
The FBI seized NetNut's proxy network. Its two million hacked devices are still infected.

The FBI and Google seized the NetNut residential proxy network on July 2, but its two million hacked devices are still infected. Why IP reputation still fails.


Seizing a residential proxy service takes down the storefront. It does not take back the stock. On July 2, 2026, the FBI and the Internal Revenue Service Criminal Investigation division, working with Google, Lumen, and Shadowserver, seized hundreds of domains tied to NetNut, a large residential proxy service, and replaced its site with a seizure notice. That is good news, and most of the coverage read that way. The part that matters more for anyone defending a login page: the roughly two million hacked devices that made NetNut useful are still hacked.

What the July 2 seizure covered

NetNut sold access to residential internet connections. An attacker who buys a residential proxy routes traffic through a real home broadband line, so a login attempt or a scraping run looks like it came from an ordinary consumer instead of a data center. That is the whole value of the service: it launders the source of the traffic.

The takedown hit the infrastructure that sold and coordinated that access. Agents seized hundreds of NetNut domains and the backend that ran them, and Google disabled the accounts and apps tied to the operation. The service is run by Alarum Technologies (NASDAQ: ALAR), an Israeli firm listed on a United States exchange, whose legal counsel said it would cooperate with law enforcement. Researchers connect NetNut to a botnet tracked as Popa. Alarum rejects the botnet label and says its software does consensual bandwidth sharing, so treat operator intent as an open question rather than a settled fact. What is not in dispute is the supply.

Google's own framing is the tell. Its Threat Intelligence Group described the action as degrading the network rather than killing it, cutting the pool of usable devices by millions. Degrading, not killing. Hold onto that word.

The NetNut takedown by the numbers

  • 2 million hacked devices: smart TVs and streaming boxes, still infected
  • 316 attacker groups in one week: seen routing through NetNut exit nodes in June
  • Hundreds of domains seized: NetNut and Popa infrastructure taken offline

Source: FBI seizure notice and Google Threat Intelligence Group, July 2, 2026.

The two million devices are the part that did not change

A residential proxy network is only as valuable as the number of real homes it can route through. NetNut's supply was roughly two million compromised devices: smart TVs, streaming boxes, and off-brand Android TV hardware, many of them enrolled with little or no consent from the people who own them. Some shipped with the proxy code already on cheap gear. Others picked it up through apps that promised to pay for spare bandwidth.

None of those devices got patched on July 2. A domain seizure changes what the operator can sell and coordinate. It does nothing to the television in someone's living room that is still running the malware. Those devices will keep beaconing out, and the demand that rented them does not evaporate. It moves. We have watched this exact shape before with router botnets, where the forgotten device on the network keeps scanning for the next operator long after any headline has faded.

Why blocking proxy IP ranges was never the control

Here is the detail that did not make most of the takedown coverage, and it is the one defenders should sit with. Google assessed with high confidence that many well-known residential proxy brands are quietly reselling the same NetNut supply under their own names. If you were blocking one proxy vendor's address ranges, you were not blocking the pool. You were blocking one label on it.

We made the same argument in June, when researchers first tied the Popa botnet to NetNut: a hacked home IP address is not evidence of a safe request. The takedown is the proof. In a single week in June, Google counted 316 separate attacker groups routing password-guessing and other activity through NetNut exit nodes. Those groups did not rely on the service because it was cheap. They relied on it because residential addresses defeat the reputation and geolocation checks that many fraud and login defenses still lean on.

An address that belongs to a broadband subscriber carries a good reputation by default. When two million of those addresses are for rent, that reputation stops being a signal at all. It was true the day before the seizure and it is true the day after.

Treat residential IPs as untrusted by default

The seizure is worth something. It raises the cost of running this particular service, and it gives two million device owners a reason to look at what their smart TV is doing at night. But it does not change the work on your side, and reading it as a reason to relax the login defenses you already run would be a mistake.

For anyone protecting accounts or an authentication endpoint, the concrete steps:

  • Stop using a residential IP address, its geolocation, or its reputation score as a trust signal on its own. It can feed a risk score. It cannot be the deciding vote.
  • Detect on behavior instead: the velocity of attempts against one account, one client touching many accounts, impossible travel between sessions, and sudden shifts in device or browser fingerprint on a known account.
  • Assume credential-stuffing traffic will look residential and geographically normal. Rate-limit and challenge on the pattern, not the source address.
  • Keep multi-factor authentication on every account that matters. It is the control that holds when the attacker's source looks perfectly ordinary. Watch for the password-spray runs that quietly probe for the accounts that lack it.
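The four bullets above, together with the earlier point that a residential address is not evidence of a safe request, amount to a scoring rule: behavioral signals can each force a step-up on their own, and the source IP only nudges the total. The following Python is an added illustration, not code from the article or from any vendor named in it. The events, the thresholds (a 300-second window, five attempts, 1,000 km/h) and the weights are all constructed assumptions; the IP addresses are documentation ranges, and the `residential` flag stands in for whatever reputation lookup you already run.

```python
"""Behavioral login-risk scoring where IP reputation feeds the score but never decides it."""
import math
from collections import defaultdict, deque

WINDOW = 300         # seconds each rate rule looks back over (assumed)
ACCOUNT_FAILS = 5    # failed attempts on one account inside WINDOW -> "velocity"
SPRAY_ACCOUNTS = 5   # distinct accounts one client fingerprint touches inside WINDOW -> "spray"
MAX_KMH = 1000       # implied speed above this between two sessions -> "impossible_travel"
MIN_TRAVEL_KM = 50   # ignore geolocation jitter below this distance
CHALLENGE_AT = 40    # risk score at which the login is stepped up to an MFA challenge

# Each behavioral signal can cross CHALLENGE_AT alone; the IP signal never can.
WEIGHTS = {"velocity": 50, "spray": 50, "impossible_travel": 50, "fingerprint_change": 30}
RESIDENTIAL_ADJUST = -5   # a "clean" home address nudges the score; it is not a veto
DATACENTER_ADJUST = 10    # a hosting address nudges it the other way; also not a veto


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class LoginRiskScorer:
    def __init__(self):
        self.account_fails = defaultdict(deque)   # account -> timestamps of failed attempts
        self.client_touches = defaultdict(deque)  # client fingerprint -> (ts, account)
        self.last_success = {}                    # account -> last successful event

    @staticmethod
    def _prune(dq, now, key=lambda x: x):
        while dq and key(dq[0]) < now - WINDOW:
            dq.popleft()

    def assess(self, ev):
        """Fold one login event into the state and return its verdict."""
        now, acct, client = ev["ts"], ev["account"], ev["client"]
        reasons = []

        # 1. Velocity: many failures on one account, no matter how many IPs they arrive from.
        fails = self.account_fails[acct]
        self._prune(fails, now)
        if not ev["ok"]:
            fails.append(now)
        if len(fails) >= ACCOUNT_FAILS:
            reasons.append("velocity")

        # 2. Spray: one client fingerprint walking across many accounts.
        touches = self.client_touches[client]
        self._prune(touches, now, key=lambda t: t[0])
        touches.append((now, acct))
        if len({a for _, a in touches}) >= SPRAY_ACCOUNTS:
            reasons.append("spray")

        prev = self.last_success.get(acct)
        if prev:
            # 3. Impossible travel relative to the account's last good session.
            km = haversine_km(prev["geo"], ev["geo"])
            hours = max(now - prev["ts"], 1) / 3600
            if km > MIN_TRAVEL_KM and km / hours > MAX_KMH:
                reasons.append("impossible_travel")
            # 4. Device/browser fingerprint differs from the one last seen on this account.
            if prev["client"] != client:
                reasons.append("fingerprint_change")

        score = sum(WEIGHTS[r] for r in reasons)
        score += RESIDENTIAL_ADJUST if ev["residential"] else DATACENTER_ADJUST
        score = max(score, 0)
        if ev["ok"]:
            self.last_success[acct] = ev
        return {"score": score, "reasons": reasons,
                "action": "challenge" if score >= CHALLENGE_AT else "allow"}


def run(events):
    """Score a list of events in order; returns one verdict per event."""
    scorer = LoginRiskScorer()
    return [scorer.assess(ev) for ev in events]


def ev(ts, account, client, ip, geo, ok, residential=True):
    return {"ts": ts, "account": account, "client": client, "ip": ip,
            "geo": geo, "ok": ok, "residential": residential}


# Constructed sample events (not real telemetry). Every source except the last is
# flagged residential, which is exactly how proxied stuffing traffic presents.
NYC, LONDON, SF = (40.7128, -74.0060), (51.5074, -0.1278), (37.7749, -122.4194)
EVENTS = [
    # a) password spray: one fingerprint, five accounts, one failure each, rotating home IPs
    *[ev(5 * i, a, "fp-A", f"203.0.113.{10 + i}", NYC, False)
      for i, a in enumerate(["alice", "bob", "chen", "dana", "eli"])],
    # b) credential stuffing: five failures on one account, fresh fingerprint and IP each time
    *[ev(100 + 10 * i, "frank", f"fp-B{i}", f"198.51.100.{1 + i}", NYC, False) for i in range(5)],
    # c) impossible travel: a good login from New York, then London one hour later
    ev(200, "grace", "fp-G", "192.0.2.7", NYC, True),
    ev(3800, "grace", "fp-G", "192.0.2.8", LONDON, True),
    # d) benign fingerprint change: a new browser from the same city
    ev(5000, "hana", "fp-H", "192.0.2.20", SF, True),
    ev(9000, "hana", "fp-H2", "192.0.2.21", SF, True),
    # e) datacenter source with ordinary behaviour: nudged up, still allowed
    ev(9100, "ivan", "fp-I", "198.51.100.200", SF, True, residential=False),
]

if __name__ == "__main__":
    for e, r in zip(EVENTS, run(EVENTS)):
        print(f"{e['ts']:>5} {e['account']:<6} {e['ip']:<16} {r['action']:<9} {r['score']:>3} {r['reasons']}")
```

Reading the output: the spray fires on the fifth account and the stuffing run fires on the fifth failure even though every attempt came from a different "clean" home address, the London login is challenged despite matching the device last seen on that account, and the new-browser login and the datacenter login are both allowed because the source adjustment alone cannot reach the challenge threshold in either direction.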

Enforcement takedowns are good, and we should want more of them. They are also not remediation. We saw the same lesson when police scrubbed the SocGholish malware from thousands of sites and the way in stayed open. The infrastructure changes. The technique does not. NetNut's storefront is gone. The two million devices, and the 316 groups that were happy to pay for them, are already looking for the next one. Build the detection that does not care which name is on the door.


Frequently asked questions

What is NetNut?

NetNut is a residential proxy service that routed customers' internet traffic through home broadband connections, making that traffic look like it came from ordinary consumers. Researchers tied it to a botnet of about two million hacked devices. It is run by the Israeli firm Alarum Technologies.

What did the FBI and Google do to NetNut on July 2, 2026?

The FBI and the IRS Criminal Investigation division, working with Google, Lumen, and Shadowserver, seized hundreds of NetNut domains and its backend infrastructure and posted a seizure notice. Google disabled linked accounts and apps, which it described as degrading the network rather than killing it.

Are the two million infected devices now safe?

No. The seizure took down the infrastructure that sold and coordinated proxy access, but the smart TVs, streaming boxes, and Android TV devices running the malware were not cleaned. They stay infected and can be re-enrolled into successor services or other operators over time.

Why does blocking residential proxy IP addresses not protect me?

Because a residential IP carries a trusted reputation by default, and Google says many proxy brands resell the same NetNut supply under different names. Blocking one vendor's ranges blocks one label, not the pool of two million addresses. Reputation and geolocation stopped being reliable trust signals.

What should defenders do after the NetNut takedown?

Stop treating a residential IP address, its location, or its reputation as proof a request is safe. Score logins on behavior instead: attempt velocity, one client hitting many accounts, impossible travel, and device fingerprint changes. Keep multi-factor authentication on every account that matters.
