Google, the FBI and the IRS Criminal Investigation division have taken down one of the internet’s largest residential proxy botnets. The network was built on more than two million hijacked smart TVs, streaming boxes and Android devices. Researchers tracked it as Popa; commercially, it sold access under the name NetNut. Cybercriminals and espionage groups used it to route traffic through ordinary home internet connections. That hid where their attacks really came from.
What Google and the FBI actually did
On July 2, Google’s Threat Intelligence Group disabled the Google accounts and services NetNut used for command and control. The move cut operators off from a chunk of their infrastructure overnight. The FBI, working with the IRS Criminal Investigation division, separately seized hundreds of domains tied to the network. Lumen Technologies, Shadowserver and other industry partners supplied technical support.
Google also pushed detection into Play Protect. Android devices now get warned about apps carrying NetNut’s proxy code, and known offenders get disabled automatically. The company shared its technical findings on the SDKs and backend infrastructure with platform providers, researchers and law enforcement. That keeps the intelligence working after the initial takedown.
How two million devices became a residential proxy botnet
NetNut’s device pool grew two ways. Some hardware, mostly budget smart TVs and streaming boxes, shipped with the proxy code already installed. Other devices picked it up through free apps that bundled a hidden software development kit. Installing an ordinary app quietly turned a phone or TV into an exit node for someone else’s traffic. Researchers at Spur found the pattern was widespread. Over 20% of Samsung Tizen apps and 42% of LG webOS apps they examined contained a residential proxy SDK. None of them properly disclosed it to the user.
Once compromised, a device becomes an “exit node.” Traffic bought through NetNut gets routed out through that device’s residential IP address rather than a data centre. To the target, it looks like ordinary consumer traffic instead of an obvious bot or VPN. That is exactly what makes residential proxy botnets valuable to attackers, and hard for defenders to block on IP reputation alone.
The same devices weren’t carrying only proxy traffic. Nokia Deepfield, Spur and Synthient separately documented Mirai DDoS botnet variants riding on NetNut-infected hardware. Researchers also tied a NetNut plugin to Badbox 2.0, the large-scale Android botnet. Google sued Badbox 2.0’s operators in July 2025. One piece of hidden code, several different criminal business models running on top of it.
Who was buying access
Google says its analysts tracked 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June. That mix spanned cybercriminal and espionage-linked groups. The most common use case was password spraying, cycling stolen or guessed credentials against a target. Attackers spread the requests across thousands of different residential IPs, so login-attempt monitoring never sees the volume from one source. Krebs on Security reported the network was also rented out for content scraping, ad fraud and account takeover.
NetNut traces back to Alarum Technologies, a publicly traded Israeli company listed on Nasdaq. Researchers at Qurium, Synthient, Nokia Deepfield and Spur linked the Popa botnet to NetNut through controlled testing in June. Legal counsel for Alarum told Krebs the company “takes this matter seriously and will fully cooperate with law enforcement.” The company has previously described its product as consented bandwidth sharing rather than a botnet. That framing sits awkwardly next to the seizure and the underlying research. Both contradict it for a meaningful share of its device pool.
Why this takedown won’t be the last word
This is Google’s second major residential proxy botnet disruption this year, after it dismantled the IPIDEA network in January. It also follows the July 2025 lawsuit against Badbox 2.0’s operators. That earlier action taught Google something worth knowing: individual proxy providers prove resilient because they lean on each other. They buy spare capacity from rival networks and resell it under their own brand when their own pool takes a hit. Google is describing the NetNut action as “significant degradation” of the network and its business, not a kill. It is deliberately targeting the interconnected infrastructure that lets providers borrow from one another.
For defenders, the practical takeaway is that residential proxy botnet traffic isn’t going away just because one brand name did. Treat unexplained spikes in low-and-slow authentication attempts from diverse consumer IP ranges as a signal worth investigating. That holds on its own merits, independent of any single provider’s reputation. On the consumer side, the advice is simple. Stick to official app stores, and be suspicious of any app or device that promises payment for “unused bandwidth.” Keep Play Protect switched on.
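As an added illustration (not code from the article or from any of the researchers it names), here is the detection logic a defender might run over constructed authentication log lines: a per-source threshold sees at most one failure per IP and stays silent, while counting how many distinct sources sit behind the failures in a window exposes the spray. The log format, field names and thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth log (not real data): each failed login comes from a
# different source and no account is tried more than twice, i.e. a spray.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z FAIL user=alice src=203.0.113.10
2025-07-01T10:00:07Z FAIL user=bob src=198.51.100.23
2025-07-01T10:00:15Z FAIL user=carol src=192.0.2.77
2025-07-01T10:00:21Z FAIL user=dave src=203.0.113.200
2025-07-01T10:00:30Z FAIL user=erin src=198.51.100.145
2025-07-01T10:00:44Z FAIL user=frank src=192.0.2.9
2025-07-01T10:00:50Z OK user=grace src=192.0.2.50
2025-07-01T10:01:02Z FAIL user=alice src=198.51.100.4
2025-07-01T10:01:10Z FAIL user=heidi src=203.0.113.66
2025-07-01T10:01:18Z FAIL user=ivan src=192.0.2.130
2025-07-01T10:01:25Z FAIL user=judy src=198.51.100.77
"""
# Assumed line format: "<timestamp> <OK|FAIL> user=<name> src=<ipv4>".
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_log(text):
    """One (result, user, src) tuple per well-formed line; others are skipped."""
    return [m.groups()[1:] for m in map(LINE_RE.match, text.splitlines()) if m]

def failures(events):
    return [e for e in events if e[0] == "FAIL"]

def per_source_alerts(events, threshold=5):
    """Classic per-IP rule; against traffic spread over exit nodes it never fires."""
    counts = Counter(src for _, _, src in failures(events))
    return sorted(src for src, n in counts.items() if n >= threshold)

def spray_signal(events, min_failures=8, min_source_ratio=0.8):
    """Aggregate rule: many failures, nearly all from distinct sources, across many
    accounts. Thresholds are assumptions; in production use a sliding time window."""
    fails = failures(events)
    if len(fails) < min_failures:
        return None
    sources = {src for _, _, src in fails}
    ratio = len(sources) / len(fails)
    if ratio < min_source_ratio:
        return None
    return {
        "failures": len(fails),
        "distinct_sources": len(sources),
        "accounts": len({user for _, user, _ in fails}),
        "source_ratio": round(ratio, 2),
    }
```

On the sample above `per_source_alerts` returns nothing at the usual threshold, while `spray_signal` reports ten failures from ten distinct sources against nine accounts.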
