Yesterday, visitors to the website of one of the world’s largest “residential proxy” providers found something unusual in place of the homepage: an FBI seizure banner. In a coordinated action announced July 2, Google’s threat intelligence team — working with the FBI, Lumen, and other partners — moved to dismantle the NetNut proxy network, also known as Popa. The scale is what should get your attention: Google estimates the network was built on at least 2 million everyday consumer devices, including smart TVs and streaming boxes, quietly routing strangers’ internet traffic through the homes and businesses where they sat.
If you have ever wondered whether the cheap streaming box in the break room or the bargain smart TV on the wall could really be a security issue, this story is the answer. Let’s walk through what happened, what these networks actually do, and the question every owner should be asking today: what is plugged into my network right now — and whose traffic is it carrying?
The takedown, at a glance
| What was hit | The NetNut residential proxy network (also tracked as “Popa”), one of the largest of its kind in the world |
| Who took action | Google’s Threat Intelligence Group, the FBI, IRS Criminal Investigation, Lumen, Shadowserver, and other partners |
| The scale | At least 2 million consumer devices worldwide — largely smart TVs and streaming boxes |
| What was seized | Hundreds of domains; the network’s homepage now displays an FBI seizure notice |
| Who was using it | In a single week in June, Google observed 316 distinct criminal and espionage groups routing activity through the network |
| The result | Google calls it a significant degradation — millions of devices removed from the pool — but not a kill |
One note for fairness: the company behind NetNut disputes the “botnet” label, saying its software is for consented bandwidth-sharing, and has said it will cooperate with law enforcement. Independent researchers, for their part, reported that of the more than twenty apps they examined carrying the software, not one showed users a consent prompt. We will let that contrast speak for itself.
What is a “residential proxy network,” in plain English?
Here is the simplest way to picture it. Every home and business has an internet address, and to the rest of the internet, that address has a reputation. Traffic coming from an ordinary house looks trustworthy. Traffic coming from anonymous data centers looks suspicious, and security systems often block it on sight.
A residential proxy network is a business built on renting out that trust. Its operators get their software running on millions of everyday devices, and then sell criminals and other customers the ability to route their traffic through your connection. The attack, the fraud, the password-guessing campaign — it all exits onto the internet wearing your address. To the victim on the other end, it looks like the attack came from a living room in a quiet neighborhood. Because, in a sense, it did.
How 2 million living-room devices got recruited
Nobody knowingly signs their TV up for a criminal relay service. The devices were roped in quietly, mainly through three doors:
- Pre-installed at the factory. Many cheap, no-name smart TVs and streaming boxes ship with the proxy software already baked in. The owner plugs it in, and it goes to work from day one.
- Hidden inside free apps. A free app promises one thing — a game, a utility, a streaming tool — and quietly carries the proxy code along with it.
- “Get paid for your unused internet.” Some apps openly offer small payments in exchange for “sharing your bandwidth.” Google flags these as a primary way malicious proxy networks grow — what is really being sold is your address and your trust.
Notice what all three have in common: the owner never truly understood the deal. The device keeps working. The TV still streams. Nothing looks wrong. That invisibility is the entire business model.
What it means when it’s your device
When one of these devices is sitting on your network, several things are quietly true at once:
- Strangers’ traffic flows through your connection. People you will never meet — including, per Google’s observations, criminal and espionage groups — are using your internet line as their disguise.
- Your address takes the blame. Whatever they do while wearing your address — fraud, break-in attempts, password-guessing campaigns against other companies — traces back to you first. That can mean your address ends up blocked and distrusted across the internet, and in the worst case, it means very uncomfortable questions land on your doorstep instead of the real culprit’s.
- The door swings both ways. Google notes that once a device becomes an exit point, unauthorized traffic passing through it can expose the other devices on the same network to threats. The hijacked TV is not sealed off from your computers, your point-of-sale, your files — it is inside the walls with them.
- You will almost certainly never notice. There is no alarm, no slowdown you would connect to the cause, no sign on the screen. These networks survive precisely because their hosts stay unaware for years.
Why this is a business problem, not just a home one
It is tempting to file this under “consumer news.” But walk through the average small business and count the screens: the TV in the lobby playing the news, the streaming box in the break room, the bargain smart display someone bought online because it was half the price of the name brand. Every one of those is a small computer on your business network, and this takedown just demonstrated — at the scale of two million devices — that such gadgets are actively recruited into criminal infrastructure, sometimes before they ever leave the factory.
For a business, the stakes are simply higher than at home. Your internet address is part of your reputation: it affects whether your email gets delivered, whether your customers’ systems trust yours, and how you look to every security system you interact with. A hijacked gadget quietly renting out that reputation to 316 criminal groups is not a quirky tech story. It is your business unknowingly co-signing for strangers — and absorbing the consequences when they misbehave.
Why the takedown won’t protect you
Here is the sober part, and Google itself is candid about it. This action is a degradation, not a kill. These networks are resold and white-labeled under many seemingly independent brand names, so the same pool of hijacked devices hides behind a crowd of storefronts. And when one network is knocked down, history shows the demand simply moves: after a similar takedown in January, operators rebuilt by buying capacity from rivals within months. The people renting hijacked addresses did not retire yesterday. They are shopping for new inventory — and unexamined devices on trusting networks are exactly what that inventory is made of.
In other words: law enforcement just cleaned up a huge slice of the problem, but no one is coming to inspect the devices on your network. That part has always been on the owner. It just rarely gets done, because nobody was ever assigned the job.
Red flags worth knowing
Without turning you into a security analyst, a few plain warning signs are worth keeping in mind — they come straight out of how this network grew:
- Apps that pay you for your internet. Any app offering money for your “unused bandwidth” is asking to rent out your address. Treat that offer as the warning it is.
- No-name, too-cheap hardware. The suspiciously cheap streaming box or off-brand smart TV is cheap for a reason — and sometimes that reason is that you are not the customer, you are the product.
- Gadgets nobody accounts for. If a device is on your network and no one can say what it is, who bought it, or what it talks to, it belongs on a list somewhere — and someone should be keeping that list.
Know what’s on your network — before it borrows your name
Two million device owners found out this week — or more likely, still have no idea — that their living rooms and break rooms were part of criminal infrastructure. The lesson is not to fear your TV. It is that every device you plug in is a small decision about who gets to operate inside your walls and under your name, and that almost no small business has ever taken an honest inventory of those decisions.
That is exactly what our environment review is for. We take a plain-language look at what is actually connected to your network — every device, including the ones everyone forgot about — what each one is, and whether anything is behaving in ways that should worry you. No jargon, no scare tactics, no obligation. The FBI just answered the question of what was running on two million networks. The better question is simpler and much closer to home: do you know what is running on yours?
Sources: Google Threat Intelligence Group; KrebsOnSecurity; The Hacker News; Cybernews, July 2026.













