← Back to Blog

FBI and Google Take Down NetNut: 2 Million Hacked Smart TVs in Residential Proxy Network

On July 2-3, 2026, the FBI, the IRS, and the Google Threat Intelligence Group dismantled NetNut β€” one of the largest residential proxy networks, which turned out to be the Popa botnet consisting of 2 million hacked Smart TVs and TV boxes. Over the course of a week, 316 groups operated through it. Let's analyze how it works and how to distinguish a legitimate residential proxy from a criminal one.

πŸ“…July 4, 2026
FBI and Google Take Down NetNut: 2 Million Hacked Smart TVs in Residential Proxy Network

On July 2-3, 2026, the FBI, the IRS Criminal Investigation, and the Google Threat Intelligence Group jointly dismantled NetNut β€” one of the largest residential proxy networks in the world. Behind the attractive facade of a "legal provider" lay the Popa botnet, consisting of over 2 million compromised home devices: Smart TVs, set-top boxes, and Android gadgets. This marks the second public takedown of a major market player in six months, definitively drawing a line between legitimate residential proxies and criminal infrastructure.

What Happened

On July 2, the Google Threat Intelligence Group (GTIG) disabled the Google accounts and services that NetNut used to manage its botnet (command-and-control). Simultaneously, the FBI, along with the IRS Criminal Investigation unit, seized hundreds of domains associated with the network. The main domain netnut.com now redirects to an FBI seizure notice, while the domain netnut.io has had its DNS server changed to the characteristic ns1.fbi.seized.gov. Related brands β€” proxyjet.io and divinetworks.com β€” were also seized.

NetNut is backed by the publicly traded Israeli company Alarum Technologies Ltd (NASDAQ: ALAR) β€” indicating that this is not an underground group, but a publicly traded business. The company's lawyer, Omer Weiss, stated that "Alarum takes the situation seriously and will fully cooperate with law enforcement to ensure that any abuse of its infrastructure is thoroughly investigated."

According to Google, the coordinated actions inflicted "significant damage to the NetNut proxy network and its business, reducing the operator's available pool of devices by millions." This is a classic scenario: back in January 2026, Google similarly dismantled the competing network IPIDEA.

How a Botnet of 2 Million TVs Posed as "Residential Proxies"

The Popa botnet has been operational at least since 2020. Devices were compromised in three ways:

  • Trojanned applications. Users downloaded seemingly harmless IPTV, streaming, and "utility" applications that contained hidden proxy SDKs. This was also how the large botnet Badbox 2.0 operated, with plugins overlapping with NetNut.
  • Factory pre-installation. Some budget Smart TVs and set-top boxes arrived at the customer with proxy code already embedded β€” the device became an exit-node immediately after unpacking.
  • Compromised app stores. The scale of the problem is enormous: researchers estimate that proxy SDKs were present in 42% of LG webOS applications and over 26% of Samsung Tizen applications.

The result: millions of real home IP addresses that are indistinguishable from those of "live" users β€” exactly what the market pays a premium for. However, the owners of these TVs did not consent to anything and received no compensation.

316 Groups in One Week: What They Were Used For

The most alarming figure from the GTIG report: in just one week of June 2026, Google recorded 316 separate threat clusters originating from NetNut nodes. This was a mix of cybercriminals and groups involved in espionage. The main scenarios included:

  • Password spraying. Attackers cycled through stolen and guessed passwords, spreading login attempts across thousands of different residential IPs. Monitoring systems do not detect abnormal volumes from any single source β€” the classic protection "based on the number of attempts from one IP" becomes blind.
  • Masking during attacks. The residential IP concealed the actual location when accessing compromised environments of victims and the attackers' own infrastructure.
  • Account takeover, ad fraud, and mass scraping β€” all under the guise of "home" addresses.

A separate danger for owners of compromised devices: foreign traffic passing through your TV is tied to your IP. Your legitimate requests may be flagged as suspicious and blocked by neighboring services β€” and the attacker can establish a foothold in your home network if desired.

Why This Affects the Entire Proxy Market

NetNut not only sold its services but also operated on a whitelabel model: many popular "brands" of residential proxies were actually reselling its infrastructure under their own names. GTIG directly describes the market mechanics with the quote: "When an operator's own botnet degrades, proxy operators begin to purchase capacity from competitors, becoming resellers." This means that under someone else's attractive branding, you could unknowingly be using the same compromised TVs.

The second systemic failure is weak KYC. Access to the infrastructure could be purchased without providing a real name, which opened the door for hundreds of criminal clusters. Even the "clean" part of the business suffered: NetNut had a DiviNetworks division with ISP proxies under direct contracts with providers (this is a legitimate model), but the network's dismantling affected everything.

For the honest user, the takeaway is simple: the origin of IP addresses is not an abstract "ethics" issue, but a matter of your operational resilience. A botnet provider can be seized overnight, its pool of addresses poisoned by the reputation of hundreds of criminals, and the mere fact of using such a network poses legal risks. That is why it is crucial to understand the difference between types of proxies and their sources: how residential proxies and mobile proxies are structured, and when a fast and predictable datacenter proxy is sufficient without all this residential drama.

How to Distinguish a Legitimate Residential Proxy from a Botnet

The dismantling of NetNut is a good reason to reassess your provider selection checklist. Here’s what to look for:

  1. Transparent IP origin. Legitimate residential and ISP addresses are obtained either through direct contracts with providers or through clearly documented user consent for real compensation. If a provider is evasive about the source of their pool, that’s a red flag.
  2. No "money for unused traffic." Google explicitly advises against applications that offer payment for "sharing internet" or "unused bandwidth" β€” this is the main vector for botnet proxy infections. If your proxy network is fed by such applications, you are part of the problem.
  3. Real KYC and usage rules. A provider that does not ask who you are and why is equally likely to sell access to both you and a password-spraying group.
  4. Pool resilience. Addresses flagged in hundreds of attacks quickly end up on anti-fraud blacklists. A clean, managed pool is more stable where a botnet has already burned out.

We have already discussed in detail how such shadow networks operate from the perspective of compromised devices in our article about Smart TVs as exit-nodes for residential proxies β€” the story of NetNut is precisely that scenario taken to its logical conclusion with an FBI warrant.

What This Changes in Practice

For teams engaged in web scraping, multi-accounting, SMM automation, or simply bypassing geo-blocks, the main signal is this: the residential proxy market is undergoing painful "sanitation." In six months, two major networks have been publicly dismantled (IPIDEA in January, NetNut in July), and Google is methodically shutting down C2 infrastructure while warning users through Play Protect. Cheap "residents from nowhere" are not a good deal, but a ticking time bomb: the network can be shut down, the pool is poisoned, and the connection to criminal traffic creates reputational and legal risks.

The winners will be those who treat proxies as infrastructure rather than as a gray commodity: choosing a transparent provider, understanding the origin of addresses, and selecting the appropriate type for each task β€” residential where a "live" IP is needed, mobile for the most sensitive platforms, and server-based where speed and cost are crucial. The sanitation of the market is unpleasant in the moment, but in the long run, it makes honest work more resilient β€” and returns TVs to their rightful owners.