Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Google Targets NetNut Residential Proxy Network Operating Across Two Million Devices

Google disrupts the NetNut residential proxy network, cutting access to millions of compromised devices used to conceal cyberattacks worldwide.


 

Several international authorities have coordinated operations to disrupt the infrastructure behind a large residential proxy network, also known as Popa, after Google dealt a significant blow to one of the internet's largest residential proxy ecosystems. 

Through the action, which was conducted in collaboration with Lumen Technologies, the FBI, and other industry partners, millions of compromised Android-powered devices, including smart TVs, streaming boxes, and other internet-connected consumer hardware, were prevented from accessing the network. This significantly reduced the network's operational capacity. 

In the network, ordinary household devices were covertly transformed into proxy relays that permitted cybercriminals and state-linked threat actors to route malicious activity through legitimate residential IP addresses while masking their identities while provoking suspicions among unsuspecting individuals. 

According to security researchers, there are at least two million compromised devices worldwide comprised of the botnet, indicating both its scope and the growing misuse of consumer IoT infrastructure in modern cyber campaigns. In addition to its sheer scale, NetNut has become an integral component of the underground residential proxy market, providing infrastructure to hundreds of cybercriminals and espionage-linked threat actors. 

Several domains were used to conduct the operations of the service, including netnut.com, seized as a result of the FBI's disruption efforts. Researchers at the Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters that leveraged suspected NetNut exit nodes during one week last month, illustrating the platform's substantial operational reach. 

As a result of the analysis, attackers were not only able to hide access to their own infrastructure, but also were able to conduct password-spreading campaigns and establish covert connections into targeted environments by using trusted residential IP addresses. NetNut operators are dependent on Google to provide malware command-and-control (C2) services, so Google disabled their accounts and cloud services, effectively cutting them off from their critical backend infrastructure. 

The company notified affected Android users and deactivated malicious applications associated with the botnet simultaneously through Google Play Protect, and it distributed technical intelligence on NetNut's software development kits (SDKs) and C2 architecture to platform providers, law enforcement agencies, and cybersecurity researchers in order to strengthen coordination in detection and mitigation. 

Moreover, Google emphasized that the disruption is likely to spread beyond a single botnet, as NetNut's reseller model has provided infrastructure to multiple residential proxy providers for many years, making the operation potentially significant for the entire illicit proxy ecosystem. Investigations into the operation have also highlighted the commercial infrastructure that underpins the proxy network. 

A report from Qurium, Synthient, Nokia Deepfield, and Spur in June linked the Popa botnet to NetNut, an Israeli public company owned by Alarum Technologies. During controlled testing, Synthient demonstrated that traffic routed through NetNut's commercial gateway originated from a device that was intentionally enrolled in the Popa network, providing evidence that the commercial proxy service was directly connected to compromised endpoints. 

In addition to the researchers refraining from attribution of intent or operational knowledge to Google, Google stated that its own threat intelligence was consistent with the public findings, treating NetNut and Popa as components of the same network and supporting the research team's assessment of proxy infrastructure construction. 

In contrast, Alarum has firmly rejected those conclusions, rejecting the categorization of NetNut as a botnet, and stating that the research is based on "unverified facts, as opposed to demonstrably inaccurate assertions and flawed deductions." In addition to maintaining that its platform operates as a legitimate, consent-based bandwidth-sharing service, the company maintains that it does not compromise user devices or function without authorization. 

Synthient's analysis challenged that position, revealing that none of the twenty examined applications related to the ecosystem provided meaningful consent prompts before enrolling users' devices in bandwidth sharing operations, raising further questions about transparency in the software distribution process. 

Aside from cautioning that removing NetNut represents only the first phase of a much larger effort, Google also stressed that the company operates a large white-label reseller program that allows third parties to market access to the same residential proxy infrastructure under a variety of brand names. As the company points out, a number of residential proxy services which appear to be independent ultimately draw connectivity from the NetNut device pool, so disruptions can affect multiple brands simultaneously if one provider is disrupted. 

However, Google characterized the latest actions as degradation, not a complete takedown, pointing out that operators have previously restored capacity through the use of competing proxy providers to source infrastructure. As evidence of the resilience of these interconnected ecosystems, the company cited its disruption of the China-linked IPIDEA residential proxy network in January and its subsequent legal action against the operators of the BadBox 2.0 botnet, whose Android TV infrastructure is similar to Popa, which was launched in July 2025. 

In order to create long-term impact, sustained, coordinated disruption across multiple providers must be undertaken. According to researchers, consumers' access to residential proxy networks is most commonly facilitated by applications that offer financial rewards for "unused bandwidth" or "sharing internet access." It is highly recommended that security teams only install apps from trusted app stores, carefully review VPN and proxy software permission requests, enable protections such as Google Play Protect, and purchase smart TVs and streaming devices from reputable manufacturers to minimize the risk of preloaded or malicious software being installed. 

Additionally, the report warns that residential IP addresses will not be in short supply in the cybercriminal ecosystem following NetNut's disruption. In order to identify any reemergence of NetNut-related traffic, continued monitoring of reseller brands and successor infrastructure is essential. 

According to Alarum's corporate legal counsel, Omer Weiss, a statement following the operation was issued by the company in which it was made aware of the FBI's seizure of certain NetNut-related domains on July 2, 2026. According to Weiss, Alarum is seriously concerned about the matter and will work closely with law enforcement authorities to investigate any misuse of its infrastructure and support the pursuit of accountability for those responsible. 

 As a result of NetNut's disruption, an important step in challenging the growing abuse of residential proxy infrastructure has been achieved, but the disruption also underscores the increasingly interconnected nature of commercial services, compromised consumer devices, and cybercriminal operations as well.

In a rapidly evolving proxy ecosystem characterized by reseller networks and shared infrastructure, sustained collaboration between technology providers, law enforcement agencies, and cybersecurity professionals will remain crucial. Maintaining trusted software sources, enforcing built-in security protections, and monitoring for unauthorized network activity remain practical safeguards against a threat landscape that is becoming increasingly adaptable.
Share it:

Android Botnet

Command And Control

Cyber Attacks

Cyber Threats

FBI Cyber Operation

Google Play Protect

Google Threat Intelligence Group

NetNut

Proxy Botnet

Residential Proxy Network