FBI and Google Seize Botnet Built From 2 Million Home Devices
The FBI and Google dismantled NetNut, a residential proxy network built from at least 2 million home devices including smart TVs and streaming boxes. Criminals rented the network to hide password-spray and account-takeover traffic behind ordinary residential IP addresses, the kind many business security tools are built to trust.
By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read
The FBI, working with Google, Lumen, and the IRS Criminal Investigation division, seized hundreds of domains this week tied to NetNut, a residential proxy network built from at least 2 million home devices worldwide. Smart TVs, streaming boxes, and other consumer gadgets made up the pool, many of them enrolled without their owners ever seeing a consent screen.
What the numbers show
Google's Threat Intelligence Group counted 316 distinct threat clusters using NetNut's exit nodes in a single week in June, a mix of cybercriminal and espionage groups running password-guessing attacks and hiding the true source of their traffic. Researchers at Spur found that 42% of apps available for LG's webOS smart TV platform bundle a residential proxy SDK, and more than a quarter of apps built for Samsung's Tizen do the same.
NetNut is owned by Alarum Technologies, a publicly traded Israeli company (NASDAQ: ALAR). Alarum disputes the botnet label and says its software only shares bandwidth with consent, but Synthient, one of the research firms that traced the underlying Popa botnet to NetNut, said none of the more than 20 apps it tested actually showed a consent prompt before enrolling a device.
The angle most coverage misses
Security tools are built to trust residential IP addresses more than datacentre traffic, on the theory that ordinary home browsing looks nothing like an attack. Residential proxy networks exist to break that assumption. When an attacker routes a password-spray attempt or a stolen-credential login through a device on your employee's home network, it arrives at your VPN or cloud login looking exactly like the employee's own traffic. Google says criminal and espionage groups used NetNut for precisely that: masking access to victim environments and running password-guessing attacks that would otherwise get flagged.
An exit node also opens a door the wrong way. Once a home device becomes a proxy exit point, Google warns, outside traffic passes through it and can reach other devices on the same network, exposing whatever else is connected, including a work laptop on the same Wi-Fi.
- Check any TV streaming box in your office or a remote employee's home. If it did not come from a name-brand manufacturer with official Android TV OS and Play Protect certification, treat it as compromised until verified.
- Watch for apps, on smart TVs or phones, that offer payment for "sharing your unused bandwidth" or "earning money for your internet connection." That pitch is one of the clearest signs of proxy malware.
- Run your business's public IP addresses through Synthient's proxy-detection lookup page to check whether any of your own connections have been flagged as a residential exit node.
- If your business uses IP reputation or geofencing as a login control, treat a login from a "clean" residential IP with unusual timing or an unfamiliar device fingerprint as worth a second look rather than automatically trusted.
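As an added illustration of the last point (example code written for this page, not from the article, Google or Synthient), the following Python check scores constructed login records so that a "residential" IP class never earns trust on its own: timing, device fingerprint and a residential address failing against several accounts decide whether a login gets a second look. Field layout, business hours and the spray threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not real logs). Fields:
# timestamp, user, source IP, IP class from a reputation feed, device fingerprint, outcome
EVENTS = [
    ("2024-06-03T09:12:00", "alice", "203.0.113.10", "residential", "fp-alice-laptop", "success"),
    ("2024-06-03T03:41:00", "alice", "198.51.100.7", "residential", "fp-unknown-1", "success"),
    ("2024-06-03T03:42:00", "bob",   "198.51.100.7", "residential", "fp-unknown-1", "failure"),
    ("2024-06-03T03:42:30", "carol", "198.51.100.7", "residential", "fp-unknown-1", "failure"),
    ("2024-06-03T03:43:00", "dave",  "198.51.100.7", "residential", "fp-unknown-1", "failure"),
    ("2024-06-03T14:05:00", "bob",   "203.0.113.55", "residential", "fp-bob-phone", "success"),
]
# Assumed per-user device baselines and policy thresholds.
KNOWN_DEVICES = {"alice": {"fp-alice-laptop"}, "bob": {"fp-bob-phone"}}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal
SPRAY_ACCOUNTS = 3              # distinct accounts failing from one IP

def spray_sources(events, threshold=SPRAY_ACCOUNTS):
    """IPs that produced failed logins against at least `threshold` distinct accounts."""
    failed_accounts = defaultdict(set)
    for _, user, ip, _, _, outcome in events:
        if outcome == "failure":
            failed_accounts[ip].add(user)
    return {ip for ip, users in failed_accounts.items() if len(users) >= threshold}

def review_logins(events, known_devices=KNOWN_DEVICES):
    """Return events worth a second look, each with its reasons.
    A 'residential' IP class never removes a reason: a clean-looking home
    address is judged on timing, device and behaviour, not on its reputation."""
    sprayers = spray_sources(events)
    flagged = []
    for ts, user, ip, ip_class, fp, outcome in events:
        reasons = []
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if fp not in known_devices.get(user, set()):
            reasons.append("unknown-device")
        if ip in sprayers:
            reasons.append("spray-source")       # same IP failing across many accounts
        if ip_class == "datacenter":
            reasons.append("datacenter-ip")      # the only place IP class adds weight
        if reasons:
            if outcome == "success":
                reasons.append("successful-login-needs-review")
            flagged.append({"user": user, "ip": ip, "reasons": reasons})
    return flagged
```

In the sample, alice's 03:41 success from an unknown device on an address that is also failing against three other accounts is the one that needs review; her daytime login from her usual laptop is not flagged even though both come from residential IPs.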
This is not a kill, Google says, only a degradation. The company took down a similar network called IPIDEA in January, and its operators simply started buying capacity from competitors, becoming resellers themselves. NetNut runs its own reseller programme, and Google says it has "high confidence" that many proxy brands that look independent are actually reselling the same NetNut pool. That makes the real test of this takedown whether NetNut-linked traffic resurfaces somewhere else.
"When a consumer device becomes an exit node, unauthorized network traffic passes through it, effectively exposing other devices on the network to Internet threats," Google's Threat Intelligence Group wrote in its disclosure.