
FBI and Google Disrupt NetNut Proxy Network Used by Cyber Threat Actors

[Image: home network setup with disrupted connections and erratic router lights.]

“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google’s Threat Intelligence Group wrote on July 2.

How the Popa botnet turned smart TVs and boxes into exit nodes

The proxy service tracked by security researchers as NetNut relied on a stealth communications layer known as the Popa botnet. According to the reporting, Popa embedded deceptive software development kits (SDKs) into inexpensive, off‑brand Android‑based smart TVs, streaming media boxes and unofficial apps such as the SmartTube client. When consumers plugged those devices into home networks, their internet connections could be quietly rented out as residential proxy exit nodes.

The scale was large: the network co‑opted more than two million consumer devices globally and turned them into traffic‑routing relays for criminal operators and state‑sponsored espionage groups, the coverage says. Routing through domestic IP addresses in this way let malicious traffic bypass typical data center blocks and the many security filters that rely on recognising data center infrastructure.

FBI, Google and industry partners seize infrastructure and take technical steps

The disruption was a coordinated international effort. The FBI and Google’s Threat Intelligence Group worked alongside industry partners including Lumen Technologies, the Shadowserver Foundation, and the U.S. Internal Revenue Service’s Criminal Investigation division to target the digital infrastructure behind the service and seize hundreds of domains.

Google described several immediate technical mitigations it deployed: it disabled Google accounts used for malware command‑and‑control, updated Google Play Protect to automatically warn Android users, and disabled apps containing the compromised SDKs. The company said those steps were aimed at preventing the network from easily rebuilding.

The takedown sequence produced some confusion: the FBI’s seizure banner appeared on netnut.com, while NetNut’s primary commercial domain, netnut.io, temporarily remained active and accessible. Some commentators suggested law enforcement might have targeted the wrong domain, but other security experts clarified that both domains are tied to the same operation and that the botnet’s backend command‑and‑control servers were successfully targeted and dismantled — a move that, by Google’s account, significantly degraded operations.

Alarum Technologies, reporting links, and the reseller model

Independent cybersecurity journalist Brian Krebs reported a link between NetNut and Alarum Technologies Ltd, a publicly traded Israeli firm listed on NASDAQ. That reporting draws on security investigations by firms including Qurium and Synthient, which the coverage says established direct links between Alarum’s executive leadership and the original developers of the Popa SDK.

Alarum has historically marketed its software as a consensual bandwidth‑sharing tool. But independent technical reviews found that hijacked host applications “failed to present users with any clear notice or consent prompt.” In response to the FBI seizure of certain domains associated with NetNut, Alarum Technologies issued this statement: “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”

Google’s report did not mention Alarum, but the GTIG researchers noted that NetNut operated “a robust reseller program that allows whitelabeling of its network” and assessed with “high confidence” that many popular residential proxy brands are effectively whitelabeling the NetNut botnet.

Observed criminal uses: 316 distinct threat clusters in a single week

Google’s analysis documented concentrated abuse: at least 316 distinct threat clusters used NetNut exit nodes to carry out password‑spraying campaigns, credential stuffing, advertising fraud and sensitive data scraping in a single week in June 2026. Other public reports by Synthient, Spur and Nokia Deepfield are cited as documenting the use of NetNut to install variants of Mirai distributed denial‑of‑service botnets on infected devices.

Notably, the reporting contrasts NetNut with more familiar underground botnets: investigators describe it as tied to a commercial residential proxy service rather than solely to a covert criminal collective, which raises different questions about business models and accountability.

What this means for technologists, regulators, and consumers

  • Technologists and security teams: Expect continued monitoring for whitelabeled reseller relationships and renewed emphasis on detecting residential proxy traffic; Google’s updates to Play Protect and account takedowns show how platform controls can be used to disrupt SDK‑level abuse.
  • Regulators and law enforcement: The operation involved cross‑sector partners and domain seizures plus legal action; the mixed visibility across registrars (netnut.com vs netnut.io) highlights jurisdictional frictions when targeting commercial proxy infrastructure.
  • Consumers and device vendors: Off‑brand Android devices and unofficial apps were central to the abuse; independent reviews that found apps lacking clear consent prompts underline a persistent risk for users who install third‑party clients or low‑cost media devices.
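The password‑spraying campaigns described above and the call for better detection of residential proxy traffic share one defensive lesson: when every attempt arrives from a different home IP, controls keyed to a single source (data center blocklists, per‑IP lockouts) see nothing, while the breadth of targeted accounts in a time window is still visible. The following Python detector is an added illustration, not code from the article, from Google’s report or from any of the firms named; the log format, the sample lines and the thresholds (`min_users`, `max_per_ip`, `max_per_user`) are constructed assumptions, and the detector contrasts a naive per‑IP threshold with a per‑window account‑breadth check over the same events.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of an authentication log (assumed format, not taken from
# the article). It mixes a low-and-slow spray over twelve accounts from a pool
# of ten source IPs, the shape a residential proxy pool produces, with one
# legitimate user who mistypes once and then signs in.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z FAIL user=alice src=203.0.113.10
2026-06-10T09:00:03Z FAIL user=bob src=203.0.113.11
2026-06-10T09:00:05Z FAIL user=carol src=203.0.113.12
2026-06-10T09:00:07Z FAIL user=dave src=203.0.113.13
2026-06-10T09:00:09Z FAIL user=erin src=203.0.113.14
2026-06-10T09:00:11Z FAIL user=frank src=203.0.113.15
2026-06-10T09:00:13Z FAIL user=grace src=203.0.113.16
2026-06-10T09:00:15Z FAIL user=heidi src=203.0.113.17
2026-06-10T09:00:17Z FAIL user=ivan src=203.0.113.18
2026-06-10T09:00:19Z FAIL user=judy src=203.0.113.19
2026-06-10T09:00:21Z FAIL user=mallory src=203.0.113.10
2026-06-10T09:00:23Z FAIL user=oscar src=203.0.113.11
2026-06-10T09:00:40Z FAIL user=peggy src=198.51.100.7
2026-06-10T09:00:45Z OK user=peggy src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts.replace(tzinfo=timezone.utc),
                                m["result"] == "OK", m["user"], m["src"]))
    return events


def bucket_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window (epoch aligned)."""
    secs = int(window.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def per_ip_alerts(events, window=timedelta(minutes=10), limit=5) -> set[str]:
    """The control a per-IP lockout approximates: flag any single source IP
    with more than `limit` failures inside one window. A proxy pool that
    spreads attempts across many home IPs stays under this limit everywhere."""
    counts = Counter()
    for e in events:
        if not e.ok:
            counts[(bucket_start(e.ts, window), e.src)] += 1
    return {src for (_, src), n in counts.items() if n > limit}


def spray_windows(events, window=timedelta(minutes=10),
                  min_users=10, max_per_ip=3, max_per_user=2) -> list[datetime]:
    """Flag windows whose failures have the sprayed shape: many distinct
    accounts, each hit only once or twice, from sources none of which is
    individually noisy. The breadth of accounts is what the proxy pool
    cannot hide, so this check does not depend on where the IPs are hosted."""
    by_window = defaultdict(list)
    for e in events:
        if not e.ok:
            by_window[bucket_start(e.ts, window)].append(e)
    flagged = []
    for start, fails in sorted(by_window.items()):
        per_user = Counter(e.user for e in fails)
        per_ip = Counter(e.src for e in fails)
        if (len(per_user) >= min_users
                and max(per_ip.values()) <= max_per_ip
                and max(per_user.values()) <= max_per_user):
            flagged.append(start)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP alerts (limit=5):", per_ip_alerts(evs) or "none")
    for start in spray_windows(evs):
        print("sprayed window starting", start.isoformat())
```

On the constructed sample the per‑IP check raises nothing, because no source exceeds two failures, while the window check flags the 09:00 window on account breadth alone. The thresholds are placeholders to tune against real baselines; the point of the design is that the second signal survives IP diversity whereas the first is exactly what a residential proxy pool defeats.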

The coordinated takedown has degraded NetNut’s capacity, but the record in the reporting leaves a clear operational question: with reseller channels and whitelabeling in play, will dismantling public‑facing infrastructure be enough to prevent rapid reconstitution? Google noted the action built on the prior disruption of the IPIDEA proxy network in January 2026, suggesting the work is iterative. For now, the combination of legal seizures and platform mitigations has interrupted a service that, by multiple accounts, turned consumer electronics into a global proxy backbone.

Source: Infosecurity Magazine — FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors