Google and its partners have disrupted the NetNut proxy network, one of the world’s largest residential proxy services, cutting off access to an estimated two million compromised Android devices. The operation targeted infrastructure that cybercriminals and espionage groups used to hide malicious activity behind legitimate home internet connections.

Google Targets Massive Residential Proxy Network

The Google Threat Intelligence Group (GTIG) said NetNut, also known as Popa, controlled at least two million infected devices worldwide.

The botnet primarily relied on compromised Android devices, including smart TVs, streaming boxes, and other internet-connected consumer hardware.

GTIG said attackers infected many devices through trojanized applications or malware bundled with software before the devices reached consumers. Some infections also came from botnets such as Badbox 2.0, which installed proxy plugins on vulnerable devices.

How the NetNut Proxy Network Worked

Residential proxy networks allow attackers to route internet traffic through compromised home devices.

Instead of using suspicious servers, threat actors hide behind legitimate residential IP addresses. That approach helps them avoid detection while launching cyberattacks.

Victims often remain unaware that their devices are forwarding malicious traffic. However, internet providers and online services may eventually flag or block the infected devices because of the suspicious activity.

FBI and Google Coordinate Global Disruption

The takedown involved Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and several other industry partners.

As part of the operation, the FBI seized domains used by the NetNut proxy network, including netnut.com.

Google also disabled the accounts and services that NetNut operators used to manage malware command-and-control (C2) infrastructure. The company said the action blocked access to critical backend systems used to operate the botnet.

Hundreds of Threat Groups Used NetNut

GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes during a single week last month.

Researchers said cybercriminals and espionage groups relied on the service to access their own infrastructure, launch password-spraying attacks, and reach victim networks without exposing their real locations.

The platform ranked among the largest residential proxy services available to threat actors.

Google Protects Android Users

Google used Play Protect to help limit the impact of the botnet.

The company automatically warned affected Android users and disabled malicious applications running on infected devices.

Google also shared technical intelligence about NetNut’s software development kits (SDKs) and command-and-control infrastructure with law enforcement agencies, cybersecurity researchers, and platform providers.

Disruption Could Affect the Entire Proxy Market

Google believes the operation will affect more than just NetNut.

According to the company, NetNut operated an extensive reseller program that allowed other proxy providers to white-label its infrastructure.

Security researchers say many residential proxy services buy and resell capacity from competing providers. As a result, disrupting one of the industry’s largest networks could affect multiple proxy services that depend on the same infrastructure.

The operation follows Google’s earlier disruption of the IPIDEA residential proxy botnet and forms part of the company’s broader effort to dismantle large-scale residential proxy networks.


0 responses to “NetNut Proxy Network Disrupted as Google Cuts Off 2 Million Infected Devices”