Google’s condition has become very bad netnutOne of the largest networks that turns home appliances into rented relays for other people’s traffic.
Working with the FBI, Lumen and others, Google’s Threat Intelligence Group (GTIG) said this week that it has reduced the network’s pool of exploitable devices by millions.
Google identifies NetNet, which is also tracked as PoppaAs a network it has spread across home devices around the world, including smart TVs and streaming boxes, and GTIG estimates there are at least 2 million devices in the network.
If one of those devices is in your home, strangers can route their own traffic through your Internet connection, and your address is blamed for whatever they do with it.
how it works
A residential proxy network sells access to real home Internet addresses. Attackers pay to route their traffic through your connection, so it looks like normal home browsing, not the datacenter traffic that security tools block.
To build that pool, operators need to run their code on home devices. Some devices ship with cheap off-brand hardware pre-installed; Others pick it up when someone installs a free app that hides it. Once it’s turned on, the device becomes an “exit node”, a gateway through which other people’s traffic flows.
Google says an egress node brings outside traffic inside the home network, giving attackers the opportunity to access other devices on it. Some of these home gadgets have also been pulled into major attack botnets like Mirai and Badbox 2.0.
In a single week in June, GTIG counted 316 different threat groups using suspicious NetNet exit nodes, including cybercriminals and espionage groups, to hide their real location and run password-guessing attacks.
the company behind it
Unlike most proxy botnets, Netnut is associated with a public company. In June, researchers from Curium, Synthient, Nokia Deepfield, and Spur connected Popa to NetNet.
NetNet is a proxy provider owned by publicly traded Israeli company Alaram Technologies (NASDAQ: ALAR). In a controlled test, Synthiant said that traffic sent to NetNet’s commercial gateway came through a device enrolled in Popa.
Synthient framed this as evidence of traffic paths, not evidence of what NetNet knew or intended. Google’s own intelligence is aligned: It considers NetNut and Popa to be the same network, and says the public reporting matches its view of how NetNut creates its botnet. When the researchers’ findings were published, Hacker News covered them.
Alarum rejects the “botnet” label. It calls the research “blatantly false claims and flawed deductions rather than verified facts” and says its software is intended for consensual bandwidth-sharing that does not compromise the devices it runs on.
The researchers’ testing complicates that defense: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt.
Why is one removal not enough?
Cutting Netnut is messy by design. NetNet runs a reseller program that lets other companies sell its network under their own brand names. Google says it is confident that many popular, different-looking proxy brands are actually reselling the same NetNet pool.
So the same removal affects a lot of brands that look independent but aren’t.
That’s why Google calls it murder, not degradation. It said its previous action against similar IPIDEA networks had shown that these networks could appear resilient: operators began buying capacity from rivals, in effect becoming resellers themselves. Google says real, lasting damage would mean going after multiple connected providers at once.
In January, Google and partners disrupted China-based network IPIDEA, which at its peak was the largest network of its kind. In July 2025, Google took to court the operators of Badbox 2.0, a botnet of hijacked Android TV devices whose components overlap with Popa. Each time, the networks proved stubborn.
What should consumers do?
The most obvious warning sign is an app that offers to pay you for your “unused bandwidth” or “share your internet.” This is one of the main ways these networks grow.
Beyond that:
- Stick to the official app store, and check what permissions a VPN or proxy app is asking for.
- Keep built-in protections like Google Play Protect turned on.
- Buy streaming boxes and smart TV hardware from known manufacturers, not no-name brands.
The demand for these home addresses does not end when the network is shut down; It just goes on. For defenders and platforms, the next signal worth watching is whether NetNet-linked traffic resurfaces under reseller brands.