Your Smart TV Might Be Working for Cybercriminals: Inside Google's Takedown of the NetNut Proxy Network

How a coordinated strike against a 2-million-device botnet exposes the hidden economy of residential proxies, and what it means for anyone with a connected device at home.


On July 2, 2026, Google announced a coordinated action against one of the largest malicious residential proxy networks on the internet: NetNut, also tracked under the name Popa. Working alongside the FBI, Lumen, and other partners, Google's Threat Intelligence Group (GTIG) moved to dismantle infrastructure that had quietly conscripted millions of ordinary home devices into a for-hire network for cybercriminals. You can read Google's full write-up in its Threat Intelligence blog post.

This wasn't a one-off. It follows Google's disruption of the IPIDEA proxy network back in January 2026, and it signals an ongoing campaign rather than a single headline.

What is a residential proxy network, anyway?

Here's the part that surprises most people: the "proxies" being sold aren't rented data-center servers. They're real IP addresses belonging to real homes - yours, potentially - routed through devices sitting in living rooms around the world.

Residential proxy services sell the ability to push internet traffic through IP addresses owned by ordinary consumer internet providers. Because the traffic appears to originate from a genuine home connection, it's far harder to flag as suspicious than traffic from a known data center. That's exactly why it's valuable to bad actors: it lets them mask malicious activity behind the digital fingerprint of an innocent household.

To keep such a network stocked, operators need code running on home devices that quietly enrolls them as "exit nodes." Devices get pulled in one of two ways: either they ship with malware pre-installed before purchase, or their owners unknowingly install an app carrying hidden proxy code. Once enrolled, that device becomes a launchpad for someone else's traffic.

The scale of NetNut

GTIG estimates NetNut spans at least 2 million devices worldwide, a figure that makes it one of the largest and most popular residential proxy networks in operation. Estimating the true size of these networks is notoriously difficult, but the scale here is enormous by any measure.

How does a network grow that big? By targeting the gadgets people rarely think about as computers: smart TVs, streaming boxes, and set-top devices. Reporting from KrebsOnSecurity, confirmed by Google, describes how NetNut distributes software development kits (SDKs) for exactly these kinds of household devices. GTIG also found NetNut plugin components tied to large-scale botnets like Badbox 2.0.

The distribution model has a nasty multiplier effect. Beyond selling access under its own brand, NetNut runs a reseller program that lets other companies whitelabel its network. Google says it has high confidence that many popular "residential proxy" brands are, under the hood, just reselling the NetNut botnet.

Why this should worry ordinary device owners

If your device is quietly acting as an exit node, the consequences land on you:

  • Your home IP becomes an attacker's cover. Criminals can route hacking attempts and other unauthorized activity through your address, meaning your legitimate traffic can get flagged as suspicious or outright blocked by your own service provider.
  • Your home network gets exposed. When unauthorized traffic passes through a compromised device, bad actors can potentially reach other private devices on the same network, turning one hijacked streaming box into a doorway to everything else in the house.

And the abuse is not theoretical. In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, a mix that included both cybercriminal and espionage groups. These actors used the network to hide their origin when breaking into victim environments and to run password-spray attacks, among other activity. Independent researchers at Synthient, Spur, and Nokia Deepfield have documented NetNut being used to infect devices with variants of the Mirai DDoS botnet.
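For defenders on the receiving end, here is an added example (not from Google's write-up or this article's source) of why a per-IP failure threshold misses a password spray spread across many residential exit nodes, next to an aggregate check that catches it. The event tuple layout, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import Counter, deque

# Constructed sample: (epoch_seconds, source_ip, username, success).
# 12 failures in under 6 minutes, each from a different documentation-range
# IP against a different account, mixed with ordinary user activity.
EVENTS = [(1000 + 30 * i, f"198.51.100.{10 + i}", f"user{i:02d}", False)
          for i in range(12)]
EVENTS += [
    (1005, "203.0.113.7", "alice", False),  # ordinary typo...
    (1020, "203.0.113.7", "alice", True),   # ...followed by a success
    (1200, "203.0.113.9", "bob", True),
]
EVENTS.sort()


def per_ip_alerts(events, max_failures=5):
    """Classic rule: alert on any single IP exceeding a failure count."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n > max_failures)


def spray_windows(events, window_s=600, min_users=10, max_fail_per_ip=2.0):
    """Flag sliding windows where many distinct accounts fail while each
    source IP contributes only a few attempts (distributed-spray shape)."""
    window, alerts = deque(), []
    for ts, ip, user, ok in events:
        if ok:
            continue
        window.append((ts, ip, user))
        # Drop failures older than the window; the newest entry always stays.
        while window[0][0] < ts - window_s:
            window.popleft()
        users = {u for _, _, u in window}
        ips = {i for _, i, _ in window}
        if len(users) >= min_users and len(window) / len(ips) <= max_fail_per_ip:
            alerts.append({"end": ts, "users": len(users), "ips": len(ips)})
    return alerts


if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(EVENTS))
    print("aggregate rule:", spray_windows(EVENTS))
```

The aggregate rule keys on account breadth rather than source reputation, so it still fires when every source address looks like an ordinary home connection.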

What Google actually did

Google's action against NetNut came down to three concrete moves:

  1. Cut off the command-and-control. Google disabled the accounts and services NetNut had been abusing for malware command-and-control (C2), a direct violation of Google's Terms of Service and Acceptable Use Policy.
  2. Shared the intelligence widely. GTIG passed technical details on NetNut's SDKs and backend C2 infrastructure to platform providers, law enforcement, and research firms, aiming for enforcement across the whole ecosystem rather than a single silo.
  3. Protected Android users automatically. Google Play Protect now warns users about, and disables, apps known to bundle NetNut SDKs, and will keep blocking future install attempts.

Google says these combined actions meaningfully degraded NetNut's network and business, shrinking its available device pool by millions.

The catch: this ecosystem is slippery

Here's the sober note in Google's own assessment. After the IPIDEA takedown, GTIG learned that individual networks can look surprisingly resilient. When operators see their own botnet degraded, they often just start buying capacity from competitors, effectively becoming resellers themselves. The whole industry is deeply interconnected, built on overlapping botnets that are constantly bought and sold.

That means a single point-in-time disruption, however large, isn't a permanent fix. Google frames lasting impact as requiring coordinated pressure on the infrastructure of several interconnected providers at once, and says it will keep watching how NetNut's peers adapt.

How to protect yourself

The practical guidance from Google's team is refreshingly clear:

  • Be deeply skeptical of apps that pay you for "unused bandwidth" or offer to let you "share your internet." These are a primary recruitment channel for malicious proxy networks and can open real security holes on your home network.
  • Stick to official app stores, and review the permissions requested by any third-party VPN or proxy app before installing it.
  • Keep built-in protections on. Make sure Google Play Protect is active on Android devices.
  • Buy connected hardware from reputable manufacturers. For streaming and set-top boxes, Google's Android TV site lists official partners, and you can check whether your Android device is Play Protect certified.

The bigger picture

The residential proxy industry is expanding fast, and Google is explicit that this takedown is not the finish line. Operators lean on shared, resold botnets, which makes the problem structural rather than tied to any single bad actor. Google is calling on mobile platforms, ISPs, and other tech companies to keep sharing intelligence and to take direct action against malicious C2 infrastructure.

For the rest of us, the takeaway is simpler and a little unsettling: the cheap smart TV or no-name streaming box in the corner isn't just a media player. In the wrong supply chain, it's an asset someone else is renting out, and worth a second look before it ends up quietly working for the other side.


Source: Google's Continued Disruption of Malicious Residential Proxy Networks, Google Threat Intelligence Group, July 2, 2026.
