FBI and Google Shut Down NetNut: 2 Million Smart TVs Were Spy Tools
Quick summary
FBI and Google seized NetNut domains July 2, cutting off a 2M-device botnet that rented infected smart TVs to cyberspies and ransomware operators.
Your smart TV may have been routing espionage traffic through your home network for years. On July 2, 2026, the FBI seized domains belonging to NetNut, a residential proxy service owned by the Israel-based, NASDAQ-listed Alarum Technologies (NASDAQ: ALAR), and Google dismantled the underlying botnet infrastructure powering it. The Popa botnet that fed NetNut had quietly hijacked at least 2 million Android devices worldwide, mostly budget smart TVs and streaming boxes.
In a single week during June 2026, Google Threat Intelligence Group counted 316 distinct threat clusters using suspected NetNut exit nodes. Nation-state espionage groups, ransomware operators, and credential-stuffing gangs all paid to route their traffic through your living room.
What Is NetNut and How Did the Proxy Business Work?
NetNut is a residential proxy service that sold access to IP addresses of real home devices to businesses and threat actors. Legitimate use cases exist: market research, ad verification, scraping around geo-blocks. The problem is that NetNut did not disclose to the device owners that their internet connections were being sold. The devices were compromised, not opted in.
Alarum Technologies, the Israeli company that owns NetNut, is publicly traded on NASDAQ under the ticker ALAR. The company describes NetNut as a "premium residential proxy network." The FBI describes it differently: a botnet-powered proxy infrastructure used by cybercriminals and foreign intelligence services to hide their location.
Omer Weiss, Alarum's corporate legal counsel, confirmed the company learned of the FBI domain seizure on July 2, 2026 and stated it would fully cooperate with law enforcement.
How Devices Got Infected: Badbox 2.0 and Trojanized SDKs
Two infection pathways fed the Popa botnet that powered NetNut.
The first was hardware-level. Budget Android TV boxes and streaming sticks from manufacturers in China shipped from the factory with proxy code already installed in firmware. These devices, sold through online marketplaces at prices well below market rate, activated the proxy agent on first boot. Badbox 2.0, the name under which researchers track this supply chain compromise, is estimated to have pre-infected hundreds of thousands of devices that were sold as legitimate consumer products.
The second pathway was apps. Developers building for Samsung Tizen and LG webOS platforms had been unknowingly packaging third-party SDKs that included a hidden proxy component. Google's analysis found that over 20% of Samsung Tizen apps and 42% of LG webOS apps it examined contained a residential proxy SDK. Developers who included legitimate-looking analytics or monetization SDKs in their apps had no visibility into what the SDK was doing at the network layer.
Once installed, the proxy agent ran silently in the background. Device owners saw no notification. The infected device performed its normal function (streaming video, running apps) while simultaneously acting as an exit node for third-party internet traffic.
The Scale: 316 Threat Clusters in One Week
Google Threat Intelligence Group tracked NetNut activity over June 2026 before the takedown. In a single seven-day window, they observed 316 distinct clusters of threat actors using NetNut exit nodes, a number that represents the breadth of abuse rather than the volume.
The clusters included financially motivated criminal groups running password-guessing attacks against corporate login portals, espionage actors from multiple countries using residential IPs to disguise state-sponsored reconnaissance, and malware operators using infected home devices as command-and-control relay points. Residential IPs bypass many enterprise defenses that block data center IP ranges. A login attempt from a residential IP address in the same city as the target looks like a legitimate remote employee, not an attack.
Lumen Technologies, which operates a significant portion of US internet backbone infrastructure, and The Shadowserver Foundation, a non-profit that tracks botnet infrastructure, joined Google and the FBI in the coordinated takedown.
Who Was Responsible: Alarum Technologies and the Proxy Industry
NetNut operated in a grey zone that proxy providers have exploited for years. Selling access to residential IPs is legal in most jurisdictions. The question is how those IPs are obtained.
Alarum Technologies, incorporated in Israel and publicly traded in the United States, generated revenue by reselling access to 2 million devices whose owners did not know they were part of the network. The company marketed NetNut to enterprise clients as a tool for legitimate business use while the same infrastructure was being actively used by criminal and espionage groups.
The FBI seizure of NetNut domains on July 2 is a direct escalation against proxy providers who obtain their IP pools through malware rather than opt-in consent. The DOJ has not announced charges against Alarum executives as of this writing, but the seizure establishes a clear enforcement posture.
What the Takedown Actually Disrupted
Seizing NetNut domains does not remove the Popa malware from infected devices. The 2 million smart TVs and streaming boxes that were part of the botnet still have the proxy agent installed. Without the NetNut command infrastructure to route traffic through them, the agents are currently dormant. But the devices remain compromised and could be re-enrolled by whoever stands up new command infrastructure.
Google's takedown of the proxy routing infrastructure cut off the revenue stream. Alarum Technologies' stock dropped on the news of the FBI seizure. But the technical cleanup, removing the malware from 2 million devices distributed across home networks in dozens of countries, is not something a domain seizure accomplishes.
The Shadowserver Foundation has been notifying internet service providers about infected devices on their networks, which is the standard notification path for botnet cleanup. ISPs can then push notifications to affected customers, but remediation ultimately depends on users actively resetting or replacing compromised hardware.
What Developers Should Do Now
If you have published apps to Samsung Tizen or LG webOS, audit every third-party SDK in your dependency chain. Google has not publicly attributed the 20% Tizen and 42% webOS figures from its analysis to specific SDK vendors, but the scale suggests that commonly used SDKs in those ecosystems were the vectors.
Run a network traffic audit on any SDK that has background permissions. An analytics SDK that makes outbound connections on ports unrelated to analytics is a red flag. Check for SDK versions that were updated silently without corresponding documentation.
If your services accept traffic from residential IP ranges and do not currently apply behavioral analysis, the NetNut takedown is a reminder that residential IP reputation is meaningless as a trust signal. 316 threat clusters used NetNut in one week. Your login pages and APIs were their targets.
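One shape such behavioral analysis can take, as an added example that is not from the article, Google or Alarum: a sliding-window check over constructed login-log lines that flags a source IP trying many distinct accounts with mostly failures, without consulting IP reputation at all. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, user, outcome.
# 203.0.113.45 stands in for a proxy exit node; 198.51.100.7 is one user who mistyped twice.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z 203.0.113.45 alice FAIL
2026-06-10T09:00:04Z 203.0.113.45 bob FAIL
2026-06-10T09:00:07Z 203.0.113.45 carol FAIL
2026-06-10T09:00:09Z 203.0.113.45 dave FAIL
2026-06-10T09:00:12Z 203.0.113.45 erin FAIL
2026-06-10T09:00:15Z 203.0.113.45 frank OK
2026-06-10T09:00:02Z 198.51.100.7 grace FAIL
2026-06-10T09:00:20Z 198.51.100.7 grace FAIL
2026-06-10T09:00:41Z 198.51.100.7 grace OK
"""

def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag any source IP that, inside one sliding window, tries at least
    min_users distinct accounts with a failure ratio >= min_fail_ratio.
    Source IP reputation (residential vs data center) is deliberately ignored."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than window
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win), "failures": fails}
                break  # one hit per IP is enough for an alert
    return flagged
```

The successful login for `frank` right after the flagged run is the event a responder cares about: the alert should trigger a credential reset for that account, not just a block on the IP.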
For organizations that used residential proxy services for legitimate testing or research, verify that your provider obtains IPs through informed opt-in consent and can document the consent mechanism. Services that cannot explain their IP sourcing should be treated as potentially tainted.
Key Takeaways
- 2 million devices compromised in the Popa botnet powering NetNut, mostly Android smart TVs and streaming boxes
- 316 distinct threat clusters used NetNut exit nodes in a single week in June 2026
- 20% of Samsung Tizen apps and 42% of LG webOS apps examined by Google contained a residential proxy SDK
- FBI seized NetNut domains on July 2, 2026; Alarum Technologies (NASDAQ: ALAR) owns NetNut and pledged cooperation
- Badbox 2.0 pre-installed the proxy agent in firmware on budget Android TV hardware at the factory level
- For developers: audit every third-party SDK in Samsung Tizen and LG webOS apps for hidden network activity; residential IP reputation is not a valid trust signal for access control
- What to watch: DOJ charging decisions against Alarum Technologies executives and whether ISPs successfully push remediation to the 2 million affected devices
Frequently Asked Questions
What is the NetNut botnet and what happened to it in July 2026?
NetNut is a residential proxy service owned by Israeli company Alarum Technologies (NASDAQ: ALAR) that obtained its IP pool from a botnet of 2 million compromised Android smart TVs and streaming boxes, tracked by researchers as Popa. On July 2, 2026, the FBI seized NetNut domains and Google dismantled the supporting infrastructure in a coordinated operation also involving Lumen Technologies and The Shadowserver Foundation. The action cut off active routing through the botnet but did not remove the malware from infected devices.
How did the Popa botnet infect 2 million smart TVs?
Two methods were used. First, budget Android TV boxes and streaming sticks manufactured in China shipped from the factory with the proxy agent pre-installed in firmware, a campaign tracked as Badbox 2.0. Second, developers building apps for Samsung Tizen and LG webOS unknowingly packaged third-party SDKs that contained a hidden proxy component. Google's analysis found over 20% of Tizen apps and 42% of LG webOS apps examined contained such an SDK.
Were Samsung and LG smart TV users affected by the NetNut botnet?
Yes. Google Threat Intelligence Group found that more than 20% of Samsung Tizen apps and 42% of LG webOS apps it examined contained a residential proxy SDK that enrolled devices into the Popa botnet. Affected devices ran the proxy agent silently in the background without the owner's knowledge, routing third-party internet traffic through the home connection. Devices with these apps installed remain technically compromised even after the NetNut domain seizure.
Who used NetNut and for what types of attacks?
Google Threat Intelligence Group identified 316 distinct clusters of threat actors using NetNut exit nodes in a single week during June 2026. The users included financially motivated criminal groups running credential-stuffing and password-spray attacks against corporate login portals, nation-state espionage actors using residential IPs to disguise reconnaissance activity, and malware operators routing command-and-control traffic through home devices. Residential IPs bypass IP-reputation defenses that filter data center IP ranges.
What should developers do after the NetNut takedown?
Developers who have published apps to Samsung Tizen or LG webOS should audit all third-party SDKs for hidden network activity, particularly SDKs with background execution permissions that make outbound connections on unexpected ports. For organizations using residential proxy services, verify that your provider obtains IPs through explicit opt-in consent and can document the consent mechanism. Treat residential IP reputation as an unreliable trust signal for access control given the scale of botnet-sourced residential proxy abuse.