2 Million Devices Were Turned Into Hacking Tools Without Owners Knowing. Here’s How To Check if Yours Was Affected

The residential proxy network routed malicious traffic through millions of compromised home devices. Here's how to identify the warning signs and protect yourself.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Google, in coordination with the FBI, Lumen, and other security researchers, has taken down NetNut, one of the largest and most popular residential proxy networks. The operation is expected to have affected at least 2 million devices[1], primarily smart home devices such as streaming boxes and smart TVs.

The worrying part is that your device could have been infected by NetNut without you even knowing it. As a result, legitimate traffic from your own home network may be flagged as suspicious or even blocked by online services or your internet service provider.

Here's how NetNut worked, how authorities took it down, and what you can do to keep your home devices safe.

In this article
How NetNut infected your devices
How to check if your device has been compromised
What you can do if your device is infected
Bottom line

How NetNut infected your devices

According to KrebsOnSecurity, one of the research outlets behind the NetNut takedown, residential proxy networks like NetNut operate by controlling residential IP addresses, registering them as exit nodes, and then selling access to them to paying customers.

Those customers are often malicious threat actors who abuse the compromised residential IPs for advertising fraud, account takeovers, or mass content scraping.

Your home device may either come pre-infected with malware, or you may unknowingly sideload or download applications that contain hidden proxy code. Once infected, your device can become one of these exit nodes, allowing cybercriminals to route malicious traffic through your home internet connection.

Worse still, once an infected device becomes a residential proxy node, attackers may also be able to use it as a foothold into your home network. That means a compromised streaming box or smart TV could potentially expose your laptop, phone, security cameras, or other devices connected to the same Wi-Fi network. If attackers manage to compromise those devices, they could gain access to sensitive information such as personal files, photos, saved passwords, or financial data.

Researchers found NetNut relied on three key malware components:

  • Vo1d: NetNut's device pool was built on an existing malware infrastructure known as Vo1d, a malware campaign that targets unofficial and cheap Android TV boxes — the ones that advertise that you can watch every streaming service with just one box or stick.
  • BadBox 2.0: This is another botnet that packaged proxy code onto infected devices. Google also named BadBox 2.0 as a source feeding NetNut's network.
  • Popa: It’s a plug-in component that rides on the same Vo1d infrastructure. It’s used to register an infected device, keep long-lived encrypted connections open, and establish communication tunnels on demand. Its sole job was to keep devices available as always-on relay points.

In July 2025, Google, HUMAN Security, and Trend Micro took down BadBox 2.0, but that did not stop Popa. Instead, new domains were almost immediately registered to keep the botnet running.

Researchers traced one of Popa's control domains back to Ninjatech, a company founded by a former NetNut executive who had built an early version of the Popa SDK years earlier. They also observed that traffic from Popa-infected devices matched NetNut's paying customers, leading them to believe that Popa was actively feeding NetNut's proxy pool.

Alarum Technologies, the publicly traded Israeli company that owns NetNut, has denied the botnet label and said its SDK operates with user consent. However, researchers at Synthient found that, in an analysis of more than 20 Popa-distributing apps, none asked users for consent before installing the proxy component.

What Google did to stop NetNut

As part of the NetNut and Popa takedown, Google implemented the following measures:

  1. Disabled Google accounts and associated services used by NetNut for malware command and control (C2).
  2. Shared intelligence relating to NetNut software development kits (SDKs) with law enforcement agencies, researchers, and platform providers.
  3. Ensured that Google Play Protect automatically warned users and disabled applications known to incorporate NetNut SDKs.

"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions," Google said.

The netnut.com website now displays a warning stating that the website was seized by the FBI in coordination with the Department of Justice and the Internal Revenue Service Criminal Investigation.

Screenshot showing netnut.com has been seized by the FBI and other partners.

Google has warned users to stay wary of apps that offer payment in exchange for sharing their internet connection or unused bandwidth. While this might sound like easy passive income, agreeing to it means letting a stranger route unknown traffic through your home IP address.

The good news is that many of the affected devices rely on unofficial Android operating systems that aren't protected by Google's Play Protect certification. If you're unsure about your device, Google recommends checking whether it runs the official Android TV OS and is Play Protect certified.

How to check if your device has been compromised

Since the entire Popa network affected more than two million devices, the chances that your device is one of them are fairly realistic.

Here are a few practical ways to check whether your device is being used as a potential exit node.

  1. Know which devices are at the highest risk: If you're using an unofficial Android TV box or streaming stick, or a device purchased from a second-hand marketplace, there's a higher chance it may be infected by the Popa botnet.
  2. Check your router's traffic logs: Since an infected device constantly sends and receives data, you may notice unusual traffic while checking your router's logs. Look for high outbound data usage that doesn't correlate with your normal streaming habits.
  3. Look for unknown apps: Scan your device or smart TV for unfamiliar or unauthorized apps, such as free VPNs, screensavers, or PDF viewers.
  4. Watch for physical signs: Device overheating, unexpected battery drain, or screen freezes can indicate suspicious background processes.
  5. Check with your ISP: If you've received a warning about unusual outbound activity or throttling from your internet service provider, it's worth checking with them rather than dismissing the issue.

What you can do if your device is infected

If you believe your device could be infected, or want to prevent it from happening, there are several things you can do to protect your home network:

  1. Installing a third-party antivirus program to detect and remove malware on Windows PCs, Macs, and Android devices connected to your home network.
  2. Change your Wi-Fi password after securing your device, since some of these networks allow lateral movement that could compromise other devices on your home network.
  3. Use a VPN on your smart TV to help protect all data coming to and from the device (with the added bonus of being able to change your location to access geo-restricted content).
  4. Factory-resetting it may help. However, this doesn't guarantee that all infected apps, botnets, or malware have been removed.
  5. Another option is replacing the device entirely with one from a reputable brand, rather than the cheap knockoffs often sold under unknown brand names.

Bottom line

Although the operation marks a major victory against malicious residential proxy networks, Google has underlined that it is not a permanent solution. The company has called on ISPs, technology platforms, and mobile platforms to continue working together against such threats.

Similarly, users should exercise caution before purchasing connected devices and ensure they come from reputable manufacturers. Sticking to official app stores, avoiding apps that offer payment for sharing your internet connection, and choosing Play Protect-certified Android TV devices can also help reduce the risk of compromise.

Protect Every Aspect of Your Digital Life — Even Your Time
4.7
Editorial Rating
See Price
On TotalAV's website
2026 Editors’ Choice
Best Antivirus for Safe Browsing
Antivirus Software
TotalAV
  • An antivirus that scores 18/18 on AV-TEST for Windows and macOS, with top marks across all test categories
  • Passed every malware and drive-by download test we ran, quarantining threats automatically
  • Includes a junk cleaner, app uninstaller, and browser cleaner to keep your device running smoothly alongside the antivirus

Author Details
Krishi Chowdhary specializes in digital privacy, cybersecurity, and consumer technology. He has written extensively on online privacy tools and broader cybersecurity topics, including online scams, data breaches, age verification, and emerging digital threats. Krishi believes technology reporting should empower readers, not confuse them, and is committed to making even the most technical subjects easy to understand without compromising on accuracy or depth. His work has appeared in leading technology publications, including CNET, ExpressVPN, and TechRadar, where he has covered topics ranging from cybersecurity incidents and privacy product announcements to artificial intelligence and major technology news

Citations

[1] Google’s Continued Disruption of Malicious Residential Proxy Networks