The FBI is investigating whether a subsidiary of the data-collection firm Alarum Technologies Ltd. had a role in linking customers’ home internet devices without their consent into a network that people can use to disguise their locations, according to documents seen by Bloomberg News and confirmed by people familiar with the situation.
The investigation involves what are known as residential proxy networks that are capable of routing internet traffic for users in a way that appears as if it’s coming from a different location. Businesses routinely use these networks to customize their websites for different regions. Sports fans might also take advantage of them to stream games only available for viewing in other places.
For more than a year, US Federal Bureau of Investigation agents have been examining potential links between NetNut, the Israel-based Alarum subsidiary that sells access to such networks, and software known as Popa that’s allegedly used to co-opt people’s devices, according to records and people familiar with the matter who asked not to be identified discussing an active investigation.
The Department of Justice said Thursday that the FBI seized multiple internet domains as part of a “coordinated law enforcement targeting infrastructure associated with NetNut’s residential proxy platforms, its administrators and its users.”
Omer Weiss, corporate legal counsel for Alarum, said in a statement that the company was made aware Thursday that the FBI had seized some of its domains.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Weiss said in the statement.
The FBI declined to comment on the investigation.
These networks run off specialized code installed on everyday devices such as laptops, smartphones,routersand TV streaming boxes. Sometimes device owners agree to install the software in exchange for a few dollars a month. In other instances, devices are enrolled into residential proxy networks without their owners’ knowledge, according to cybersecurity experts.
“I think of residential proxy like thousands of anonymous strangers sneaking into your home to get unlimited internet access,” said Craig Labovitz, head of technology for the network security platform Nokia Deepfield. “Most users may not even notice the uninvited proxy internet squatters until the police come to their door investigating cybercrime coming from the home.”
The FBI investigation, which hasn’t been previously reported, is part of a broader law enforcement effort to scrutinize the uses of residential proxy networks. Internet service providers and cybersecurity firms alike have warned that the networks have been used to ensnare millions of devices globally.
Residential proxy networks have legitimate business uses. They’re regularly used by companies to test products in different geographies and to scrape websites for data. But in the hands of a hacker, they’re like stolen passports. Cybercriminals can use them to put a local disguise on malicious traffic that could in reality be coming from anywhere in the world.
The FBI investigation involving NetNutis among a number of probes that a group of officials from different federal law enforcement agencies pored over during a meeting about proxy networks in Colorado late last year, according to the records and people. Federal investigations often run for years and many end without charges of wrongdoing.
Last year, Comcast Corp. said that behind the “veneer” of the legitimate uses of residential proxy networks “lies a murky, deeply entrenched supply chain that is connected with cybercrime and other nefarious activities.” The FBI in March said that they are “a standard tool criminals use to look like ordinary users online” while making illegal purchases, carrying out bank fraud and launching otherkr cyberattacks.
There are devices in hundreds of millions of homes around the world powering proxy networks, and the vast majority are doing so without their owners’ knowledge, said Labovitz, of Nokia Deepfield. While the use of these networks is difficult to determine, he said the large majority of traffic over them appears to be malicious.
Popa in particular can be used to commandeer a device for a proxy network without the owner’s consent, according to June analyses by security firms Synthient and Qurium.
Synthient said in its report that NetNut and Popa “share operational infrastructure and telemetry.” Qurium said it had “identified multiple technical and historical overlaps” between the technology behind NetNut and that of Popa that are “unlikely to be coincidental.”
Separately, according to a report by the security firm Spur, NetNut allegedly requires little verification of its customers and allegedly provides access to networks of institutions whose users never agreed to participate.Krebs on Security previously reported on the research from Synthient, Qurium and Spur. Alarum told Krebs on Security that the Synthient and Qurium’s reports contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts.”
“Netnut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services,” the company told the security publication, adding that it places “significant emphasis on appropriate notice and consent mechanisms, conducts customer due diligence, monitors for potential misuse, and takes steps intended to detect and mitigate suspicious or unauthorized activity.”
Popa software has been found on Android-based devices around the world, particularly on smart TV boxes. The number of devices in the Popa service is in constant flux and estimates of its size vary.
Months before researchers from the cybersecurity firms published their findings on NetNut, an agent based out of the FBI’s Houston office had been quietly looking into its operations, according to the documents and the people familiar with the investigation. The agent had been evaluating internet traffic records and questioning people to try to determine how, if at all, NetNut was involved with the Popa software, according to the people and records.
There are multiple versions of Popa software. It wasn’t clear if the FBI probe was focused on a specific variant.
In December, the agent’sefforts were showcased during the gathering of law enforcement officials and industry experts just outside Denver, according to the people and records.
Among those present at the meeting, held in a US Defense Criminal Investigative Service building, were military investigators, agents from several FBI field offices and officials from the bureau’s Washington-based cyber division, according to the people and records. They’d convened for a three-day “ResProxy Sprint” to evaluate several probes related to proxy networks and examine what could be done about them.
The Defense Criminal Investigative Service declined to comment.
The investigations are primarily focused on a market that has formed out of selling and reselling packaged access to millions of devices on proxy networks for as little as a few dollars per gigabyte of data. Analysts have estimated that this market generates anywhere from $100 million to $3 billion in sales annually and that it will continue to grow in part because AI software developers have a voracious appetite for data scraped from websites.
“We’ve gone from a market in the tens of millions of dollars to the billions,” Labovitz said. “This largely seems to be due to AI companies.”
NetNut, which was acquired by what is now Alarum in 2019, presents itself as a major player in this market, offering tens of millions of proxy addresses in a system that ensures “complete anonymity and high speed.”
In May, Alarum reported $11.7 million in first-quarter revenue, a 64% jump from the year earlier, saying “the growth was driven mainly by strong demand for the company’s proxy solutions, as well as increased sales of new products.”
Photo: The Alarum Technologies logo. Photographer: Thomas Fuller/SOPA Images/LightRocket/Getty Images
Was this article valuable?
Here are more articles you may enjoy.

Camp Mystic Seeks Bankruptcy to Settle Texas Flood Wrongful Death Claims
Why Are Property & Casualty Carriers So Profitable?
Bayer’s Supreme Court Win in Roundup Case No ‘Silver Bullet’
US Cyber Insurance Market Sees Flat Premium, More Third-Party Claims Hit Loss Ratio 

