In short: On 2 July 2026, the FBI and Google took down NetNut — a network of more than 2 million hijacked home devices, mostly cheap Android streaming boxes and smart TVs, that was rented out as "residential proxies" to cybercriminals and state-backed spies. Owners usually had no idea their gadget was part of a botnet. Check your devices and update their firmware.
What happened
On 2 July 2026, the FBI — working with the IRS Criminal Investigation division — seized hundreds of domains tied to the NetNut proxy service, while Google's Threat Intelligence Group (GTIG) disabled the accounts and command-and-control infrastructure the network relied on. Security researchers also track it as the "Popa" botnet.
NetNut was sold as a "residential proxy" service: a client would route traffic through the IP address of an ordinary home device instead of a data center, so their activity looked like a regular user's. The catch is that millions of those "residential" IPs belonged to people who never agreed to it. Investigators link the infrastructure to Alarum Technologies (NASDAQ: ALAR), a publicly traded Israeli firm, including a reseller program that let others white-label access. We explain how residential proxies differ from a VPN on our blog.
How home devices were hijacked
This was not "hacking" in the usual sense but planted software. Cheap Android streaming boxes, TV sticks and off-brand smart TVs shipped with — or quietly downloaded — SDKs: libraries inside apps that silently turned the device into a proxy node. That code often arrived alongside unofficial apps and "enhanced" clients of popular services installed from outside official stores.
The mechanics resemble the Badbox family of malware flagged in earlier warnings: a device is sold or updated with unwanted code already baked in. A user simply switches on a new TV or box — and from that moment their home connection starts carrying someone else's traffic without their knowledge.
Why criminals wanted the botnet
Residential IPs are prized in cybercrime precisely because they are trusted. Traffic coming from a home address is harder to tell apart from a real person's, so security systems block it less often. In a single week of June 2026, Google GTIG counted 316 distinct threat clusters exiting through NetNut nodes.
Both ordinary criminal gangs and nation-state espionage teams used the network to hide their location. Typical scenarios: large password-spray attacks against corporate accounts, account takeover, masking the real IP during attacks on victims, plus mass scraping and ad fraud.
What this means for you and your data
If your device ends up in such a network, the consequences are not abstract. Your home IP and connection get used for other people's attacks: in the worst case, suspicious activity — break-in attempts, fraud — appears to come from you, and your provider sees traffic spikes. The device runs slower, and the "firmware with a surprise" may harvest other data too.
The key point: the devices most at risk are the cheap ones from unknown brands and apps installed outside official stores. Owning a smart TV does not mean it is infected — the risk rises sharply with grey-market hardware and sideloaded APKs.
How to check if a device is infected
There is no reliable indicator for an ordinary user, but watch for: a noticeable, unexplained slowdown of your home internet; an idle box that runs hot with high network traffic; and warnings from Google or your provider. If a device is unbranded and long unpatched, it is safer to replace it with a certified one.
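For readers who can export connection logs from their router, the "idle box with high network traffic" sign can be checked with a rough heuristic; this is an added example, not part of the original report or any vendor tool. A relay node tends to contact many unrelated hosts and upload about as much as it downloads, while a streaming box mostly downloads. The log format, the LAN range and every threshold below are assumptions, and a hit is a reason to look closer, not proof of infection.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample (hypothetical export): time,lan_ip,dst_ip,dst_port,bytes_up,bytes_down
SAMPLE_LOG = """\
21:15,192.168.1.10,198.51.100.7,443,40000,9000000
02:05,192.168.1.20,198.51.100.7,443,3000,60000
02:10,192.168.1.30,203.0.113.11,443,510000,520000
02:11,192.168.1.30,203.0.113.12,443,480000,500000
02:12,192.168.1.30,203.0.113.13,80,300000,310000
02:14,192.168.1.30,198.51.100.21,443,700000,690000
02:20,192.168.1.30,198.51.100.22,443,650000,640000
03:01,192.168.1.30,192.0.2.44,443,900000,910000
03:30,192.168.1.30,192.168.1.1,53,200,400
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: home subnet
IDLE_HOURS = range(1, 6)   # assumption: nobody is watching 01:00-05:59
MIN_DESTS = 5              # assumption: distinct external hosts while idle
MIN_UP_RATIO = 0.5         # assumption: upload at least half of download

def summarize(log_text):
    """Per-device totals for idle-hour traffic leaving the LAN."""
    stats = defaultdict(lambda: {"dests": set(), "up": 0, "down": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        when, src, dst, _port, up, down = row
        if int(when.split(":")[0]) not in IDLE_HOURS:
            continue  # evening streaming is expected, ignore it
        if ipaddress.ip_address(dst) in LAN:
            continue  # local DNS/router chatter is not relay traffic
        dev = stats[src]
        dev["dests"].add(dst)
        dev["up"] += int(up)
        dev["down"] += int(down)
    return stats

def suspicious_devices(log_text):
    """Devices that fan out to many hosts and upload about as much as they download."""
    flagged = []
    for src, dev in summarize(log_text).items():
        ratio = dev["up"] / dev["down"] if dev["down"] else float("inf")
        if len(dev["dests"]) >= MIN_DESTS and ratio >= MIN_UP_RATIO:
            flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_devices(SAMPLE_LOG))
```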
How to protect your devices
Buy from known brands. Choose smart TVs and boxes on official Android TV with Google Play Protect certification, not no-name boxes sold for a suspiciously low price.
Install apps only from official stores. Unofficial clients and "modified" versions of popular apps are the most common way a proxy SDK lands on a device.
Keep firmware and apps updated. Google has already removed some infected apps through Play Protect and warned owners — but updates close other holes too.
Isolate smart devices. Put TVs and IoT gadgets on a separate guest Wi-Fi network so that, if compromised, they cannot see your computers and phones.
Cover the network half. A VPN encrypts your traffic on untrusted networks and hides your real IP from sites and your provider, reducing tracking and interception. To be honest, a VPN will not remove a malicious SDK from an infected TV or replace device hygiene, but it does cover the network side of privacy on your phones and laptops. See how we do it on the features page.
Sources
This report is based on coverage by Krebs on Security, SecurityWeek and Infosecurity Magazine from July 2026.
