The FBI Just Unplugged a 2-Million-Device Proxy Botnet. We Published 1,360 IOCs on This Exact Racket in April.
- Patrick Duggan
- 2 hours ago
- 3 min read
On July 2, 2026, Google's Threat Intelligence Group, the FBI, the IRS, and Lumen pulled the plug on NetNut — a residential proxy network, also tracked as Popa, built on at least two million hijacked home devices. Not servers. Smart TVs. Streaming boxes. The stuff in your living room, infected through malicious SDKs the operators baked into apps, so that a stranger somewhere could route their traffic through your internet connection and your address caught the blame. The FBI and IRS seized netnut.com, the sister brand proxyjet.io, and divinetworks.com. It follows the same team's January takedown of IPIDEA. Two down.
Here is the number that should stop you: in a single week in June, three hundred sixteen distinct threat clusters were using NetNut exit nodes — for password spraying, credential stuffing, ad fraud, and bulk data scraping. One proxy pool, three hundred sixteen crews renting it. That is the shape of the modern abuse economy: the botnet is a utility, and the criminals are just customers.
What we had, and what we didn't
We are not going to tell you we called NetNut by name. We didn't, and neither did the FBI when this class first surfaced. What we had was the class itself, with receipts.
On April 28 we published "The Residential Proxy Network the FBI Won't Name. We Have 1,360 IOCs." It was built off FBI advisory PSA260312 from March 12, which warned that criminal and nation-state operators were systematically abusing residential proxy infrastructure — and pointedly declined to name the networks. We didn't have the name either. What we did was put one thousand three hundred sixty concrete indicators against the abuse pattern, so that a defender pulling our feed could block the behavior without waiting for a press release with a brand on it. That is the whole difference between intelligence and news: news needs the name; a feed needs the addresses.
So when NetNut went down this week, the honest claim is not "we predicted it." It is "a defender leaning on our April work was already blocking traffic from this class of infrastructure months before the seizure, and did not need the FBI to name the network to do it."
The reseller trap is why blocking by brand fails
Here is the detail from the takedown that matters most for anyone trying to defend against this, and it is the one most coverage will skip. Google says with high confidence that many popular, seemingly separate proxy brands are really reselling the same NetNut pool. NetNut ran a reseller program. You could buy the exact same two-million-device network under a dozen different logos.
That is precisely why blocking by vendor name is a losing game, and it is the same thing we have been saying since we published that ten hosting providers account for sixty percent of malicious traffic. The brand on the invoice is marketing. The thing that hurts you is the exit node, and the exit node does not care what the reseller called itself. You block the behavior and the density — the addresses that keep showing up doing password spray against your login page — not the brand, because the brand is designed to be swapped the moment it gets a bad reputation. Take down NetNut and the resellers scatter to the next pool. The IOCs travel with the behavior; the names do not.
What to actually do
If you run anything with a login page — which is everyone — residential-proxy abuse is not an exotic threat, it is the delivery mechanism for the credential-stuffing and password-spray traffic already hitting you daily. The takedown of NetNut removes two million nodes from the field, which is real and good, and also temporary: the customers will re-home to the next network, because 316 crews do not retire because their landlord got raided. Block on behavior and density, not brand. Rate-limit and challenge authentication traffic from residential ASNs you have no business relationship with. And feed on indicators tied to the abuse pattern, not to whatever the pool is calling itself this quarter.
Held to about ninety-five percent confidence, as always: our April post did not name NetNut, and we are not retrofitting a claim that it did. What it did was put 1,360 indicators against the class the FBI would not name, in March, four months before the seizure. That is the receipt, stated exactly as large as it actually is.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments