Google Disrupts NetNut Proxy Network That Used Two Million Smart TVs for Cybercrime

Google and the FBI dismantled a proxy network that secretly turned over 2 million smart TVs into relays for cybercriminal traffic.

Jul 3, 2026
4 min read
Technobezz
Google Disrupts NetNut Proxy Network That Used Two Million Smart TVs for Cybercrime

Don't Miss the Good Stuff

Get tech news that matters delivered weekly. Join 50,000+ readers.

Your smart TV could be routing hacker traffic without your knowledge. Google just proved it at scale.

Working with the FBI and Lumen Technologies, Google's Threat Intelligence Group disrupted NetNut, a residential proxy network that turned more than 2 million home devices into rented relays for cybercriminal traffic. The Google Cloud blog estimates the botnet spans at least 2 million devices worldwide, many of them smart TVs and streaming boxes.

NetNut, also tracked as Popa, sells access to residential IP addresses that let buyers route traffic through real home connections. That makes malicious activity look like ordinary browsing instead of datacenter traffic that security tools block. In a single week in June, Google observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups running password spray attacks.

The FBI seized several NetNut domains as part of the operation, according to PCMag. NetNut's NetNut.io site remains up.

Google took three actions. It disabled Google accounts and services NetNut used for malware command and control.

It shared technical intelligence on NetNut's SDKs and backend infrastructure with platform providers, law enforcement, and research firms. And it activated Google Play Protect to automatically warn users and disable apps carrying NetNut SDKs.

"These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks," Google's report warns. "When a consumer device becomes an exit node, unauthorized network traffic passes through it.

This means bad actors can access other private devices on the same home network."

NetNut is owned by Alarum Technologies Ltd., an Israeli firm listed on the Nasdaq. Unlike most proxy botnets, it traces to a public company.

In June, researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut. Synthient reported that none of the more than 20 apps it examined showed users a consent prompt.

Alarum rejects the botnet label. It called the research "demonstrably inaccurate assertions and flawed deductions rather than verified facts" and said its software supports consented bandwidth sharing. But Alarum told PCMag it will fully cooperate with law enforcement.

Google framed this as degradation, not a kill shot. NetNut runs a reseller program that lets other companies sell its network under their own brand names.

Google says it has high confidence that many popular, seemingly separate proxy brands are white-labeling the same NetNut pool. After Google disrupted the China-based IPIDEA network in January, operators simply bought capacity from rivals.

Real disruption, Google says, means going after several connected providers at once.

"Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account," the company said in a statement.

Share

More in News