Google and the FBI Dismantled a 2-Million-Device Proxy Botnet. Most Victims Were Smart TVs.

NetNut enrolled smart TVs and streaming boxes into a residential proxy network via pre-installed SDKs. 316 distinct threat clusters used it in a single week. Google disabled the C2 infrastructure. The supply chain was the infection vector.

The Network Behind the Network

On July 3, 2026, Google disclosed the disruption of NetNut, a residential proxy network operating across an estimated 2 million devices. Google disabled Google Accounts and services used for NetNut's command-and-control infrastructure, coordinating with the FBI and Lumen. Google Play Protect automatically warned users, disabled applications containing NetNut SDKs, and blocked future installations. The proxy pool shrank by millions of devices in a single action.

2,000,000+: devices in the NetNut proxy network (Source: Google Threat Intelligence, July 3, 2026)
316: threat clusters using NetNut in one week (Source: Google Threat Intelligence, June 2026 observation window)
Google, FBI, Lumen: coordinating agencies (Source: Google Cloud Blog, July 3, 2026)

The Infection Vector Was the Factory

NetNut did not compromise devices through phishing or exploit kits. It shipped inside them. Smart TVs and streaming boxes reached consumers with NetNut SDKs pre-installed, embedded in the device firmware before the box was opened. Users who connected these devices to their home networks unknowingly enrolled their household IP addresses into a commercial proxy service. The device worked normally. The proxy operated silently.

The second distribution channel was application-layer. Users downloaded apps from various sources that contained hidden proxy code. Once installed, the application functioned as advertised while simultaneously routing third-party traffic through the device. The user saw a weather app or a media player. The network saw a residential exit node available for rent.

What 316 Threat Clusters Look Like

In a single week in June 2026, researchers observed 316 distinct threat clusters routing traffic through suspected NetNut exit nodes. The traffic included password spray attacks, credential stuffing campaigns, and automated reconnaissance. Every request appeared to originate from a legitimate residential IP address, bypassing geographic restrictions, rate limits, and IP reputation systems designed to detect bot activity.

This is the operational value of a residential proxy network: the traffic is indistinguishable from a human browsing from home. Web application firewalls, bot detection systems, and framework-level rate limiting all treat residential IPs with higher trust. A password spray routed through 2 million residential exit nodes looks like 2 million individual humans typing wrong passwords. The attacker's infrastructure is invisible because it is someone else's living room.
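The detection gap described above, as an added example that is not from the article or from Google's reporting: a per-IP rate limiter sees one failure per residential exit node and stays quiet, while aggregating failures per time window across accounts and source IPs still exposes the spray. The log format, account names and documentation-range IPs are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the article). Each sprayed account fails
# once from a different "residential" IP; grace is a human mistyping her
# own password three times from one address.
SAMPLE_LOG = """\
2026-06-10T08:00:01Z auth_fail user=alice src=203.0.113.10
2026-06-10T08:00:04Z auth_fail user=bob src=203.0.113.22
2026-06-10T08:00:09Z auth_fail user=carol src=198.51.100.7
2026-06-10T08:00:15Z auth_fail user=dave src=198.51.100.88
2026-06-10T08:00:21Z auth_fail user=erin src=203.0.113.140
2026-06-10T08:00:30Z auth_fail user=frank src=198.51.100.201
2026-06-10T09:30:00Z auth_fail user=grace src=192.0.2.5
2026-06-10T09:30:07Z auth_fail user=grace src=192.0.2.5
2026-06-10T09:30:15Z auth_fail user=grace src=192.0.2.5
2026-06-10T09:30:40Z auth_ok user=grace src=192.0.2.5
"""

LINE_RE = re.compile(r"(\S+) auth_fail user=(\S+) src=(\S+)")

def parse_failures(log_text):
    """Return (timestamp, user, ip) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3)))
    return events

def per_ip_failures(events):
    """The view a per-IP rate limiter has: the spray never exceeds 1 per IP."""
    return Counter(ip for _, _, ip in events)

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_ip=2):
    """Bucket failures by fixed window and flag buckets where many distinct
    accounts fail while each source IP contributes only a failure or two."""
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[int(ts.timestamp() // window.total_seconds())].append((user, ip))
    alerts = []
    for key, items in sorted(buckets.items()):
        users = {u for u, _ in items}
        ips = {i for _, i in items}
        if len(users) >= min_accounts and len(items) / len(ips) <= max_per_ip:
            start = datetime.fromtimestamp(key * window.total_seconds(), tz=timezone.utc)
            alerts.append((start.isoformat(), len(users), len(ips)))
    return alerts
```

Running `detect_spray(parse_failures(SAMPLE_LOG))` flags only the 08:00 window (six accounts, six IPs), while `per_ip_failures` ranks the benign mistyping user's IP as the noisiest source.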

The Badbox 2.0 Connection

NetNut's infrastructure overlapped with Badbox 2.0, a large-scale botnet previously documented by security researchers. Badbox 2.0 devices carried NetNut plugin components, creating a layered infection where compromised hardware served multiple criminal operations simultaneously. Mirai DDoS variants were also documented as NetNut infection vectors, meaning devices could be conscripted for proxy services, DDoS attacks, and credential theft in parallel.

KrebsOnSecurity reported that NetNut, also known as Popa, was linked to a publicly traded Israeli firm operating a white-label reseller program. Customers purchased proxy bandwidth without knowing the exit nodes were compromised consumer devices. Research firms Synthient, Spur, and Nokia Deepfield independently documented the network's scale and malicious use before Google's disruption.

The Layer Nobody Audits

Security teams evaluate frameworks, patch CVEs, deploy WAFs, and monitor application logs. What they do not audit is the network layer beneath their users. When 57.5% of web traffic is non-human and a meaningful fraction of that traffic routes through compromised residential devices, every assumption about IP reputation, geographic access controls, and rate limiting is built on contaminated data.

Google's disruption of NetNut follows its January 2026 takedown of the IPIDEA proxy network. The dismantling of two major residential proxy botnets in six months suggests the problem is structural, not isolated. The supply-chain infection model scales because device manufacturers face no liability for shipping compromised firmware, and consumers have no way to audit what their smart TV does when the screen is off. The 2 million devices in NetNut's network were not hacked. They were sold.
