Google and FBI dismantle NetNut proxy botnet that hijacked 2 million smart devices

Google’s Threat Intelligence Group, the FBI, and industry partners have dismantled NetNut, a massive residential proxy network that secretly hijacked over 2 million smart TVs, streaming boxes, and Android devices to launder cybercriminal traffic.

Also known as Popa, the botnet infected devices through trojanized applications and malware such as Badbox 2.0, infecting everything from off-brand Android TV boxes to digital picture frames and car infotainment systems. Once compromised, the devices were pressed into service as residential proxies, allowing subscribers to route malicious traffic through innocent homeowners’ IP addresses.

Scale of the operation. In a single week in June 2026, Google observed 316 distinct threat clusters using suspected NetNut exit nodes, including both cybercriminal and espionage groups. Customers used the network to mask their origin IPs during password-spray attacks, access victim environments, and disguise their use of compromised infrastructure.

NetNut is tied to the publicly-traded Israeli firm Alarum Technologies. Legal counsel Omer Weiss said the company was aware of the FBI seizure and is cooperating with investigators.

How the takedown worked. Google disabled accounts and services used by NetNut for malware command and control, disabled infected apps via Google Play Protect, pushed warnings to victims, and shared technical intelligence on NetNut’s software development kits with platform providers and law enforcement. The FBI seized multiple domain names tied to the network.

“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said.

The operation follows a string of similar disruptions. Google previously targeted the original Badbox campaign and has pursued legal action against residential proxy operators. KrebsOnSecurity and Synthient both published evidence linking Popa to NetNut and Alarum Technologies prior to the takedown.

Source: KrebsOnSecurity, SecurityWeek, Google Threat Intelligence Group

Scroll to Top