TL;DR: On July 2 and 3, 2026, Google, the FBI, Lumen, and Shadowserver announced a coordinated disruption of NetNut, a residential proxy network also tracked as Popa. Google Threat Intelligence Group (GTIG) estimates the botnet contained at least two million hijacked consumer devices, distributed across the world and weighted toward small TV-streaming boxes. In a single week in June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. Devices were enrolled either by being shipped with malware pre-installed or by users installing apps that hid proxy code in the background. Google disabled the Google accounts and services used for command and control, and Google Play Protect auto-warned users and disabled the offending apps. The proxy pool itself, the home networks it sat on, remains the surveillance story.
What Happened
On July 2, 2026, Google Threat Intelligence Group published a write-up of a "coordinated action" against NetNut that, in Google's words, "caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions" [1]. KrebsOnSecurity, writing on July 3, described the same operation as a takedown of NetNut carried out with the FBI, Lumen, and Shadowserver, in which the netnut.com domain was replaced with a "this website has been seized" splash page while netnut.io remained online [2].
GTIG put the network's size at "at least 2 million devices, distributed across the world" [1]. The botnet had two names: NetNut was the public marketing brand; Popa was the internal label KrebsOnSecurity tied it to in earlier reporting [1][2].
How Two Million TVs Became Exit Nodes
Google's post is unusually blunt about how consumer devices got pulled into the network. "Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code," GTIG wrote [1]. NetNut did not infect devices itself. It distributed software development kits (SDKs) that resold bandwidth, paid a small fee in exchange for running the code, and then routed the resulting traffic through the home internet connection as an "exit node" [1][2].
Most of the devices were small TV-streaming hardware. KrebsOnSecurity reported the botnet was "comprising mainly small TV-streaming hardware" [2]. GTIG said it identified NetNut botnet plugin components "for large-scale botnets such as Badbox 2.0," and pointed to public research by Synthient, Spur, and Nokia Deepfield documenting signs of NetNut being used to infect devices with variants of the Mirai DDoS malware [1]. The same small TV-streaming hardware that earlier reporting tied to Badbox 2.0 is, on Google's read, also the hardware NetNut sold into.
What the Traffic Was Used For
The point of a residential proxy is to make malicious traffic look like ordinary home browsing. ISP-owned residential IP addresses are exactly what defenders expect to see when a real subscriber opens a banking site, checks a work email, or logs into a SaaS dashboard. Selling that look to the wrong buyer is the business model.
GTIG's read of the customer base: in a single week in June 2026, it observed 316 distinct threat clusters using suspected NetNut exit nodes, "including cybercriminal and espionage groups" [1]. The use cases GTIG named specifically were masking the attacker's origin IP when "accessing victim environments, accessing their own infrastructure, and conducting password spray attacks" [1]. KrebsOnSecurity listed the same pitch deck: standalone proxy networks, mobile proxies, datacenter proxies, scrapers and datasets, and a reseller program that Google suspects is doing real upstream damage [1][2].
Google put a fine point on the reseller angle. "Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet," the post stated [1]. A takedown of NetNut does not necessarily reach the brands reselling its capacity under different names.
The Surveillance Story Is the Home Network
The privacy cost was not the criminal traffic alone. It was the rest of the home.
When a consumer device becomes an exit node, "unauthorized network traffic passes through it," Google wrote. "This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats" [1]. A $30 streaming box enrolled in NetNut was, by Google's description, a routing intermediary that let external attackers reach the laptops, phones, NAS drives, baby monitors, and work-issued devices sitting on the same LAN. The residential IP the proxy was selling was not just a mask. It was a doorway.
That is the surveillance frame. Two million households were turned into unwitting relay points in a paid infrastructure for password spraying, espionage staging, and account takeover. The user never consented to the relay role. The "monetize your spare bandwidth" pitch is the same shape as the data-broker promise that the user owns and controls what is collected. In practice, the traffic flowing through the home is what a paying attacker wants it to be.
What Was Actually Disrupted
Google's action was bounded. The company disabled Google accounts and associated Google services that NetNut was using for malware command and control, citing violation of Google's Terms of Service and Acceptable Use Policy [1]. Google Play Protect was updated to automatically warn affected users and disable apps known to incorporate NetNut SDKs, and to keep warning on future install attempts [1]. Google also shared technical intelligence on NetNut SDKs and backend infrastructure with "platform providers, law enforcement, and research firms" [1]. The FBI's role, Lumen's role, and Shadowserver's role were not detailed in Google's write-up [1]. The netnut.com seizure splash page is the public end of that work [2].
Google also flagged what the disruption does not do. "When faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller," the post noted [1]. The post called out the January 2026 takedown of IPIDEA, a different residential proxy network, as proof: "observations after the disruption of IPIDEA proved that individual networks can appear resilient" [1].
Why It Matters
The technical story is a botnet takedown. The privacy story is the residential proxy business model. NetNut is the clearest example yet of a paid intermediary layer that monetizes hijacked consumer devices into a service that password-spray crews and espionage groups buy by the gigabyte. The same thing, on a smaller scale, is happening in the TV boxes and white-label streaming sticks on store shelves right now. The Google and FBI action cut one operator. It did not change the model.
Two practical implications for readers: an off-brand TV streaming box bought through a marketplace or bargain site is now a documented category of risk, not a hypothetical one. And the apps that pay users for unused bandwidth or for sharing their home internet connection sit on the same supply chain Google just tied to a botnet that sold home-network traffic to password-spray crews.
What to Watch
Whether the resellers respawn. Google says whitelabel resellers powered by NetNut are likely. If those brands keep operating after this disruption, the same traffic will keep flowing under a new label.
Indictment or DOJ press release. Neither Google's write-up nor the KrebsOnSecurity summary referenced a public indictment, criminal complaint, or Department of Justice press release. The FBI is named as a partner; the charges, if any, are not yet public.
Smart-TV supply-chain follow-through. GTIG tied NetNut to Badbox 2.0 plugin components and to Mirai-variant infections documented by Synthient, Spur, and Nokia Deepfield. The pre-installed-malware path is the one that gets decided at the factory, not at the app store.