Google and FBI Disrupt NetNut Residential Proxy Network Tied to 2 Million Home Devices
Google says it has disrupted the NetNut residential proxy network, also known as Popa, after finding that the network relied on at least 2 million home devices worldwide.
The company worked with the FBI, Lumen, and other partners to reduce the pool of devices available to NetNut by millions, according to the Google Threat Intelligence Group.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The action targeted accounts, services, software development kits, and backend command-and-control infrastructure used to operate the proxy network. The FBI also seized domains tied to NetNut and the Popa botnet, according to KrebsOnSecurity.
What Google Did Against NetNut
Google said it disabled Google accounts and associated services that NetNut used for malware command-and-control activity. It also shared technical intelligence with law enforcement, platform providers, and security researchers.
Google Play Protect was updated to warn users and disable apps known to include NetNut SDKs. The company said this protection will continue to block future installation attempts involving those known components.
The operation builds on Google’s January 2026 disruption of IPIDEA, another large residential proxy network. Google said the proxy industry remains deeply interconnected, with operators often buying capacity from competitors when their own networks shrink.
| Detail | What was reported |
|---|---|
| Targeted network | NetNut, also tracked as Popa |
| Estimated size | At least 2 million devices worldwide |
| Partners involved | Google, FBI, Lumen, Shadowserver, and others |
| Main action | Accounts disabled, domains seized, intelligence shared, apps blocked |
| Main risk | Home devices used as proxy exit nodes for cybercrime and espionage activity |
Why Residential Proxy Networks Are Dangerous
Residential proxy networks route traffic through real consumer internet connections. That makes malicious activity look like it comes from normal home users instead of attacker-controlled infrastructure.
These networks can support credential stuffing, password spraying, ad fraud, scraping, account takeovers, and attempts to hide espionage activity. Google said suspected NetNut exit nodes were used by 316 distinct threat clusters in one week during June 2026.
According to Reuters, Google said it weakened a network of internet-connected devices that was being used to conceal and route malicious online traffic.
How Home Devices Became Proxy Nodes
Google said home devices can enter proxy networks through pre-installed malware or through apps that contain hidden proxy code. Devices commonly mentioned in public reporting include smart TVs, streaming boxes, and other Android-based consumer hardware.
That means many owners may not realize their device has been enrolled into someone else’s proxy service. Once enrolled, their home IP address can carry traffic from unknown outside users.
This can create direct problems for households. Google warned that legitimate user traffic could be flagged as suspicious or blocked by internet providers and online services if the home IP address becomes associated with abusive activity.
- Cheap or unofficial streaming boxes can carry hidden software.
- Pirated streaming apps can bundle unwanted proxy components.
- Apps offering payment for unused bandwidth can create security risks.
- Proxy nodes may expose other devices on the same home network to threats.
- Home IP addresses can be used to mask cybercrime or espionage traffic.
FBI Seizures Put NetNut Under More Pressure
The FBI seizure notice replaced NetNut-related infrastructure, while the Internal Revenue Service Criminal Investigation division was also credited in public reporting. KrebsOnSecurity reported that the seizure covered hundreds of domains associated with NetNut and the Popa botnet.
NetNut is operated by Alarum Technologies, a publicly traded Israeli company. Reuters reported that Alarum said it was aware of the FBI seizure of some domains and would cooperate with law enforcement.
Alarum has disputed the botnet characterization in public reporting, saying it takes misuse seriously. However, Google and several security firms have linked NetNut infrastructure to compromised or unknowingly enrolled consumer devices.
NetNut Was Widely Resold
Google said NetNut operated a reseller program that allowed other proxy brands to white-label its network. The company said it has high confidence that many popular residential proxy brands were repackaging the NetNut botnet.
This matters because shutting down one brand name may not remove all related abuse. If resellers depend on the same underlying device pool, disruption can ripple through multiple proxy services at once.
At the same time, Google warned that residential proxy operators can adapt. After IPIDEA was disrupted, some operators appeared to buy proxy capacity from rivals, turning themselves into resellers of other networks.
Security Firms Connected Popa to NetNut
Public investigations helped bring attention to the NetNut and Popa connection before the takedown. KrebsOnSecurity reported that multiple security firms had linked the Popa botnet to NetNut and Alarum Technologies.
The reporting described Popa as a collection of at least 2 million devices compromised with little or no meaningful consent from victims. The devices were then used as always-on residential proxy nodes.

Google’s own post said public reporting by KrebsOnSecurity and others, confirmed by Google, showed that NetNut populated its botnet through SDKs used on devices commonly found in homes.
What Device Owners Should Do
Google advised consumers to avoid apps that promise payment for unused bandwidth or internet sharing. These apps can turn a device into a proxy node and create security problems for the wider home network.
Users should stick to official app stores, review permissions for VPN and proxy apps, and keep built-in security tools active. Android users can follow Google’s Google Play Protect guidance to check whether protection is enabled.
Google also said buyers should choose reputable connected devices and confirm whether Android TV devices are Play Protect certified. The company maintains an official Android TV page listing partner brands.
Signs a Device May Be Involved
Residential proxy infections can be difficult for average users to spot. A device may still appear to stream video or run apps normally while routing third-party traffic in the background.
Warning signs can include unusual network activity, a home IP address getting blocked by websites, repeated CAPTCHA prompts, router traffic spikes, unknown apps, or streaming boxes that cannot receive trusted updates.

Users who suspect compromise should disconnect the device, remove suspicious apps, reset the device if possible, update firmware, and consider replacing hardware from unknown manufacturers.
| Device or app type | Risk | Recommended action |
|---|---|---|
| Unofficial Android TV boxes | May include pre-installed malware or hidden proxy components | Use reputable certified devices only |
| Pirated streaming apps | Can bundle unwanted SDKs or proxy code | Remove them and avoid sideloading |
| Bandwidth-sharing apps | Can route unknown traffic through the home connection | Avoid unless the risks are fully understood |
| Unknown VPN or proxy apps | Can expose browsing and network traffic | Review permissions and uninstall suspicious apps |
Google Says the Fight Is Not Over
The NetNut action marks another major step against residential proxy abuse, but Google said the industry remains fluid and connected. Operators can rebuild, resell capacity, or shift to other infrastructure.
The Google Threat Intelligence Group said lasting impact will require coordinated action against several connected providers, not only one network at a time.
For consumers, the practical advice is straightforward. Keep Play Protect enabled, avoid unknown streaming apps, and buy connected devices from trusted brands listed through official Android TV channels.
FAQ
NetNut is a residential proxy network operated by Alarum Technologies. Google and security researchers have linked NetNut to Popa, a large proxy botnet made up of at least 2 million home devices.
Google said it significantly degraded NetNut’s proxy network and reduced the available pool of devices by millions. Public reporting also says the FBI seized domains tied to NetNut and Popa, but Google warned that proxy operators can adapt through reselling and shared infrastructure.
Google Threat Intelligence Group estimated that the NetNut network included at least 2 million devices worldwide. These included consumer devices such as smart TVs and streaming boxes.
Residential proxy networks can route traffic through normal home internet connections. Attackers use them to hide their real location during password spraying, account takeover attempts, scraping, ad fraud, and other malicious activity.
Users should avoid unknown streaming apps, pirated apps, and apps that offer payment for sharing unused bandwidth. They should also use official app stores, keep Play Protect enabled, update devices, and choose reputable certified streaming hardware.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages