Skip to content
Tech News
← Back to articles

Google and the FBI Target Massive Botnet That Quietly Used Home Devices to Mask Cybercrime

read original more articles

The FBI, in partnership with Google and other tech companies, struck a massive blow against NetNut, a public-facing residential network proxy service that secretly hosted a botnet controlling approximately 2 million Android TVs and similar smart home devices. The network was being used for password-spraying, credential attacks and other malicious activity.

Residential proxy botnets make malicious traffic appear like normal internet use, allowing everyday devices to be secretly hijacked by cybercriminals to conduct illegal activities using your home internet. Infected home devices were often preloaded with malicious software used by the botnet, which made traditional home security practices less effective at detecting and stopping the problem.

According to an FBI statement emailed to CNET, on July 2, the federal agency carried out "a court-authorized seizure of multiple domains as part of a coordinated law enforcement action with the Department of Justice and IRS Criminal Investigation targeting infrastructure associated with the NetNut residential proxy platform, its administrators, and users."

Authorities worked in tandem with Google, Lumen Technologies and the Shadowserver Foundation to go after NetNut and its services -- also known as the Popa botnet by security researchers. Google said in a blog post that the actions "caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." NetNut's website now shows an FBI takedown notice.

Google acknowledged that taking down NetNut is only the first step. Because these proxy networks frequently share and resell access to each other's botnets, disrupting one provider often leads malicious actors to simply purchase capacity from a competitor. To create a lasting impact, Google said it must "target the infrastructure of several interconnected providers" simultaneously.

NetNut's official website is taken down with this seizure notice in its place. The FBI

How this botnet worked

In 2024, security researchers at XLab found the Vo1d botnet, a massive collection of hacked, mostly off-brand Android TV devices. If you recall the fake AI video of Donald Trump and Elon Musk appearing on TVs at the Department of Housing and Urban Development, that was most likely caused by a malicious actor using the Vo1d botnet.

Those same researchers also found Popa, a legitimate network protocol plug-in that turned consumer devices into residential proxy nodes with the user's consent. But the version researchers found was being installed on the hacked Android TV devices without user consent. According to the FBI, a residential proxy node is "an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere."

Residential proxy networks are legal in the US, and businesses that use them usually sell access to enterprise customers, where they're often used for security penetration testing, ad verification, gathering marketing data and unlocking geo-locked websites. Since residential nodes use real IP addresses from someone's home, the company or person using the node is seen by the World Wide Web as just an ordinary user, and their true identity is hidden.

... continue reading