The FBI just seized a 2-million-device botnet hiding in home smart TVs
NetNut, tracked as the Popa botnet, rented hijacked home internet to cybercriminals. The roughly 2 million compromised devices, mostly off brand Android TVs, are still in homes.
NetNut, tracked as the Popa botnet, rented hijacked home internet to cybercriminals. The roughly 2 million compromised devices, mostly off brand Android TVs, are still in homes.
When the FBI unplugged NetNut on July 2, it knocked a major residential-proxy service offline. The roughly 2 million hijacked home devices it ran on are still in place, mostly cheap Android TVs, and the market that supplied them has not changed.
On July 2, 2026, the FBI, alongside DOJ and IRS Criminal Investigation, carried out a court-authorized seizure of hundreds of domains tied to NetNut, a residential-proxy service that rented ordinary home internet connections to paying customers so that malicious traffic would look like normal household browsing. The action was coordinated with Google, Lumen Technologies, and the Shadowserver Foundation; NetNut's homepage now displays a seizure banner (Krebs on Security). Google Threat Intelligence Group (GTIG) sizes the network at roughly 2 million compromised devices, the bulk of them consumer smart-home hardware infected either through apps sideloaded from third-party stores or by software preloaded at the factory (Google Cloud).
NetNut, also tracked by researchers as the Popa botnet, was not a single app. It was a software development kit (SDK) bundled into popular sideloaded apps and embedded in some preloaded firmware, with each infected box acting as an exit node for paying customers. As part of the coordinated action, Google disabled the Google accounts and services the malware used for command-and-control, blocked installation attempts through Play Protect on certified Android devices, and warned that many other "residential proxy" brands in the broader market are, in Google's assessment, really whitelabeling NetNut capacity (Google Cloud).
Google's own write-up supplies the reason a single takedown rarely sticks. Threat actors routinely use multiple residential proxy services at the same time, and Google assesses that many "residential proxy" brands in the market are whitelabeling NetNut capacity rather than running their own networks. A seizure at one provider pushes criminal traffic to whichever competitor has room. The pattern already has a proof point. In January 2026, GTIG and partners disrupted IPIDEA, then the largest residential proxy network on its measure, and the displaced traffic largely migrated to NetNut and its peers (Google Cloud). Lasting impact, Google argues, requires coordinated action against several providers at once.
During a single week in June 2026, GTIG observed 316 distinct threat clusters routing traffic through suspected NetNut exit nodes, spanning financially motivated cybercrime groups and espionage operators. The clusters used the exits for credential attacks, including password-spraying, where attackers try the same guessed password across many accounts at once; for account creation at scale; for web scraping; for ad fraud; and for masking the infrastructure behind larger intrusions (Google Cloud). The 316-cluster count is a one-week observation, not a network census; Google's confidence is high where it observed traffic directly and lower where it inferred use through resellers.
The blast radius for the device owners is larger than a few extra ad impressions. Residential exit nodes route paying customers' traffic through the device's home network, putting any other device on the same Wi-Fi one pivot away from whoever rented that connection. Independent researchers at Synthient, Spur, and Nokia Deepfield have documented NetNut and Popa variants tied to or overlapping with Mirai-class DDoS botnets, including a strain called Kimwolf (Krebs on Security). For a consumer who never asked for any of this, the practical signal sits at the network layer: unusual outbound traffic from a streaming box, a router that runs hot while idle, or a TV that phones home to unfamiliar destinations.
NetNut's parent company is Alarum Technologies Ltd., a small Israeli firm traded on NASDAQ under the ticker ALAR. Alarum has confirmed it was aware of the seizure and said it is cooperating; legal counsel Omer Weiss issued a written statement (Krebs on Security). As of the seizure date, no U.S. charges against the parent have been filed. The cleanest window into any operational or financial hit will be Alarum's next SEC disclosure.
The July 2 seizure knocks one node out of a market that absorbed the previous one. The fix its backers describe, a coordinated takedown of several residential proxy providers in the same enforcement window, has not landed yet.