The smart TV or streaming box in your living room — the one you bought to stream movies — may have spent the last year quietly renting out your internet connection to password-spraying crews, scraping operations, and espionage groups. Nobody asked you in any meaningful way. It happened through software bundled into an app or device you treated as entertainment hardware.
On July 2, 2026, the FBI seized hundreds of domains tied to NetNut, a residential proxy service run by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). Google and multiple security firms say NetNut was linked to Popa, a botnet of at least two million consumer devices enrolled with little or no meaningful consent. Alarum has disputed that characterization. This is the story of how the ecosystem worked, why it is part of a much bigger pattern, and what defenders and home users can actually do about it.
TL;DR
- The FBI seized domains behind NetNut, with the seizure notice crediting IRS-CI, Google, Lumen, Shadowserver, and other partners for help dismantling infrastructure tied to Popa.
- Nearly half of LG webOS apps and over a quarter of Samsung Tizen apps analyzed by researchers contained proxy SDKs that turn viewers’ devices into traffic relays without meaningful consent.
- In one week in June 2026, Google observed 316 distinct threat clusters — criminal and espionage groups alike — using NetNut exit nodes to hide their real location.
- This follows major disruption work against IPIDEA and BadBox 2.0, showing that residential-proxy botnets behave like a connected market rather than isolated malware families.
- Defenders should treat “free” streaming and TV apps as an unmonitored network segment, not a trusted device.
Why this matters to you
If you’re a defender, NetNut and Popa explain why attacker IP addresses in your logs can resolve to random residential ISPs instead of known-bad hosting providers — because the traffic may really be coming from someone’s house. If you’re a home user, it means an app or streaming box you trusted may have turned your network into part of someone else’s infrastructure, with your other local devices exposed as collateral risk.
Table of contents
- What is NetNut, and what did the FBI actually seize?
- Meet Popa: the botnet underneath the proxy service
- How a smart TV becomes a proxy node
- Who was using it, and for what
- Not an isolated incident: IPIDEA, BadBox, and Kimwolf
- What you can do today
What is NetNut, and what did the FBI actually seize?
A residential proxy network routes internet traffic through real home internet connections instead of a data center. That makes the traffic look like it’s coming from an ordinary residential IP address — router, ISP, geography, and all — instead of an obviously suspicious server range. Marketing companies use these services legitimately to check localized ads or prices. Attackers use them to disappear into the noise.
NetNut sold exactly this kind of access, and it was not a fringe operation. According to Google’s threat intelligence team, NetNut was one of the largest and most popular residential proxy networks. Synthient’s Benjamin Brundage told KrebsOnSecurity it was on par with IPIDEA in daily traffic, quality, size, and price per gigabyte. Google also said NetNut was widely resold and white-labeled, meaning other proxy brands may have been reselling the same underlying network under different names.
On July 2, 2026, the FBI seized hundreds of domains tied to NetNut. Visitors to the main domain were greeted with an official FBI seizure banner instead of the service’s dashboard, and the banner credited the IRS Criminal Investigation division, Google, Lumen, Shadowserver, and other partners. Alarum Technologies’ legal counsel confirmed the company was aware of the seizure and said it would “fully cooperate with law enforcement.”
Meet Popa: the botnet underneath the proxy service
Here’s the part that should concern anyone with a smart TV or Android-based streaming box: Google and security researchers say NetNut’s proxy capacity was tied to Popa, a botnet of at least two million real consumer devices enrolled with little or no meaningful user consent.
Researchers first connected Popa to NetNut in June 2026. Security firm Qurium found the link while investigating unrelated denial-of-service attacks and traced control infrastructure back to pirated streaming apps. Synthient, Lumen’s Black Lotus Labs, Nokia Deepfield, Spur, and Include Security published overlapping findings. Synthient summarized its assessment bluntly: Popa was “actively continuing to operate as part of NetNut’s proxy service.” Alarum rejected that framing, saying the SDKs at issue were designed for bandwidth sharing and did not turn devices into malware-controlled systems.
The mechanism is simple and cynical. An app — often a free streaming, game, screensaver, or “TV tuning” app — bundles a proxy SDK (software development kit, a bundle of pre-built code developers drop into their own app instead of writing it themselves). The SDK may ask for permission once, but researchers found many implementations where consent was absent, vague, or easy to miss. From then on, the TV or streaming box can become an exit node: a device where outside network traffic enters and leaves under your home IP address, whether or not the app is visibly open.
How a smart TV becomes a proxy node
Researchers at Spur Intelligence analyzed 6,038 apps across LG’s webOS and Samsung’s Tizen smart TV platforms. Out of that total, 2,058 apps — roughly a third — contained a proxy SDK. Broken down by platform, the numbers are striking:
| Platform | Share of apps with a proxy SDK |
|---|---|
| LG webOS | 42.5% |
| Samsung Tizen | 26.9% |
The most common SDKs identified were Bright Data (found in 367 apps), Massive, and Honeygain/Oxylabs — all commercial “get paid for your unused bandwidth” proxy providers that TV app developers can integrate with a few lines of code. Analysts confirmed the SDKs by finding their fingerprints directly in app code, such as Bright Data’s brd_api.js and brd_sdk services and Massive’s .massivesdk components.
Once active, the SDK forwards third-party network requests through the television’s internet connection so they appear to originate from your home. The user consents once, if at all, and the proxy keeps running even after the app is closed. Not every provider exposes the same local-network risk: Bright Data’s sample included private-IP-range filtering, while the Massive and Honeygain/Oxylabs samples researchers examined lacked a comparable private-range blocklist. Without that kind of control, a compromised TV can become a foothold for anything else listening on the local network — router admin panels, NAS boxes, printers, IP cameras, and developer machines. We covered exactly this class of blind spot in The EDR Dead Zone: How Attackers Pivot Through Cameras and NAS Devices: your EDR watches laptops and servers, not the smart TV sitting three feet from your router.
Platform policy is where the story splits. Amazon explicitly bans proxy-facilitating apps under its Device and System Abuse Policy, and Roku pulled the Bright SDK and similar services once researchers flagged them. LG and Samsung have published no equivalent policy — leaving the exact software category their competitors prohibit free to operate on their platforms.
Who was using it, and for what
This wasn’t a handful of opportunistic scammers. Google’s Threat Intelligence Group (GTIG) observed 316 distinct threat clusters — a mix of cybercriminal and espionage groups — using suspected NetNut exit nodes in a single week in June 2026. That maps directly to MITRE ATT&CK’s External Proxy (T1090.002) technique: using a proxy you don’t own as an intermediary to your command-and-control infrastructure, so defenders see a residential IP instead of your real one.
GTIG documented three concrete abuse patterns:
- Masking C2 traffic and origin IPs when reaching victim environments or an attacker’s own infrastructure
- Password spraying — Brute Force: Password Spraying (T1110.003), trying a small set of common passwords across many accounts, which blends in far better when each login attempt appears to come from a different residential IP instead of one flagged data-center range
- Malware C2 riding on abused Google accounts, which Google says it has since disabled along with associated infrastructure, in addition to sharing SDK and backend C2 intelligence with platform providers, law enforcement, and research firms
Google Play Protect — Android’s built-in malware scanner — has also been updated to flag and disable apps carrying known NetNut SDKs automatically.
Not an isolated incident: IPIDEA, BadBox, and Kimwolf
NetNut is not the first residential proxy network built this way, and it likely won’t be the last. Building a botnet this way is itself a recognized MITRE ATT&CK pattern — Compromise Infrastructure: Botnet (T1584.005), compromising large numbers of third-party systems to assemble infrastructure that supports later operations.
| Botnet / Network | Scale | Status | Connection to NetNut |
|---|---|---|---|
| IPIDEA | Millions of devices before disruption | Disrupted by Google, Jan 2026 | Major competitor; NetNut gained popularity after IPIDEA’s takedown |
| BadBox 2.0 | Large IoT botnet | Disrupted in 2025 by Google, HUMAN Security, Trend Micro, and partners | Overlapping infrastructure and tactics |
| Kimwolf | 2M+ devices reported in 2026 | Reported active in 2026 | Tunneled through IPIDEA’s proxy connections into victims’ home networks |
We wrote about Kimwolf in detail in Kimwolf Botnet: 2 Million Hijacked Devices Reshaping Threat Landscape — it is the same underlying playbook: hijack or co-opt consumer IoT devices at scale, sell access to the aggregate network, and let customers decide what to do with two million exit points. Law enforcement action against one node in this ecosystem, as with the Netherlands’ seizure of servers tied to bulletproof hosting provider Stark Industries (see Netherlands Seized 800 Servers), tends to shrink the market rather than end it. Google warned that when a proxy operator gets disrupted, remaining operators “begin buying capacity from their competitors, effectively becoming a reseller.” GTIG also stated it has high confidence that many popular residential proxy brands are white-labeling the NetNut botnet, meaning this seizure’s real blast radius likely extends to services that never carried the NetNut name at all.
What you can do today
If you’re a home user:
- Check what apps are installed on your smart TV, especially free or unofficial streaming and “TV tuner” apps, and remove ones you don’t actively use
- Prefer reputable, certified devices and official app stores over sideloaded APKs or no-name streaming boxes; Amazon and Roku have drawn clearer lines against proxy SDKs than LG and Samsung
- Be suspicious of any app offering payment or perks for “unused bandwidth” or “background data sharing” — that’s the business model, not a bonus feature
- If your TV supports it, review and revoke broad network or “always-on” permissions granted during setup
If you’re defending a network:
- Don’t treat “the login came from a residential IP in the right country” as a clean signal by itself — check for the specific behavioral patterns of password spraying (many accounts, few passwords each, low per-account attempt rate) alongside geolocation
- Correlate authentication anomalies against known residential-proxy ASN and exit-node intelligence feeds, not just data-center IP blocklists — NetNut, IPIDEA, and their whitelabel resellers will not appear on the latter
- If you operate IoT devices — including break-room smart TVs and digital signage — on a corporate network, put them on an isolated VLAN with no route to management interfaces, NAS, or printers, for the same reason we recommend it for cameras in The EDR Dead Zone
- Expect this ecosystem to consolidate, not disappear: budget threat intel time for tracking which brands absorb NetNut’s former customer base, the same way NetNut absorbed IPIDEA’s
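The first two defender points above, as an added example that is not from the original post or any of the cited vendors: a detector that buckets failed logins by time window rather than by source IP, so a spray arriving through rotating residential exits still surfaces as many accounts each failing once or twice, with residential-feed hits attached as context. The log format, the IP addresses, and the RESIDENTIAL_EXIT_FEED ranges are all constructed placeholders, not real indicators or a real intelligence feed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for a residential-proxy exit-node feed (placeholder ranges, not real).
RESIDENTIAL_EXIT_FEED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed auth log, format: "<iso timestamp> <account> <source ip> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2026-06-15T09:02:10 alice 203.0.113.14 FAILURE
2026-06-15T09:06:41 bob 198.51.100.77 FAILURE
2026-06-15T09:11:05 carol 203.0.113.201 FAILURE
2026-06-15T09:15:33 dave 192.0.2.10 FAILURE
2026-06-15T09:21:58 erin 198.51.100.9 FAILURE
2026-06-15T09:27:19 frank 192.0.2.11 FAILURE
2026-06-15T10:40:02 grace 192.0.2.50 FAILURE
2026-06-15T10:41:11 grace 192.0.2.50 FAILURE
2026-06-15T10:42:30 grace 192.0.2.50 SUCCESS
""".splitlines()

def in_residential_feed(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RESIDENTIAL_EXIT_FEED)

def detect_spray(lines, window_min=30, min_accounts=5, max_per_account=2):
    """Bucket failures by time window, not by source IP: rotating residential exits
    defeat per-IP thresholds, but a spray still shows as many accounts failing once or twice."""
    buckets = defaultdict(list)
    for line in lines:
        ts, user, ip, result = line.split()
        if result != "FAILURE":
            continue
        t = datetime.fromisoformat(ts)
        key = t.replace(minute=t.minute - t.minute % window_min, second=0, microsecond=0)
        buckets[key].append((user, ip))
    alerts = []
    for key, fails in sorted(buckets.items()):
        per_account = Counter(user for user, _ in fails)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            ips = {ip for _, ip in fails}
            alerts.append({
                "window_start": key.isoformat(),
                "accounts": len(per_account),
                "failures": len(fails),
                "distinct_ips": len(ips),
                # Feed hits are context for the analyst, not the trigger condition.
                "ips_in_residential_feed": sum(in_residential_feed(ip) for ip in ips),
            })
    return alerts
```

Running `detect_spray(SAMPLE_LOG)` yields one alert for the 09:00 window (six accounts, six failures, six distinct IPs, four in the constructed feed) and nothing for grace’s repeated failures at 10:40, which a per-IP threshold would have flagged while missing the spray entirely.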
Related Posts
- Kimwolf Botnet: 2 Million Hijacked Devices Reshaping Threat Landscape — the sibling botnet that tunneled through IPIDEA’s proxy network into victims’ home networks, using the same hijacked-IoT playbook.
- The EDR Dead Zone: How Attackers Pivot Through Cameras and NAS Devices — why the local-network risk from a compromised smart TV extends far beyond the TV itself.
- Netherlands Seized 800 Servers: Bulletproof Hosting Is Now a Sanctions Problem — another 2026 infrastructure takedown that shows attacker infrastructure behaves like a resilient business ecosystem, not a single target.
Sources
- FBI Seizes NetNut Proxy Platform, Popa Botnet — Krebs on Security
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm — Krebs on Security
- Google’s Continued Disruption of Malicious Residential Proxy Networks — Google Cloud Blog
- Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices — The Hacker News
- Residential proxy SDKs are hiding in LG and Samsung smart TV apps — Help Net Security
- MITRE ATT&CK: External Proxy (T1090.002)
- MITRE ATT&CK: Compromise Infrastructure: Botnet (T1584.005)
- MITRE ATT&CK: Brute Force: Password Spraying (T1110.003)