WHAT WE KNOW SO FAR: A coordinated effort by US law enforcement and private-sector researchers has disrupted a major residential proxy network that turned everyday consumer devices into tools for cybercrime. The operation, led by the FBI and Google's Threat Intelligence Group, focused on NetNut, a commercial proxy service that researchers also track as the Popa botnet. According to Google, the network co-opted more than two million devices globally, routing internet traffic through residential connections.
The Popa botnet relied on a malicious software development kit embedded in low-cost Android-based devices, including smart TVs and streaming boxes, as well as unofficial apps such as SmartTube. Once those devices were connected, they began acting as proxy exit points without clearly informing users. That setup allowed attackers to send traffic through residential IP addresses, making it harder for security systems to detect or block malicious behavior.
Google said that in one week in June 2026, at least 316 distinct threat clusters used NetNut's network for password spraying, credential stuffing, advertising fraud and sensitive data scraping.
The way NetNut operated set it apart from the usual underground botnets. Rather than being run solely by underground actors, it appears to have had ties to a commercial entity.









