FBI and Google Dismantle NetNut Botnet Hijacking 2 Million Devices
The coordinated action significantly weakened a major proxy network that let attackers hide malicious traffic behind ordinary home IP addresses, reducing the pool of hijacked devices available for cyber operations.
Reporting from 1 source: GIGAZINE.
The FBI and Google disrupted the NetNut residential proxy network, which incorporated over 2 million consumer devices including smart TVs and streaming boxes as exit nodes for cybercriminals and state-sponsored attackers. The takedown involved domain seizures, account disabling, and technical countermeasures with Lumen.
The botnet NetNut turned cheap Android smart TVs, streaming media boxes, and unofficial apps like SmartTube into relay nodes for cybercriminals. The incorporated devices served as exit nodes, making attacks appear to originate from ordinary households. Google Threat Intelligence reported that in a single week in June 2026, at least 316 threat clusters used NetNut for password spraying, credential stuffing, ad fraud, and data scraping.
The FBI seized domains tied to NetNut on July 2, 2026, and notified parent company Alarum Technologies. Google disabled accounts NetNut used for command and control, shared infrastructure details with law enforcement, and used Play Protect to warn users about apps containing the problematic SDK. The company said the joint action has significantly weakened NetNut's network, reducing the pool of available devices by millions. The takedown follows a similar disruption of the IPIDEA proxy network in January 2026.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.