Google and the FBI have disrupted NetNut, a large residential proxy network that security researchers say drew capacity from at least 2 million compromised consumer devices, including smart TVs and streaming boxes. The operation, announced July 2, targeted a proxy ecosystem also tracked as Popa and shows how ordinary home entertainment hardware can become infrastructure for password spraying, fraud, scraping, and espionage traffic.
The Google Threat Intelligence Group said it acted with the FBI, Lumen, and other partners to disable Google accounts and services used for command-and-control activity, share technical intelligence on NetNut software development kits and backend infrastructure, and use Google Play Protect to warn users and disable known apps that incorporated NetNut SDKs. KrebsOnSecurity reported that the FBI and IRS Criminal Investigation replaced NetNut’s homepage with a seizure banner and seized hundreds of domains associated with the service.
Google estimates that NetNut controlled at least 2 million devices worldwide and said suspected NetNut exit nodes were used by 316 distinct threat clusters in a single week in June 2026. Those clusters included both cybercriminal and espionage groups. The company also said NetNut was resold and white-labeled by other residential proxy brands, which means the takedown could affect more than the service name visible to customers.
How the Proxy Network Worked
A residential proxy network sells access to real home internet connections. Instead of routing traffic through a cloud server or a known VPN range, a customer can make requests appear to come from ordinary broadband addresses. That makes residential proxies attractive for legitimate market research, but also valuable for attackers trying to evade reputation filters, rate limits, and geography-based controls.
In the NetNut case, the problem was not merely that attackers used proxy services. Google and multiple security researchers tied the network to consumer devices that had proxy code running on them through trojanized apps, preinstalled software, or SDKs presented as bandwidth-sharing technology. Google said it identified NetNut botnet plugin components for Badbox 2.0, a malware ecosystem associated with compromised Android-based devices.
Once a TV box, streaming stick, or smart TV becomes an exit node, other people’s traffic can pass through the owner’s home IP address. That can cause the household’s normal traffic to be flagged by online services or internet providers. More importantly, Google warned that unauthorized traffic passing through an infected device can expose other private devices on the same home network to internet threats.
Why Smart TVs and Streaming Boxes Are Attractive Targets
Smart TVs and streaming boxes are almost perfect botnet infrastructure when they are poorly secured. They stay plugged in, often run for years without much attention, sit on trusted home networks, and may never receive security updates after a cheap device maker abandons support. Users also tend to treat them as appliances, not as Android computers with apps, permissions, network access, and update risk.
The risk is highest around off-brand Android TV boxes, unofficial streaming apps, sideloaded APKs, and apps that offer payment or rewards for “unused bandwidth” or “sharing your internet.” Google urged consumers to stick with official app stores, review VPN and proxy permissions, keep Google Play Protect active, and verify whether connected TV hardware is built on official Android TV OS with Play Protect certification.
This does not mean every smart TV is infected or that Android TV itself is the issue. The pattern is narrower: devices and apps outside the normal certified ecosystem are attractive places to hide proxy code because they can reach millions of homes while attracting far less scrutiny than phones and laptops.
What Home Users Should Check
The first step is to inventory the devices connected to the home network. Many households know their phones and laptops but forget older HDMI streaming boxes, smart TVs in spare rooms, cheap projectors, set-top boxes, and sideloaded media devices. Anything that runs Android-based software and has internet access deserves a second look.
- Remove streaming apps, VPNs, proxy apps, and bandwidth-sharing apps from unknown developers.
- Check whether Android TV or Google TV devices are Play Protect certified and still receiving updates.
- Turn on Google Play Protect where available, then scan installed apps and remove anything it flags.
- Factory reset or replace off-brand boxes that cannot be updated, cannot verify app sources, or arrived with suspicious preinstalled software.
- Put smart TVs and streaming boxes on a guest or IoT network when the router supports segmentation.
- Watch for repeated account blocks, CAPTCHA spikes, ISP warnings, or online services flagging the home IP address as suspicious.
Factory resets are useful, but they are not magic. If a device ships with unwanted proxy software, lacks firmware updates, or depends on sideloaded apps to function, replacing it with supported hardware from a reputable manufacturer may be safer than trying to clean it repeatedly.
What Defenders Should Take From the NetNut Case
For security teams, NetNut is a reminder that attacker infrastructure increasingly blends into consumer networks. A login attempt from a residential ISP is not automatically benign. It may be a compromised TV box in someone’s living room acting as the last hop for a password-spray campaign, account takeover attempt, scraper, or reconnaissance workflow.
That makes detection harder than simply blocking data-center IP ranges. Defenders need to combine source reputation with behavior: impossible travel, repeated low-volume failures across many accounts, unusual user agents, mismatched device fingerprints, abnormal session timing, and residential IPs that appear across unrelated tenants or attack campaigns. Residential proxy traffic is designed to look normal at the network layer, so identity, endpoint, and application telemetry become more important.
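The gap between per-source thresholds and behavior-based correlation, as an added example that is not from Google or any of the cited reports: a per-IP failure rule sees nothing when each exit node makes a single attempt, while grouping failures by a shared client fingerprint exposes the spray. The log format, the `fp` fingerprint field, the thresholds, and all sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                  r"result=(?P<result>\S+) fp=(?P<fp>\S+)")

def sample_log():
    """Constructed events: documentation IP ranges, made-up accounts and fingerprints."""
    t0 = datetime(2026, 6, 10, 9, 0, 0)
    # Spray through 12 exit nodes: one failure per IP, one account per attempt.
    log = [f"{(t0 + timedelta(seconds=40 * i)).isoformat()} ip=203.0.113.{10 + i} "
           f"user=user{i:02d} result=FAIL fp=a1b2c3" for i in range(12)]
    # Benign: one person mistyping a password three times from home.
    log += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} ip=198.51.100.7 "
            f"user=alice result=FAIL fp=ffee01" for i in range(3)]
    return log

def parse(lines):
    events = [m.groupdict() for m in map(LINE.match, lines) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def noisy_ips(events, threshold=5):
    """Per-source rule: IPs with at least `threshold` failed logins."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def distributed_sprays(events, window=timedelta(minutes=15), min_users=8, min_ips=8):
    """Pivot on client fingerprint: many accounts failing from many IPs in one window."""
    by_fp = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_fp[e["fp"]].append(e)
    alerts = []
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            users = {e["user"] for e in evs[start:end + 1]}
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(users) >= min_users and len(ips) >= min_ips:
                alerts.append({"fp": fp, "users": len(users), "ips": len(ips)})
                break  # one alert per fingerprint
    return alerts
```

On the sample data the per-IP rule returns nothing, while the fingerprint pivot raises one alert as soon as eight accounts have failed from eight addresses inside the window.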
The takedown also suggests why one-off disruptions rarely end the problem. Google said proxy operators can buy capacity from competitors when their own botnets are degraded, effectively turning into resellers. That makes malicious residential proxy networks less like isolated malware families and more like a connected market for abused home devices.
A Bigger Consumer-Device Security Problem
The NetNut disruption follows earlier action against IPIDEA and comes after security researchers linked compromised routers, Android boxes, and other always-on home devices to proxy and denial-of-service infrastructure. The recurring lesson is not that consumers need to become malware analysts. It is that cheap connected devices can create real risk when buyers cannot verify their software supply chain, update path, or app behavior.
For now, the practical standard is simple: treat streaming boxes and smart TVs as computers on the network, not harmless accessories. Buy devices with clear update support, avoid unofficial app ecosystems, isolate entertainment hardware where possible, and be skeptical of any app that wants to monetize a home internet connection. NetNut shows why that caution is no longer theoretical.
Sources: Google Threat Intelligence Group, KrebsOnSecurity, BleepingComputer, and SecurityWeek.