The FBI and IRS Criminal Investigation replaced NetNut’s homepage with a seizure banner today, taking down hundreds of domains tied to a residential proxy network built on top of the Popa botnet, a collection of at least two million compromised smart TVs and streaming boxes. NetNut is owned by Alarum Technologies [NASDAQ: ALAR], a publicly traded Israeli company.
I read the Google Threat Intelligence Group’s writeup this week, and the number that stands out is 316: distinct threat clusters, including cybercriminal and espionage groups, that GTIG caught riding NetNut exit nodes in a single week of June. Google says the takedown reduced the operator’s usable device pool “by millions.” Alarum’s counsel, Omer Weiss, said the company is “cooperating with law enforcement” and takes the matter “seriously,” the kind of statement that reads a lot like the standard “we are assessing the root cause” language you see in a 483 response: technically true, but it doesn’t resolve anything.
This is the same playbook Google ran on IPIDEA, NetNut’s biggest rival, in January. Synthient founder Benjamin Brundage told KrebsOnSecurity that NetNut had actually gained share after that IPIDEA disruption, meaning today’s action just knocked out the network that absorbed the last one’s customers. GTIG’s own report admits the pattern: when one proxy botnet gets degraded, operators start reselling capacity from competitors instead of disappearing. Old yardstick was single-network takedowns. New yardstick has to be the whole reseller layer, or this repeats every six months.
Alarum’s SEC filings are worth a look for anyone tracking whether “cooperating with investigators” becomes a disclosed material event.
Rebecca Lauren