PROBABLYPWNED
Threat Intelligence | July 3, 2026 | 4 min read

FBI Seizes NetNut Proxy Network Built on 2M Hijacked Smart TVs

Google and the FBI dismantled NetNut, a residential proxy network that compromised 2 million smart TVs and streaming boxes. 316 threat groups used it in a single week to mask attack origins.

Alex Kowalski

The FBI seized hundreds of domains tied to NetNut on July 2, dismantling a residential proxy network that turned 2 million smart TVs and streaming boxes into exit nodes for cybercriminals and nation-state actors. Carried out alongside Google's Threat Intelligence Group, Lumen, and other partners, the coordinated takedown degraded the network's usable device pool by millions.

NetNut—also tracked by Google as Popa—routes traffic through home internet connections, making attacks appear to originate from residential IPs rather than datacenter infrastructure. For threat actors, that's invaluable: it defeats IP reputation systems, makes blocking harder, and obscures their true location.

The Scale of Abuse

During a single week in June 2026, Google identified 316 distinct threat clusters using suspected NetNut exit nodes. These included both cybercriminal groups and espionage operations conducting password spray attacks, accessing compromised environments, and managing their own infrastructure through residential IPs that blend in with normal home traffic.

If one of those 2 million devices is in your home, strangers have been routing traffic through your internet connection. When they attack a target, your IP address gets logged. When they access stolen data, it looks like it's coming from your living room.

How Devices Got Compromised

The infections spread through two primary vectors:

  • Pre-installed on cheap hardware - Off-brand smart TVs and streaming boxes shipped with the proxy code already embedded
  • Deceptive applications - Free apps that buried the proxy functionality without meaningful consent prompts

Google's research found that none of the more than 20 apps examined actually showed users a consent prompt. The "consented bandwidth-sharing" defense that NetNut's parent company later offered doesn't hold up when users never knew they were sharing anything.

Corporate Ties

NetNut traces back to Alarum Technologies, a publicly traded Israeli company (NASDAQ: ALAR). Following the takedown, Alarum rejected the "botnet" label, claiming their software enables legitimate bandwidth-sharing. But researchers found no actual consent mechanisms in deployed applications—users had no idea their devices were being used as proxy nodes.

The NASDAQ listing adds an unusual dimension. Most proxy botnets operate from the shadows. This one had investor relations pages and quarterly earnings calls.

The "Degradation, Not Kill" Reality

Google characterized the action as degradation rather than elimination. These proxy networks prove resilient because operators maintain relationships with rival providers and can pivot capacity quickly. When one network goes down, its operators often become resellers of competing services.

This is the second major residential proxy disruption Google has participated in recently. We covered the Bright Data investigation last week, which exposed similar proxy software on LG and Samsung devices. The residential proxy ecosystem is larger than any single network, and takedowns create temporary disruptions rather than permanent solutions.

Protecting Your Network

If you own a smart TV, streaming box, or other IoT device, you may be an unwitting participant in attack infrastructure. Signs include:

  • Unexplained network slowdowns
  • Higher data usage than your watching habits explain
  • Unfamiliar outbound connections in router logs
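
One way to check router logs for the last two signs, as an added example that is not from the original article: the script flags IoT devices whose traffic fans out to many destinations or uploads nearly as much as it downloads, which a device that only streams video should not do. The log format, device inventory, addresses and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow log (not real data). Columns: timestamp, LAN source,
# destination, destination port, bytes sent and bytes received by the device.
SAMPLE_LOG = """\
ts,src,dst,dport,bytes_out,bytes_in
1,192.168.20.10,203.0.113.5,443,40000,9000000
2,192.168.20.10,203.0.113.6,443,20000,4000000
3,192.168.20.11,198.51.100.1,443,500000,520000
4,192.168.20.11,198.51.100.2,443,300000,310000
5,192.168.20.11,198.51.100.3,80,200000,190000
6,192.168.20.11,198.51.100.4,443,250000,260000
7,192.168.20.11,198.51.100.5,25,100000,90000
8,192.168.20.11,198.51.100.6,443,400000,410000
9,192.168.10.2,203.0.113.5,443,1000,2000
"""

# Assumed inventory of IoT devices and assumed thresholds; tune to your baseline.
IOT_DEVICES = {"192.168.20.10": "living-room-tv", "192.168.20.11": "streaming-box"}
MAX_DISTINCT_DESTS = 5   # a streaming device talks to few services
MAX_UPLOAD_RATIO = 0.5   # a relay sends back out most of what it receives

def summarize(log_text):
    """Total bytes and distinct destinations per inventoried IoT device."""
    stats = defaultdict(lambda: {"dests": set(), "out": 0, "in": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] not in IOT_DEVICES:
            continue  # ignore laptops, phones and anything not inventoried
        s = stats[row["src"]]
        s["dests"].add(row["dst"])
        s["out"] += int(row["bytes_out"])
        s["in"] += int(row["bytes_in"])
    return stats

def flag_devices(log_text):
    """Return {device name: [reasons]} for devices that exceed a threshold."""
    findings = {}
    for ip, s in summarize(log_text).items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        reasons = []
        if len(s["dests"]) > MAX_DISTINCT_DESTS:
            reasons.append(f"{len(s['dests'])} distinct destinations")
        if ratio > MAX_UPLOAD_RATIO:
            reasons.append(f"upload/download ratio {ratio:.2f}")
        if reasons:
            findings[IOT_DEVICES[ip]] = reasons
    return findings
```

A flagged device is a reason to inspect it, not proof of compromise: firmware updates and cloud backups can also push upload volume up.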

Protective steps:

  1. Buy from established manufacturers - Off-brand devices with suspiciously low prices often come with unwanted software
  2. Use official app stores only - Sideloaded apps bypass vetting processes
  3. Enable Google Play Protect - Automatically scans for malicious behavior
  4. Verify app permissions - Any app requesting network or proxy permissions without clear justification is suspicious
  5. Avoid apps promising payment for "unused bandwidth" - That's the consent fig leaf proxy operators hide behind

The most effective protection remains network segmentation: isolate IoT devices on a separate VLAN where their traffic can't reach your primary systems even if compromised. Your smart TV doesn't need access to your work laptop, and keeping them separated limits the blast radius when—not if—an IoT device gets pwned.
