Google is cracking down on an Israeli residential proxy provider for allegedly abusing connected TV devices to host internet traffic for hackers.
Google says it worked with the FBI and Lumen Technologies to disrupt a botnet, an army of infected computers, spanning Android-based TV boxes sold to consumers. It linked the botnet to the Israeli service NetNut, which sells residential proxies that allow customers to route their internet traffic to IP addresses based in different countries. This came after cybersecurity researchers found the botnet, dubbed “Popa,” has been abusing millions of consumer TV streaming devices to host a wide range of hacking activities, such as account hijacking
Google’s investigation confirmed that NetNut’s network appears to span “at least 2 million devices, distributed across the world.” In addition, the company found evidence that 316 distinct threat clusters used suspected NetNut proxy exit nodes, including cybercriminal and spying groups.
“These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” the company’s report warns. “Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to internet threats.”
In other cases, hijacked traffic was used for ad fraud, which generates cash by inflating web traffic.
(Credit: Synthient.com)
Google adds that NetNut allegedly grew the botnet by distributing software development kits for “devices commonly found in homes, such as smart TVs and streaming boxes.” That preinstalled software secretly gave NetNut a way to maintain access to the devices and relay internet traffic through them, without the owner’s knowledge.
In response, Google, which develops the Android OS, shut down the Google accounts and services NetNut relied on to control the botnet. Android’s built-in Google Play Protect has been disabling “applications known to incorporate NetNut SDKs, and the system will continue to protect users against future install attempts,” the company says.
The disruption should reduce “the available pool of devices for the proxy operator by millions,” Google added. But the company warns that NetNut may try to rebuild its network, possibly by buying capacity from a competitor. In the meantime, Google is urging consumers to buy TV streaming devices from reputable manufacturers, rather than unknown providers peddling cheap set-top boxes secretly loaded with malware.
Recommended by Our Editors
The company added: “Consumers should be extremely wary of applications that offer payment in exchange for ‘unused bandwidth’ or ‘sharing your internet.’ These applications are primary ways for malicious proxy networks to grow, and could open security vulnerabilities on the device’s home network.”
The crack down might damage the reputation of NetNut, as well as bring it legal troubles. But the provider’s parent Alarum Technologies told PCMag it plans to cooperate with the FBI. “On July 2, 2026, Alarum and its subsidiary NetNut were made aware of the seizure of some of its domains by the FBI,” the company said. “Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.”
In the meantime, NetNut’s website currently advertises shady services, including “limitless web data extraction” for companies looking to scrape data for AI training.
About Our Expert

Michael Kan
Principal Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Click Here For The Original Source.
