The FBI, the IRS Criminal Investigation division, and Google have dismantled NetNut, a residential proxy network built on top of the Popa botnet: a collection of at least two million hijacked smart TVs, streaming boxes, and routers that quietly relayed other people's internet traffic for years without their owners' knowledge. The takedown, announced on July 2, 2026, followed weeks of research tying NetNut to malware distributed through pre-loaded firmware and bundled software development kits on budget consumer devices.
What Was the NetNut Residential Proxy Botnet?
NetNut was operated by Alarum Technologies, a publicly traded Israeli company (NASDAQ: ALAR), and marketed as a commercial "residential proxy" service, letting paying customers route web traffic through millions of real home IP addresses instead of easily blocked data-center servers. Security researchers at Google, Lumen, Shadowserver, Synthient, and Spur found that a large share of that IP pool came from the Popa botnet: devices infected without consent and silently turned into exit nodes for anyone willing to pay for access.
How Two Million Devices Got Hijacked
Investigators traced two separate infection paths. Some budget smart TV boxes shipped from the factory with proxy code already built into the firmware. Others picked up the same capability through free mobile and TV apps that bundled a hidden software development kit; Google's analysis found that SDK in roughly 42 percent of scanned LG webOS apps and more than a quarter of Samsung Tizen apps at various points. Once installed, the code turned an ordinary television or router into a silent relay for someone else's traffic, with the device owner seeing nothing unusual on the screen.
A Favorite Tool for Hackers and Spies
Google says it tracked 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June 2026, spanning both cybercriminal groups and state-linked espionage operations. Password spraying was the most common use case: attackers spread login attempts across thousands of different residential IP addresses so that no single one ever triggers rate-limiting or abuse alerts on the targeted service. NetNut's infrastructure was also resold and white-labeled by several smaller proxy providers, meaning the same hijacked devices ended up powering services that never carried the NetNut name at all.
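For defenders, the spraying pattern described above means per-IP counters stay quiet while the attack is visible in aggregate. The following is an added example, not code from the article or from any organisation it names: it runs a per-IP threshold and a window-level check over constructed login events, and the thresholds, the event tuple layout, and the documentation-range IP addresses are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for illustration; none come from the article.
PER_IP_LIMIT = 5                 # classic per-source failure threshold
WINDOW = timedelta(minutes=10)   # aggregation window
MIN_FAILURES = 20                # failures in one window worth a look
MIN_ACCOUNTS = 15                # distinct accounts hit in that window
MAX_FAILS_PER_IP = 1.5           # spraying leaves ~1 failure per source IP
EPOCH = datetime(1970, 1, 1)

def build_sample_events():
    """Constructed auth events: (time, source IP, account, success)."""
    t0 = datetime(2026, 6, 15, 3, 0, 0)
    events = []
    # 40 failed logins, one per account, each from a different (documentation-range) IP.
    for i in range(40):
        events.append((t0 + timedelta(seconds=12 * i),
                       f"198.51.100.{i + 1}", f"user{i:02d}", False))
    # An ordinary user mistyping a password three times, then succeeding.
    for i in range(3):
        events.append((t0 + timedelta(seconds=30 * i), "203.0.113.7", "alice", False))
    events.append((t0 + timedelta(seconds=120), "203.0.113.7", "alice", True))
    return sorted(events)

def per_ip_alerts(events):
    """Baseline control: flag any single IP at or over PER_IP_LIMIT failures."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= PER_IP_LIMIT)

def spray_windows(events):
    """Flag windows with many failures spread thinly over many IPs and accounts."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            buckets[(ts - EPOCH) // WINDOW].append((ip, user))
    alerts = []
    for key, rows in sorted(buckets.items()):
        ips = {ip for ip, _ in rows}
        users = {user for _, user in rows}
        if (len(rows) >= MIN_FAILURES and len(users) >= MIN_ACCOUNTS
                and len(rows) / len(ips) <= MAX_FAILS_PER_IP):
            alerts.append({"window_start": EPOCH + key * WINDOW, "failures": len(rows),
                           "ips": len(ips), "accounts": len(users)})
    return alerts

if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP:", per_ip_alerts(sample), "| spray:", spray_windows(sample))
```

Fixed windows can split one burst across a boundary, so a production rule would normally use a sliding window and tune the thresholds against the service's own baseline of failed logins.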
The Takedown
The FBI and IRS Criminal Investigation seized hundreds of domains tied to NetNut and replaced the company's homepage with a seizure banner. Google disabled the Google accounts NetNut used for malware command-and-control, updated Google Play Protect to automatically flag apps carrying the hidden SDK, and shared technical indicators with the wider security community to speed up cleanup on already-infected devices. The scale of the response, coordinated across a federal agency, a major platform, and independent security firms, reflects how central residential proxy abuse has become to modern cybercrime and espionage alike.
Not the Same as a VPN
It is worth being precise about what NetNut actually was: not a VPN, but a residential proxy network built by monetizing bandwidth from devices whose owners never agreed to the arrangement. A legitimate VPN service publishes who owns it, discloses its logging policy and jurisdiction, and routes only the traffic of the person who chose to install it, through servers the provider actually operates and is accountable for. Services like NetNut instead harvest bandwidth from strangers' hardware and resell access to it, leaving the device owner with no visibility into who is using their connection or why. That distinction matters for anyone weighing a "free" traffic-routing tool against a paid, audited privacy service: cutting corners on cost with an obscure proxy app is exactly how a smart TV ends up as part of a botnet in the first place.
Why This Keeps Happening
NetNut is not the first residential proxy operator linked to hijacked hardware, and researchers say it will not be the last. The business model itself, paying for access to real home IP addresses at scale, creates a constant incentive to look the other way on how that access was obtained. Google's disruption removes one major supplier, but the demand from spammers, credential-stuffing crews, and ad-fraud operators for hard-to-block residential IPs has not gone away, which is why security teams expect white-labeled successors to surface within months.