Google and FBI cut off NetNut, a two-million-device botnet hidden inside smart TVs

The residential proxy service let hundreds of criminal and spy groups route attacks through ordinary homes.

ThreatVectr Newsdesk· 4 min read
Full-frame edge-to-edge photoreal news-editorial image of a dimly lit living room with a wall-mounted smart TV glowing pale blue, a small black streaming box on
Share

Key points

  • Google, the FBI and Lumen Technologies disrupted NetNut, a residential proxy network built on an estimated two million infected devices worldwide.
  • The FBI seized netnut.com and other domains tied to the operation, which Google's Threat Intelligence Group calls one of the largest proxy networks in the world.
  • In a single week last month, Google counted 316 separate hacking groups routing traffic through NetNut, including criminal gangs and state-linked spies.
  • Many of the infected devices are Android smart TVs and cheap streaming boxes, often loaded with a malware family known as Badbox 2.0.
  • Google Play Protect, the built-in security tool on Android phones, is now warning users and disabling the tainted apps.

A joint operation led by Google and the FBI has knocked out NetNut, a sprawling criminal service that let hackers hide their tracks by bouncing attacks through millions of ordinary people's home internet connections.

NetNut, also known as Popa, is what security researchers call a residential proxy network. In plain terms: crooks quietly install software on a home device, then rent out its internet connection to other criminals who want their attacks to look like they came from a normal household.

Google's Threat Intelligence Group estimates NetNut controlled at least two million infected devices globally. Many were smart TVs and cheap streaming boxes running Android.

These devices were roped in through what the industry calls trojanised apps — normal-looking software secretly carrying malware, sometimes pre-installed on the device before it was even sold. One of the main malware families involved is known as Badbox 2.0, which quietly bundles a proxy plugin so the device can be used as a relay.

Why should ordinary people care about this?

Because if your smart TV or a no-name streaming stick is part of a botnet, criminals are using your home internet address to attack other people — and your connection can end up flagged or blocked by online services.

Customers can also see their devices slow down, burn extra data, or get locked out of streaming services that treat the address as suspicious. If you bought a cheap Android TV box from an unfamiliar brand, it is worth checking whether the manufacturer is reputable and keeping the device updated. On Android phones and tablets, leave Google Play Protect switched on so it can flag dangerous apps.

How the takedown worked

The operation pulled together Google, the FBI, Lumen Technologies, The Shadowserver Foundation and other industry partners, according to reporting first published by BleepingComputer.

The FBI seized netnut.com along with other domains the operators used to run the service. Mandiant communications manager Mark Karayan confirmed the .com domain was one of several taken down.

Google, for its part, shut down accounts and services on its own systems that NetNut used to control the malware — the so-called command-and-control channel, meaning the servers the criminals used to send orders to infected devices. It also handed technical details of NetNut's software components and backend to law enforcement and other researchers.

On Android, Google Play Protect is now automatically warning users and disabling the infected applications.

Who was actually using NetNut?

A lot of people, and not just petty criminals.

In one week last month, Google says it counted 316 distinct hacking clusters using suspected NetNut exit nodes. That mix included cybercrime crews and espionage groups linked to nation-states.

According to Google, they used the network for three main jobs: reaching their own criminal infrastructure without being traced, running password-spraying attacks (where hackers try common passwords against many accounts at once), and quietly connecting into victim networks.

Will this actually dent the proxy industry?

Google thinks so, because NetNut sat near the top of the food chain. It ran a reseller programme that let other companies rebrand its network and sell it on, meaning many familiar proxy services were quietly powered by NetNut underneath.

But Karayan warned the industry is tangled. Operators routinely buy and resell each other's capacity, so when one network goes down, competitors often step in. The action against NetNut follows Google's earlier disruption of another proxy service, IPIDEA, this year.

© 2026 Threat Vectr