FBI Seizes NetNut Proxy Network Built on 2M Hijacked Smart TVs
Google and the FBI dismantled NetNut, a residential proxy network that compromised 2 million smart TVs and streaming boxes. 316 threat groups used it in a single week to mask attack origins.
The FBI seized hundreds of domains tied to NetNut on July 2, dismantling a residential proxy network that turned 2 million smart TVs and streaming boxes into exit nodes for cybercriminals and nation-state actors. Working alongside Google's Threat Intelligence Group, Lumen, and other partners, the coordinated takedown degraded the network's usable device pool by millions.
NetNut—also tracked by Google as Popa—routes traffic through home internet connections, making attacks appear to originate from residential IPs rather than datacenter infrastructure. For threat actors, that's invaluable: it defeats IP reputation systems, makes blocking harder, and obscures their true location.
The Scale of Abuse
During a single week in June 2026, Google identified 316 distinct threat clusters using suspected NetNut exit nodes. These included both cybercriminal groups and espionage operations conducting password spray attacks, accessing compromised environments, and managing their own infrastructure through residential IPs that blend in with normal home traffic.
If one of those 2 million devices is in your home, strangers have been routing traffic through your internet connection. When they attack a target, your IP address gets logged. When they access stolen data, it looks like it's coming from your living room.
How Devices Got Compromised
The infections spread through two primary vectors:
- Pre-installed on cheap hardware - Off-brand smart TVs and streaming boxes shipped with the proxy code already embedded
- Deceptive applications - Free apps that buried the proxy functionality without meaningful consent prompts
Google's research found that none of the more than 20 apps examined actually showed users a consent prompt. The "consented bandwidth-sharing" defense that NetNut's parent company later offered doesn't hold up when users never knew they were sharing anything.
Corporate Ties
NetNut traces back to Alarum Technologies, a publicly traded Israeli company (NASDAQ: ALAR). Following the takedown, Alarum rejected the "botnet" label, claiming their software enables legitimate bandwidth-sharing. But researchers found no actual consent mechanisms in deployed applications—users had no idea their devices were being used as proxy nodes.
The NASDAQ listing adds an unusual dimension. Most proxy botnets operate from the shadows. This one had investor relations pages and quarterly earnings calls.
The "Degradation, Not Kill" Reality
Google characterized the action as degradation rather than elimination. These proxy networks prove resilient because operators maintain relationships with rival providers and can pivot capacity quickly. When one network goes down, its operators often become resellers of competing services.
This is the second major residential proxy disruption Google has participated in recently. We covered the Bright Data investigation last week, which exposed similar proxy software on LG and Samsung devices. The residential proxy ecosystem is larger than any single network, and takedowns create temporary disruptions rather than permanent solutions.
Protecting Your Network
If you own a smart TV, streaming box, or other IoT device, you may be an unwitting participant in attack infrastructure. Signs include:
- Unexplained network slowdowns
- Higher data usage than your watching habits explain
- Unfamiliar outbound connections in router logs
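The following added example, which is not part of the original article, applies the signs listed above to router flow records: it flags devices that contact many distinct destinations while uploading nearly as much as they download, a pattern a streaming device has little reason to show. The CSV layout, the sample records, and both thresholds are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (hypothetical router export format:
# src_ip,dst_ip,dst_port,bytes_up,bytes_down). Documentation-range IPs only.
SAMPLE_FLOWS = (
    # Streaming box behaving normally: few destinations, almost all download.
    "192.168.1.20,203.0.113.10,443,12000,48000000\n"
    "192.168.1.20,203.0.113.11,443,9000,51000000\n"
    # Laptop browsing: many destinations, but still download-heavy.
    + "".join(f"192.168.1.40,192.0.2.{i},443,20000,3000000\n" for i in range(1, 7))
    # TV relaying traffic: many destinations, upload close to download.
    + "".join(f"192.168.1.30,198.51.100.{i},443,800000,900000\n" for i in range(1, 9))
)

def summarize(flow_csv):
    """Aggregate distinct destinations and byte totals per source device."""
    stats = defaultdict(lambda: {"dests": set(), "up": 0, "down": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:          # skip blank or malformed lines
            continue
        src, dst, _port, up, down = row
        stats[src]["dests"].add(dst)
        stats[src]["up"] += int(up)
        stats[src]["down"] += int(down)
    return stats

def flag_proxy_like(flow_csv, min_dests=5, min_up_ratio=0.5):
    """Return {device: (destination_count, up/down ratio)} for devices that
    meet BOTH assumed thresholds; either signal alone is too noisy."""
    flagged = {}
    for src, s in summarize(flow_csv).items():
        ratio = s["up"] / s["down"] if s["down"] else float("inf")
        if len(s["dests"]) >= min_dests and ratio >= min_up_ratio:
            flagged[src] = (len(s["dests"]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for ip, (dests, ratio) in flag_proxy_like(SAMPLE_FLOWS).items():
        print(f"{ip}: {dests} destinations, upload/download ratio {ratio}")
```

A flagged device is a candidate for closer inspection, not proof of compromise; tune the thresholds against a week of your own baseline traffic.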
Protective steps:
- Buy from established manufacturers - Off-brand devices with suspiciously low prices often come with unwanted software
- Use official app stores only - Sideloaded apps bypass vetting processes
- Enable Google Play Protect - Automatically scans for malicious behavior
- Verify app permissions - Any app requesting network or proxy permissions without clear justification is suspicious
- Avoid apps promising payment for "unused bandwidth" - That's the consent fig leaf proxy operators hide behind
The most effective protection remains network segmentation: isolate IoT devices on a separate VLAN where their traffic can't reach your primary systems even if compromised. Your smart TV doesn't need access to your work laptop, and keeping them separated limits the blast radius when—not if—an IoT device gets pwned.