Google, the FBI, and other tech firms disrupted the NetNut residential proxy network, also known as the Popa botnet. The operation targeted over two million malware-infected devices. These devices were primarily smart TVs and streaming boxes. They concealed malicious internet traffic for cybercriminals and state-sponsored groups.

The botnet hijacked home electronics. It turned them into relay points. This allowed threat actors to mask their locations. They conducted attacks including password spraying, ad fraud, and data scraping. In a single week in June 2026, Google observed 316 distinct threat actor groups using the NetNut network.

The FBI seized hundreds of domains associated with the network. Google disabled accounts used for command and control. Google updated Play Protect to warn users and disable malicious apps responsible for infections.