Infected smart TVs and Android streaming boxes were being exploited by cybercriminal clusters to launch attacks and conceal server locations
The “NetNut” residential proxy network, a system that investigators say relied on hijacked consumer devices to hide cybercriminal activity, has finally been disrupted.
Working with the FBI, a team from Google Threat Intelligence Group had launched an operation to take down the network that had reduced the pool of usable smart devices, according to a Reuters report on 2 July 2026.
NetNut, also known as Popa, is described as a residential proxy service built on compromised home devices, including smart TVs and Android streaming boxes. Researchers said the network likely reached at least 2m infected devices worldwide, making it one of the larger proxy operations under active use by criminals and other threat actors. In a single week in June 2026, Google had seen 316 distinct threat clusters, including cybercriminal and espionage groups, using suspected NetNut exit nodes to conceal their locations while targeting victims with activity such as password-spraying attacks.
During the takedown operation, the firm disabled accounts and services tied to NetNut’s malware command-and-control activity, and shared technical details about the network’s software development kits and backend infrastructure with law enforcement and platform operators, among other routine diligence processes.
This action followed the firm’s earlier disruption of the IPIDEA residential proxy in January. According to its threat researchers, the residential proxy market is tightly interconnected, with operators buying capacity from one another when botnets are degraded. That means pressure on one network can ripple outward as criminals shift to other providers, which is why Google said it plans to keep targeting related infrastructure. Also, some home devices end up in proxy networks because malware is installed before purchase, while others are added when users install apps that quietly contain proxy code.
The firm has urged consumers to be cautious of apps that promise payment for “unused bandwidth” or “sharing your internet”, since those offers can be a sign that the software is turning a device into part of a proxy scheme.
