DistantNews
Support us
๐Ÿ‡ฐ๐Ÿ‡ฌ Kyrgyzstan /Technology

FBI dismantles NetNut botnet using millions of hidden proxy devices

From 24.kg · () Russian

Translated from Russian, summarized and contextualized by DistantNews.

At a glance

News Sources not specified Outcome reported
  • The FBI has dismantled NetNut, a botnet that used millions of compromised devices as proxy servers.
  • The botnet leveraged user devices like smart TVs and Android gadgets, rerouting traffic through their IP addresses without owners' knowledge.
  • NetNut was used for various cybercrimes, including credential theft and ad fraud, and was linked to Israeli company Alarum Technologies.

The FBI, in collaboration with Google's cybersecurity units, has successfully neutralized NetNut, a vast botnet that exploited millions of user devices worldwide to function as a hidden proxy infrastructure. The operation targeted a network that comprised over 2 million devices, including smart TVs, streaming boxes, and various Android gadgets.

These connected devices were reportedly used to automatically reroute internet traffic through users' home IP addresses, a process of which the owners were unaware. The core of this scheme involved a malicious software development kit (SDK) embedded in inexpensive Android devices and certain applications, including third-party content viewers. Once installed, this software turned devices into nodes within a distributed proxy network, enabling malicious actors to mask their activities.

Investigators determined that in a single week in June 2026, NetNut's infrastructure was utilized by hundreds of groups for a range of illicit activities. These included brute-force password attacks, credential theft, advertising fraud, and the collection of sensitive information. A key characteristic of NetNut was its operation as a commercial proxy service rather than a traditional underground botnet.

Experts have linked the infrastructure to Alarum Technologies, an Israeli company whose shares are traded on Nasdaq. Previously, Alarum had stated it offered users a voluntary internet resource exchange service. However, independent research suggested that device owners might not have been adequately informed about how their connections were being used. Following the seizure of NetNut-related domains, Alarum announced its cooperation with law enforcement. Google confirmed that NetNut's model allowed other companies to rebrand and resell access to the proxy infrastructure. In response, Google seized related domains, blocked associated command-and-control server accounts, and updated its Google Play Protect system to detect applications containing the malicious SDK.

DistantNews Editorial

Originally published by 24.kg in Russian. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.