Smart TV Hacked
The FBI worked alongside Google, Lumen Technologies and the Shadowserver Foundation in an effort to disrupt the network IBT UK Composite/Images from: Jens Kreuter/Unsplash; Markus Spiske/Unsplash

A major operation involving the FBI, Google, and other technology companies has disrupted a residential proxy network linked to millions of compromised Android TVs and smart home devices.

The operation targeted NetNut, a public-facing residential proxy service that authorities said was connected to a botnet controlling around 2 million Android TVs and similar devices. The network was reportedly being used for password-spraying, credential attacks, and other forms of malicious activity while making the traffic appear as if it came from ordinary internet users.

The problem highlighted how everyday smart devices can become part of cybercriminal operations without owners knowing. Many infected devices had malicious software installed before users even started using them, allowing hackers to secretly use home internet connections for illegal activities.

The FBI worked alongside Google, Lumen Technologies and the Shadowserver Foundation in an effort to disrupt the network and reduce the number of devices available to the operators behind it.

FBI And Google Disrupt Massive Proxy Network

The FBI confirmed that on July 2 it carried out a court-authorised operation targeting infrastructure linked to the NetNut residential proxy platform, its administrators and its users. The agency said the action involved the seizure of multiple domains as part of a coordinated effort with the Department of Justice and IRS Criminal Investigation.

Google said the operation had affected NetNut's operations by reducing the available pool of devices connected to the proxy network by millions. The company said the action had caused 'significant degradation to NetNut's proxy network and its business operations', according to a blog post.

NetNut's website now displays an FBI takedown notice following the operation. The company was described as one of the largest residential proxy network operators in the world and was owned by Alarum Technologies, a publicly traded company based in Israel.

Residential proxy services are not automatically illegal. These networks are commonly used by businesses for legitimate purposes, including security testing, advertising verification, collecting marketing information, and accessing websites restricted by location. They work by using real residential IP addresses, making online activity appear as if it is coming from a normal household connection.

The issue with NetNut was that authorities found its network was being linked to malicious activity. Security researchers discovered that traffic generated by the Popa botnet was coming from NetNut users, meaning the service was allegedly providing access to compromised devices that could be used by criminals.

Google warned that shutting down one provider would not completely remove the threat because proxy networks often share and resell access to each other's botnets. The company said lasting disruption would require targeting multiple connected providers at the same time.

How Hackers Used Android TVs As Botnet Devices

The operation was connected to research into the Vo1d botnet, which was discovered in 2024 by security researchers at XLab. The botnet consisted mainly of hacked, off-brand Android TV devices that had been turned into tools for cybercriminal activity.

Researchers also identified Popa, a network protocol plug-in that can normally be used to create residential proxy nodes with user permission. However, the version found on compromised Android TV devices was installed without users knowing, turning those devices into proxy points controlled by attackers.

According to the FBI, a residential proxy node acts as 'an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere'. This meant hackers could carry out attacks while appearing to use an ordinary person's home internet connection.

Compromised Android TV devices allowed cybercriminals to perform activities such as password attacks, data scraping and other malicious actions. Hackers could make their activity appear as though it was coming from another household, hiding their actual location and identity.

The majority of affected devices were reportedly cheap, no-name Android TV streaming boxes commonly sold through online marketplaces. Many of these devices use older versions of Android, which often lack newer security protections and may not receive regular updates.

Security researchers also warned about streaming devices promoted on social media that promise free access to content without subscriptions. Some of these products have reportedly been found with malware already installed before they reach customers.

To reduce the risk of becoming part of a botnet, users should buy Android TV devices from recognised manufacturers, choose products that receive regular security updates and avoid suspicious low-cost streaming boxes promoted online. The same precautions apply to other smart home devices, which can also become targets for cybercriminals.

Keeping software updated, using strong passwords, avoiding suspicious emails and protecting personal information online remain important steps in reducing the chances of falling victim to future attacks. The incident shows how seemingly harmless devices connected to home networks can become tools for cybercriminals when security is ignored.