In a joint law enforcement and industry effort of remarkable scale, the Federal Bureau of Investigation, in collaboration with Google and a coalition of leading technology companies, has executed a decisive operation that severely disrupted NetNut, a publicly accessible residential network proxy service. This organization had been covertly supporting a global botnet composed of roughly two million Android TVs and other smart home devices. These hijacked devices were silently co-opted to conduct illicit activities such as large-scale password spraying, credential stuffing, and other forms of targeted cyberattacks designed to exploit vulnerabilities in online systems. By taking down NetNut’s infrastructure, the FBI and its partners delivered a major setback to the sprawling underground economy that thrives on digital anonymity and compromised consumer hardware.

Residential proxy botnets such as NetNut’s serve a particularly insidious function within the cybercriminal ecosystem. They are engineered to disguise malicious traffic, making it appear indistinguishable from legitimate user activity traversing everyday home networks. In effect, a cybercriminal can exploit household devices—smart TVs, security cameras, and other connected products—turning them into unwilling partners in unlawful schemes while their owners remain unaware. Many of these infected devices were either shipped from factories with preinstalled malicious firmware or were later compromised by remote intrusion. This preloaded malware allowed criminal actors to bypass conventional cybersecurity defenses, rendering traditional antivirus software or home router protections insufficient to detect the full scope of the breach.

According to a formal statement provided by the FBI to CNET, the agency, on July 2, executed a court-authorized seizure of multiple domain names as part of an expansive and coordinated enforcement initiative undertaken with the Department of Justice and the IRS Criminal Investigation Division. The operation targeted critical components of the network infrastructure linked to the NetNut residential proxy platform, including assets operated by its administrators and affiliated users. To accomplish this, the FBI worked in close synchrony with Google, Lumen Technologies, and the Shadowserver Foundation, harnessing the combined expertise of private-sector cybersecurity researchers and public-sector investigators. Security professionals commonly referred to NetNut’s underlying botnet infrastructure as the “Popa” botnet.

Following the takedown, Google published an official blog post acknowledging that the joint actions had significantly weakened NetNut’s business operations. The measures had reportedly degraded its proxy network capacity by millions of devices—a massive reduction in the scale of its illicitly managed network. Visitors to NetNut’s former website now encounter a standard FBI seizure banner, marking the conclusion of the company’s online presence and the freezing of its once-active services.

Nonetheless, Google cautioned that this enforcement milestone represents only the opening phase of a longer strategic campaign. Proxy service providers often operate in clusters, reselling access to overlapping pools of compromised devices. Consequently, disabling a single network merely drives cybercriminals to rent or purchase nodes from competing networks. To establish a lasting deterrent, Google emphasized the necessity of simultaneously dismantling the infrastructure of multiple interconnected proxy operators—essentially severing the web of supply sustaining these underground operations.

The origins of the network’s compromised devices can be traced to discoveries made earlier in 2024 by researchers from XLab. These cybersecurity specialists unearthed what they named the Vo1d botnet: an immense collection of hacked Android TV devices, many of which were inexpensive, off-brand models. A year prior, a widely circulated fake AI-generated video featuring public figures like Donald Trump and Elon Musk allegedly broadcast across certain television networks had drawn attention—an incident now thought to have been powered by nodes within the Vo1d botnet.

During the same investigation, XLab analysts discovered Popa, a legitimate software component designed to enable voluntary participation in residential proxy networks. Normally, this plug-in would allow a consenting user to share idle bandwidth through a managed proxy system for lawful purposes. However, the variant identified in the field had been stealthily installed on compromised Android TV devices without any form of consent or user awareness. The FBI defines a residential proxy node as an intermediate server that sits between a user and the destination website, masking the true origin of a connection and thereby allowing it to appear as if it emanates from an entirely different location.

In the United States, residential proxy networks themselves are lawful and frequently used by businesses for legitimate endeavors such as verifying advertisements, conducting penetration testing, bypassing geographic content restrictions, and gathering publicly available market intelligence. Their use becomes problematic only when proxy nodes—often everyday consumer IP addresses—are generated through deceit or unauthorized compromise. Since these networks use real household internet connections, external systems interpret such connections as being made by normal users, effectively concealing the criminal actor’s identity while exposing unsuspecting homeowners to considerable risk.

The compromised Android TV devices enrolled in the Vo1d botnet were repurposed into powerful digital tools for cybercriminals. Through NetNut’s infrastructure, attackers could perform a variety of harmful actions—ranging from credential theft and network probing to large-scale automated attacks—under the plausible disguise of ordinary web traffic from residential environments. The resulting effect was a cyber assailant whose activities seemed to originate from the home down the street or the apartment next door.

NetNut, the company at the center of the operation, was a prominent commercial proxy service provider owned by Alarum Technologies, a publicly traded firm based in Israel. It was considered one of the largest residential proxy network operators worldwide. On the surface, NetNut marketed itself as a reputable service, offering subscription-based access to internet proxy routing for enterprise customers through its own website. Yet, following a series of investigations by independent researchers, evidence emerged showing that traffic from the Popa botnet was directly linked to NetNut’s services. This revelation implied that NetNut, perhaps knowingly, was renting access to compromised devices both for legitimate and illegitimate uses—thus providing the crucial grounds for the FBI and partnering agencies to initiate a shutdown of its operations.

From a consumer perspective, the primary takeaway from this incident is the necessity of exercising caution and discernment when purchasing connected home technology. Google and various cybersecurity experts indicated that the majority of devices ensnared in the botnet were low-cost Android TV streamers sold on major online marketplaces such as Amazon, Temu, and AliExpress. Despite their affordability and functionality, many of these products run outdated versions of the Android operating system—lacking essential modern security measures—and therefore represent prime targets for exploitation.

Moreover, numerous cheaply produced streaming boxes are promoted on social media platforms, where influencers advertise them as subscription-free entertainment solutions. Investigations have shown that many of these units come precompromised before sale, already containing concealed botnet software that automatically connects to malicious command-and-control servers upon activation. To safeguard oneself from becoming an unwitting participant in the next global cyber campaign, users should prioritize devices built by established, trusted manufacturers such as Google, Samsung, Sony, or Nvidia. Choosing models that receive regular security patches and avoiding unsolicited “no-subscription” gadgets are among the most effective protective strategies.

The threat is not confined to Android TV systems alone. Smart home products—from connected thermostats and light fixtures to security cameras and digital assistants—are also routinely conscripted into similar botnets. Therefore, all the precautions applied to entertainment devices should extend equally to home automation technology. In addition, consumers and IT professionals alike should stay alert to emerging threats, such as “promptware,” a recent breed of malicious software that manipulates AI-driven interfaces to perform hacking operations on behalf of attackers.

Ultimately, this case reinforces an essential cybersecurity lesson: low-cost technology and seemingly convenient online deals often carry hidden dangers. Users are urged to adhere to solid security fundamentals—employing strong, unique passwords; exercising skepticism toward unsolicited communications; maintaining software updates; and remaining vigilant for phishing tactics. The combined efforts of the FBI, Google, and their partners may have dealt a substantial blow to one major operation, but enduring safety depends on individual awareness and continued digital hygiene.

Sourse: https://www.cnet.com/tech/services-and-software/google-fbi-target-netnut-botnet-smart-home-devices-mask-cybercrime-hackers/