FBI and Google Shut Down the Smart TV Botnet Renting Your Home IP to Criminals

FBI and Google dismantled NetNut’s Popa botnet after 316 criminal groups exploited 20-plus apps to hijack residential connections in a single week

Alex Barrientos Avatar
Alex Barrientos Avatar

By

Image: Netnut.io (Now displays a seizure notice)

Key Takeaways

Key Takeaways

  • FBI and Google dismantled NetNut, a botnet routing criminal traffic through millions of smart TVs.
  • Discover how 316 threat clusters exploited NetNut for credential stuffing, ad fraud, and data scraping.
  • Protect your home network by avoiding bandwidth-sharing apps and auditing proxy permissions immediately.

Millions of smart TVs and streaming boxes were quietly routing criminal internet traffic through residential living rooms worldwide — and their owners had no idea. The FBI and Google’s Threat Intelligence Group (GTIG) just dismantled the network responsible: a commercial residential proxy service called NetNut, tracked by security researchers as the Popa botnet. The takedown is significant. What’s more disturbing is how a Nasdaq-listed company allegedly built a cybercrime pipeline disguised as legitimate infrastructure, with bargain streaming boxes as the raw material.

How Home IP Addresses Became a Criminal’s Mask

Residential proxies turn ordinary home connections into cover for criminal activity — and NetNut scaled that concept to industrial proportions.

A residential proxy routes internet traffic through a home connection, making illicit activity look like it’s coming from someone streaming cooking shows on the couch. NetNut sold this access to businesses for ad verification and web scraping. The actual customer list told a different story. According to Google’s Threat Intelligence Group, 316 distinct threat clusters used the network in a single week in June 2026 — for password spraying, credential stuffing, ad fraud, and mass data scraping.

Here’s how the pipeline worked:

  • The Popa SDK was buried inside IPTV and streaming apps — including unofficial clients like SmartTube — without meaningful consent disclosures
  • Popa layered on top of an existing Android botnet called Vo1d; Vo1d managed compromised devices while Popa tunneled their traffic to NetNut’s proxy infrastructure
  • Security firms Synthient, Qurium, Nokia Deepfield, and Spur examined over 20 affected apps — none provided a clear consent prompt explaining that users’ home connections would be secretly tracking users‘ activity and rented out
  • Mirai-variant malware was also deployed on enrolled devices, the same malware class responsible for major DDoS attacks
  • Researchers traced NetNut to Alarum Technologies Ltd., a publicly traded Israeli company on Nasdaq, with documented ties between its executives and Popa’s developers — one of many tech scandals involving corporate exploitation of consumer hardware at scale

Alarum has described its platform as “consensual bandwidth sharing” and pledged full cooperation with law enforcement following the takedown, according to Expert Insights. Independent researchers at Synthient audited more than 20 apps enrolling user devices and found zero meaningful consent prompts — no clear disclosure that a user’s home connection would be rented to third parties. Qurium and Nokia Deepfield reached similar conclusions.

That gap between the press release and the audit findings is exactly what investigators targeted.

What Got Dismantled — and What to Do Right Now

The operation hit NetNut’s backbone hard, but protecting your home network still requires action on your end.

The FBI seized hundreds of domains; netnut.io now displays a seizure notice. Google disabled command-and-control accounts linked to NetNut’s infrastructure, shared indicators of compromise with platforms and law enforcement, and pushed Google Play Protect updates to automatically flag and disable affected apps on Android devices. Google assessed “with high confidence” that multiple white-label residential proxy brands ran on NetNut’s backend — meaning one coordinated takedown degraded several services simultaneously.

This action follows the January 2026 disruption of the IPIDEA proxy network, signaling that enforcement is now targeting proxy infrastructure itself, not just individual criminals buying access. Cybercriminals needed residential IPs because they look like real people to detection systems. Like a ride-share platform that quietly commandeered its drivers’ cars without telling them, NetNut needed consumer hardware to exist — and it took it without asking.

Three practical steps to take now:

  • Avoid any app offering payment for “unused bandwidth”
  • Stick to Play Protect-certified streaming hardware from reputable vendors
  • Audit VPN or proxy app permissions on every device connected to your home network

That smart TV was never just a screen.

Share this

At Gadget Review, our guides, reviews, and news are driven by thorough human expertise and use our Trust Rating system and the True Score. AI assists in refining our editorial process, ensuring that every article is engaging, clear and succinct. See how we write our content here →