traffic through their respective home connections without consent and without the users’ awareness.

The use of residential IP addresses made it significantly harder for security systems to detect malicious activities. According to Google, during just one week in June 2026, at least 316 different threat groups utilized the NetNut infrastructure to conduct password spraying, credential theft, ad fraud, and the collection of sensitive data.

One of the most unusual aspects of the network concerned its nature. Unlike traditional botnets controlled solely by cybercriminals, NetNut had connections to a commercial entity. Specialized journalist Brian Krebs reported that the network could be traced back to Alarum Technologies Ltd., an Israeli company listed on Nasdaq. Research conducted by Qurium and Synthient also identified links between the company's management and the developers of the Popa SDK.

In the past, Alarum described its platform as a service for consensual bandwidth sharing. However, independent technical checks revealed that users did not receive sufficiently clear information about the use of their devices within the proxy network, nor was truly informed consent obtained.

After the seizure of domains linked to NetNut, Alarum Technologies stated that it takes the matter very seriously and wishes to fully cooperate with the authorities. "Alarum takes the matter seriously and will fully cooperate with law enforcement to ensure that any misuse of its infrastructure is thoroughly investigated and that those responsible are held accountable," the company said in a press release.

Google did not directly comment on the alleged corporate relations, instead focusing on the operation of the network. The company's researchers explained that NetNut supported a reselling model, allowing other companies to market the same service under different brands. According to experts, numerous residential proxy services currently available would derive from this same infrastructure.

The operation led to the seizure of hundreds of domains, the deactivation of accounts used for command and control (C2), and the update of Google Play Protect, which now identifies applications affected by the compromised component. Apps containing the malicious SDK have also been disabled.

Google believes that the coordinated intervention has reduced the number of available devices for network operators by millions, substantially limiting both the operation of the infrastructure and its commercial activities.

The operation represents a continuation of initiatives already launched in January 2026 against the proxy network IPIDEA and confirms a strategy aimed at directly targeting the infrastructures used by proxy services rather than merely pursuing those who use them.

In the early stages of the intervention, there was also some confusion regarding the seizure of domains: while the site netnut.com displayed the FBI notice, netnut.io remained accessible for a brief period. Researchers clarified that the true target was the command-and-control infrastructure, whose disruption compromised the network's operation regardless of the availability of individual websites.