Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off
NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off
NEWS

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

Google's Threat Intelligence Group and the FBI have dismantled NetNut, a residential proxy network built on 2 million compromised Android smart TVs and...

Dylan H.

News Desk

July 3, 2026
4 min read

Google and FBI Dismantle NetNut Residential Proxy Network

A joint operation led by Google's Threat Intelligence Group (GTIG) and the FBI has disrupted NetNut (also known as "Popa"), a residential proxy network that granted cybercriminals and espionage groups access to approximately 2 million compromised Android devices. Additional partners included Lumen Technologies, the Shadowserver Foundation, and the IRS Criminal Investigation division.

The operation targeted NetNut's command-and-control infrastructure, seized hundreds of domains, and disabled linked Google accounts used for C2 communications — effectively severing the connection between the network operators and the compromised devices.


What NetNut Was

NetNut was operated by Israeli company Alarum Technologies (NASDAQ: ALAR) and functioned as a residential proxy service. It sold access to exit nodes on compromised home and consumer devices, allowing subscribers to route internet traffic through legitimate residential IP addresses — masking their true origin.

This capability is prized by:

  • Cybercriminals evading IP-based detection
  • Nation-state operators conducting espionage
  • Ad fraud operators
  • Credential stuffing and account takeover attackers

How Devices Were Compromised

Two primary infection vectors were identified:

VectorDescription
Pre-installed malwareDevices arrived with malicious proxy software already embedded in firmware before purchase
Trojanized appsUsers downloaded apps containing hidden residential proxy SDKs with no user disclosure

Researchers found that over 20% of Samsung Tizen apps and 42% of LG webOS apps examined contained a residential proxy SDK that operated without user consent. The Badbox 2.0 botnet was among the mechanisms used to deliver proxy plugins to devices.

Affected Device Types

  • Android-based smart TVs
  • Android streaming boxes and sticks
  • General residential Android devices (phones, tablets)

Scale of the Operation

MetricDetail
Devices enrolled~2 million
Infrastructure seizedHundreds of C2 domains
Google accounts disabledNetNut-linked accounts used for C2
Google Play ProtectUpdated to block apps containing NetNut SDKs
Intelligence sharedSDK and infrastructure data shared with platform providers and law enforcement

Why Disruption Is Difficult

The operation is significant, but security researchers caution that the underlying problem persists. When Google disrupted NetNut's largest competitor IPIDEA in January 2026, that network rebuilt to pre-disruption device counts within a single day — underscoring how deeply embedded proxy SDKs are in the consumer device supply chain.

The compromised devices themselves are not remotely wiped or restored. Unless users update firmware or factory reset their devices, the malware remains installed. The disruption targets network infrastructure, not endpoint compromise.


What Happens to Affected Devices

  • Devices remain infected unless users take action (firmware update or factory reset)
  • The C2 channels are cut, meaning devices cannot receive new instructions or route traffic for NetNut operators
  • Google Play Protect now actively blocks apps with NetNut proxy SDKs
  • No automated remediation was pushed to consumer devices

Recommendations

For consumers:

  1. Check whether your smart TV or streaming device received unsolicited firmware updates
  2. Perform a factory reset if you suspect your device may be a Badbox-family device
  3. Purchase smart TV and streaming devices from established retailers — gray-market devices are disproportionately affected
  4. Review app permissions on Android TV and connected TV platforms

For organizations:

  1. Block residential proxy ASNs known to be affiliated with NetNut and similar services in your threat feeds
  2. Investigate anomalous outbound traffic from smart TVs or streaming devices on corporate networks
  3. Review vendor firmware provenance for consumer devices deployed in conference rooms or lobby displays

Key Takeaways

  1. 2 million devices enrolled in the NetNut residential proxy network have been cut off from C2
  2. Joint operation by Google GTIG, FBI, Lumen, Shadowserver, and IRS-CI seized hundreds of domains
  3. Infection vectors include pre-installed firmware malware and trojanized TV apps
  4. Devices remain infected — the operation disrupts infrastructure, not endpoints
  5. The residential proxy ecosystem has demonstrated rapid rebuild capability — sustained enforcement is required

References

  • BleepingComputer — NetNut Proxy Network Disrupted
  • The Hacker News — Google Disrupts NetNut Residential Proxy Network
  • SecurityWeek — Google, FBI Disrupt NetNut Residential Proxy Network
  • Krebs on Security — FBI Seizes NetNut Proxy Platform, Popa Botnet
  • Google Cloud Blog — Google's Continued Disruption of Malicious Residential Proxy Networks
#Google#Android#Botnet#Residential Proxy#FBI#Takedown#Smart TV

Related Articles

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Working alongside the FBI and Lumen Technologies, Google's Threat Intelligence Group has significantly degraded NetNut — one of the largest networks that...

4 min read

FBI and Google Dismantle 'Outsider Enterprise' Phishing Service

A joint FBI and Google operation took down the Outsider Enterprise phishing platform — responsible for over 9,000 fake sites, nearly 4 million stolen...

4 min read

FBI Dismantles Massive AI-Powered Chinese Phishing-as-a-Service Operation

The FBI, Google, and Black Lotus Labs jointly dismantled Outsider Enterprise, a massive Chinese phishing-as-a-service platform that operated over one...

5 min read
Back to all News