- The FBI is investigating whether NetNut, an Alarum Technologies subsidiary, helped build a residential proxy network out of home internet devices without their owners' knowledge.
- Federal officials seized domains connected to NetNut, while Google and several partners took down parts of the network's infrastructure.
- Alarum, NetNut's parent company, says it only learned of the domain seizures on July 2. It plans to work closely with law enforcement, and no charges have been filed against it so far.
Investigators from the FBI are probing the role of NetNut, a subsidiary of Israeli data mining firm Alarum Technologies, in building residential proxy services that route traffic through people's home devices without their knowledge.
Documents reviewed by Bloomberg News show that investigators are examining whether consumers' internet-connected devices were secretly turned into proxy servers that conceal the location of other internet users. According to the reports, the FBI has been looking into the matter for more than a year.
FBI seizes domains in coordinated operation
On July 2, the FBI took control of several NetNut-linked domains as part of a larger crackdown. The same day, Google said it had worked with the FBI, Lumen Technologies and other partners to target the network's infrastructure.
Google's Threat Intelligence Group took several steps to disrupt the network. It disabled accounts and services NetNut used for malware command and control, and shared technical intelligence on NetNut's software development kits with law enforcement, platform providers and research firms.
Google Play Protect now automatically warns Android users about applications known to embed NetNut software and disables them, and it will continue to block future installation attempts.
The company believes these coordinated actions have significantly degraded NetNut’s proxy network and business operations, reducing the available pool of devices by millions.
What is a residential proxy network?
Residential proxy services route internet traffic through real home internet connections rather than data centers. Many companies use them for legitimate purposes: testing how a website renders from another country, verifying that online ads are displayed, or scraping public web data. Individuals sometimes use them to bypass geo-blocks.
Abuse of such networks has been a growing concern; Google recently shut down a large proxy network that was abusing millions of Android phones. Criminals use residential proxies to hide their identities during attacks: because the traffic arrives from an ordinary home IP address, it is absent from the datacenter and VPN blocklists that reputation-based controls depend on, and blocking the address outright risks cutting off the legitimate subscriber behind it.
According to Google, threat groups increasingly rely on residential proxies precisely because traffic from home internet addresses tends to be treated as trustworthy.
Scale of the network and cybercrime activity
According to Google, the NetNut network comprises more than 2 million devices worldwide. In a single week in June, Google identified 316 distinct threat clusters using NetNut exit nodes, among them cybercriminal organizations and espionage actors.
These groups used the network to mask their true source addresses when accessing victim environments, running password spray attacks, and reaching their own infrastructure.
A device that has been turned into an exit node relays whatever traffic the proxy's customers send through it. Unless the proxy software restricts destinations to public internet addresses, that includes connections to other devices on the same home network, so the owner's router, printers and other LAN equipment become reachable from the internet.
Public reporting has tied the network's growth to software development kits bundled into devices commonly found in homes. Some researchers have also reported attackers using NetNut in campaigns that infect devices with variants of the Mirai DDoS botnet.
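As an added example (not code from NetNut, Google or the reporting above), this is the destination check an exit-node forwarder should apply before relaying a customer's connection, illustrating the LAN exposure described above. It refuses private, loopback, link-local, multicast, reserved and carrier-grade NAT ranges, and unwraps IPv4-mapped and 6to4 IPv6 literals that would otherwise smuggle a LAN address past a naive check. The CONNECT request lines, addresses and function names are constructed for illustration.

```python
import ipaddress

# Carrier-grade NAT space (RFC 6598) is not in ipaddress's "private" list,
# but it is never a legitimate public destination for a proxy customer.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")


def is_public_destination(addr_text: str) -> bool:
    """True only if addr_text is an IP literal routable on the public internet.
    Hostnames are rejected here: resolve them first and check the address you
    will actually dial, so DNS rebinding cannot slip a LAN address past the check."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    # IPv6 literals can embed an IPv4 address; judge the embedded one instead.
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:       # ::ffff:a.b.c.d
            addr = addr.ipv4_mapped
        elif addr.sixtofour is not None:       # 2002:AABB:CCDD::/48
            addr = addr.sixtofour
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    if isinstance(addr, ipaddress.IPv4Address) and addr in CGNAT_V4:
        return False
    return True


def parse_connect_target(request_line: str):
    """Split 'CONNECT host:port HTTP/1.1' into (host, port). IPv6 literals are
    bracketed, e.g. 'CONNECT [fe80::1]:80 HTTP/1.1'."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    if target.startswith("["):
        host, sep, port = target[1:].partition("]:")
        if not sep:
            raise ValueError("malformed bracketed IPv6 target")
    else:
        host, sep, port = target.rpartition(":")
        if not sep:
            raise ValueError("missing port")
    return host, int(port)


def decide(request_lines):
    """Return {host:port -> allowed} for each CONNECT line."""
    decisions = {}
    for line in request_lines:
        host, port = parse_connect_target(line)
        decisions[f"{host}:{port}"] = is_public_destination(host)
    return decisions


# Constructed requests a proxy customer might push through an exit node.
SAMPLE_REQUESTS = [
    "CONNECT 93.184.216.34:443 HTTP/1.1",         # public host: relay
    "CONNECT 192.168.1.1:80 HTTP/1.1",            # home router admin page: refuse
    "CONNECT [::ffff:192.168.1.1]:80 HTTP/1.1",   # same address, IPv4-mapped: refuse
    "CONNECT [2002:c0a8:101::1]:80 HTTP/1.1",     # same address, 6to4-embedded: refuse
    "CONNECT 127.0.0.1:8080 HTTP/1.1",            # the exit device itself: refuse
    "CONNECT 169.254.169.254:80 HTTP/1.1",        # link-local range: refuse
    "CONNECT 100.64.0.1:443 HTTP/1.1",            # carrier-grade NAT: refuse
    "CONNECT [2001:4860:4860::8888]:53 HTTP/1.1", # public IPv6: relay
]

if __name__ == "__main__":
    for target, allowed in decide(SAMPLE_REQUESTS).items():
        print(f"{'relay ' if allowed else 'refuse'} {target}")
```

The check must run on the address the forwarder actually connects to, after name resolution, and the same resolved address must be the one dialed; checking a hostname's first lookup and then connecting by name again leaves a rebinding window.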
Investigators examine links to Popa Botnet
The investigation also covers possible ties between NetNut and malware known as Popa. Google's Threat Intelligence Group said the Popa operation relied on millions of internet-connected devices worldwide, which allegedly served as exit points for residential proxy traffic, letting attackers route activity through unsuspecting users' internet connections.
How the devices were recruited remains under investigation, and public reports have not accused Alarum of intentionally infecting devices with malware. Google nonetheless believes the coordinated takedown has significantly weakened the network.
Alarum responds and pledges cooperation
Alarum Technologies has confirmed that the FBI seized some NetNut domains on July 2. In its statement, the firm said it takes the matter seriously, will cooperate fully with the authorities, and intends to investigate and pursue those responsible.
The FBI has not announced criminal charges against Alarum or NetNut, and the authorities have declined to comment on the ongoing investigation. Alarum's share price fell sharply in after-hours trading after the investigation was reported.
NetNut launched in 2017 and operates as a subsidiary of Israel-based Alarum Technologies. It offers rotating residential, ISP, mobile and datacenter proxies.
Why this matters
Residential proxy services occupy a gray area in cybersecurity. Many organizations use them for entirely legitimate purposes, while ransomware syndicates, fraud rings and even state-backed hackers favor them because they make malicious traffic look like ordinary internet usage. That makes it harder for organizations to rely on source IP addresses alone when identifying suspicious behavior.
The case therefore raises the question of how proxy providers obtain access to residential internet connections. Should investigators find that providers enrolled devices without the owners' consent, the finding could reshape how the sector is regulated.
For consumers, the case is another reminder to pay attention to the internet-connected devices in their homes. Smart TVs, streaming boxes, routers and similar equipment can be put to abusive use once their software is hijacked or ships with undisclosed bandwidth-sharing components. Google recommends being wary of applications that pay people for sharing their "unused bandwidth" or "your internet".
The investigation continues, and no criminal indictments have been filed. It is unclear how many consumers were affected, or whether any malware or third-party software developers are also under investigation.
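As an added example, not code from the page's sources: a detection rule that does what the "Why this matters" section calls for, and that addresses the password spraying noted under "Scale of the network and cybercrime activity". It keys on the accounts being attacked rather than on source addresses. The auth log lines, field names and thresholds are constructed for illustration; a conventional per-IP rule sits beside it to show why that rule fires nothing against a spray spread across residential exits.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real product's): one auth event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed auth log (not real data): a 25-account spray, one failure per
    account, each from a different source address, plus benign noise."""
    t0 = datetime(2025, 6, 10, 8, 0, 0)
    lines = [
        "2025-06-10T07:50:12Z auth=fail user=alice src=203.0.113.7",
        "2025-06-10T07:50:40Z auth=fail user=alice src=203.0.113.7",
        "2025-06-10T07:51:03Z auth=fail user=alice src=203.0.113.7",
        "2025-06-10T07:51:20Z auth=ok user=alice src=203.0.113.7",  # typo, then success
        "2025-06-10T08:02:00Z auth=ok user=bob src=192.0.2.9",
        "Jun 10 08:03:00 host sshd[12]: unrelated line",  # ignored by the parser
    ]
    for i in range(25):
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} auth=fail user=user{i:02d} src=198.51.100.{i + 1}")
    return lines


def parse(lines):
    """Return (timestamp, result, user, src) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def per_ip_alerts(events, threshold=5):
    """Conventional rule keyed on source address: flag any IP with at least
    `threshold` failures. A spray routed through many residential exits never
    reaches the bar, because each exit contributes one or two attempts."""
    fails = Counter(src for _, result, _, src in events if result == "fail")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def spray_alerts(events, bucket=timedelta(minutes=10), min_users=15, max_per_ip=2):
    """Rule keyed on accounts, not addresses: within each time bucket, flag when
    many distinct accounts fail while no single source address stands out.
    Fixed buckets keep the example short; a sliding window would also catch a
    spray that straddles a bucket boundary."""
    secs = int(bucket.total_seconds())
    epoch = datetime(1970, 1, 1)
    by_bucket = defaultdict(list)
    for ts, result, user, src in events:
        if result != "fail":
            continue
        offset = int((ts - epoch).total_seconds()) % secs
        by_bucket[ts - timedelta(seconds=offset)].append((user, src))
    alerts = []
    for start in sorted(by_bucket):
        entries = by_bucket[start]
        users = {u for u, _ in entries}
        per_ip = Counter(s for _, s in entries)
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                "window_start": start,
                "users": len(users),
                "ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("per-IP rule:", per_ip_alerts(events))
    for a in spray_alerts(events):
        print(f"spray at {a['window_start']:%H:%M}: {a['users']} accounts "
              f"from {a['ips']} addresses, max {a['max_per_ip']} per address")
```

The per-IP rule sees at most three failures from any one address (alice's typos) and stays silent; the account-keyed rule fires once on the 08:00 bucket. In production the same idea is usually extended with a second pivot that survives IP rotation, such as a client fingerprint or the user-agent string, and the thresholds are tuned against the organization's baseline failure rate.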