Google's Threat Intelligence Group (GTIG), working with the FBI, Lumen and other partners, has disrupted NetNut — a residential-proxy network also tracked by researchers as Popa and estimated by Google to involve more than two million hijacked consumer devices worldwide, many of them Android smart TVs and streaming boxes. Announced in early July 2026, the operation saw Google disable the accounts and services tied to NetNut-related command-and-control activity, flag NetNut's software development kit in Play Protect, and share intelligence with law enforcement and industry partners; Reuters reported that Alarum, NetNut's parent company, was informed of FBI domain seizures. It continues the campaign against this category of abuse that began with the January 2026 disruption of IPIDEA, then one of NetNut's largest competitors.

What a residential proxy botnet actually is

A residential proxy network sells the ability to route internet traffic through IP addresses that belong to ordinary homes rather than data centres. That is valuable to an attacker for a simple reason: traffic coming from a real household connection looks like normal browsing, while traffic from a data centre is exactly what security tools are trained to flag and block. Routing an attack through a hijacked home connection lets the attacker hide their real location — and it means the innocent household's IP address, not the attacker's, is what appears in the logs of whatever was targeted.

To sell that capability at scale, an operator needs millions of real home devices acting as exit nodes, and that requires code running on those devices. According to GTIG, NetNut built its pool by distributing software development kits bundled into ordinary-looking consumer applications — streaming utilities and IPTV apps aimed at smart-TV and Android-streaming-box owners — and independent technical reviews found that the hijacked host applications generally failed to present device owners with any clear notice or consent prompt. Some cheap, off-brand hardware effectively ships pre-enrolled. Google and independent reporting also link NetNut and Popa components to the wider ecosystem of Android-TV-box malware, including the Badbox 2.0 and Vo1d families known for infecting off-brand consumer devices. The result is a class of victim who never sees a symptom: the device keeps working, while in the background it relays other people's traffic.

What GTIG found

The scale figure is an estimate — GTIG is explicit that sizing these networks precisely is difficult — but the abuse it enabled is concrete. In a single week in June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes. Those clusters spanned both cybercriminal and state-linked espionage activity, and they used the network to disguise their origin while running password-spray attacks and reaching into victim environments. That breadth is the point: a residential proxy network is not a single actor's tool but shared infrastructure that many unrelated attackers rent, which is why disrupting it has a wider effect than taking down any one group. The FBI seized NetNut-related domains as part of the action — some reporting describes the number as hundreds — replacing the network's main commercial homepage with a federal seizure notice, and the seizure has been credited to a coordinated effort including the FBI, IRS Criminal Investigation, Lumen and the Shadowserver Foundation.

The company behind the network

NetNut is unusual because the commercial service traces to a publicly traded company. Reuters identifies NetNut's parent as Israel-based Alarum Technologies (Nasdaq: ALAR), and earlier researcher reporting — from Brian Krebs, Qurium and Synthient — linked the Popa botnet to NetNut's residential-proxy service, with some of that reporting describing links between the company's leadership and the developers of the Popa code. Google's intelligence treats NetNut and Popa as connected infrastructure, and in a controlled test one research team reported that traffic sent through NetNut's commercial gateway emerged through a device the researchers had themselves enrolled in Popa. That is evidence of a traffic path and an infrastructure relationship; it is not, by itself, proof of corporate intent or knowledge. Alarum's legal counsel confirmed the company was made aware of the FBI's seizure of some of its domains and said Alarum "takes this matter seriously and will fully cooperate with law enforcement." The company has separately disputed characterisations of its software as a botnet. The accurate way to state it is that Google and independent researchers have documented a technical link between a commercial proxy service and a botnet of non-consenting home devices, that the company contests how that link is characterised and says it will cooperate, and that the question of intent and knowledge is not resolved here.

Why the takedown shrinks the market without ending it

Disruptions of this kind are attrition rather than a finishing blow, and Google has been candid about why. When one proxy operator is degraded, remaining operators tend to buy capacity from competitors and effectively become resellers, so demand simply reroutes. GTIG has also said it assesses with high confidence that many popular residential-proxy brands are white-labelling the NetNut network — meaning the practical reach of this action extends to services that never carried the NetNut name, but also that the underlying pool of compromised devices can be repackaged elsewhere. The residential-proxy industry has continued to expand despite a series of takedowns, of which the January IPIDEA operation and this one are the most recent. The realistic goal is to raise the cost and shrink the supply, not to eliminate the category.

What home users and defenders can do

The people best placed to shrink the device pool are the owners of the devices, even though most have no idea they are affected:

  • Be cautious about cheap, off-brand streaming hardware. No-name Android TV boxes and generic streaming dongles are the devices most often found pre-enrolled or easily enrolled into these networks. Prefer reputable brands and official app stores.

  • Avoid unofficial IPTV and streaming apps and sideloaded utility apps. These are a common delivery vehicle for the bundled proxy SDKs. On Android devices, keep Play Protect enabled.

  • Keep smart TVs and streaming devices updated, and remove apps you do not recognise or no longer use.

  • Watch the home network. Unexplained outbound traffic from a TV or streaming box, or your home IP being flagged or blocklisted for activity you did not perform, can be a sign a device is being used as a relay.

  • Reset or replace suspect devices. For a cheap device you believe is compromised, a factory reset may help — but for off-brand hardware with malicious firmware, replacing the device is the safer fix. Follow Google's published guidance for the latest indicators.

Key Takeaways

  • Google's GTIG and the FBI, with Lumen, the Shadowserver Foundation and IRS Criminal Investigation, disrupted NetNut (also tracked as Popa), a residential-proxy network of an estimated two million-plus hijacked consumer devices — many of them Android smart TVs and streaming boxes. Google disabled the accounts tied to its control infrastructure and flagged its SDK in Play Protect, and Reuters reported that NetNut's parent company was informed of FBI domain seizures.

  • The network enrolled devices via proxy SDKs bundled into streaming and IPTV apps (with, researchers found, no clear consent prompt) and is linked to the wider Badbox 2.0 / Vo1d Android-TV-box malware ecosystem; it rented the devices as exit nodes so attackers could route traffic through real home IPs. In one week in June 2026, GTIG saw 316 distinct criminal and espionage clusters using it.

  • NetNut's parent is Alarum Technologies (Nasdaq: ALAR); Google and researchers (Krebs, Qurium, Synthient) document a technical link between the commercial service and the Popa botnet. Alarum says it will cooperate with law enforcement and disputes the botnet characterisation — the documented link is technical, and knowledge or intent is unresolved.

  • Takedowns of this kind shrink rather than end the market (operators become resellers and white-label each other's networks). Home users can help by avoiding cheap off-brand streaming hardware and unofficial IPTV/streaming apps, keeping devices updated and Play Protect on, watching for odd home-network traffic, and resetting or replacing suspect devices.