Google and FBI Disrupt NetNut Residential Proxy Network Tied to 2 Million Home Devices


Google says it has disrupted the NetNut residential proxy network, also known as Popa, after finding that the network relied on at least 2 million home devices worldwide.

The company worked with the FBI, Lumen, and other partners to reduce the pool of devices available to NetNut by millions, according to the Google Threat Intelligence Group.

The action targeted accounts, services, software development kits, and backend command-and-control infrastructure used to operate the proxy network. The FBI also seized domains tied to NetNut and the Popa botnet, according to KrebsOnSecurity.

What Google Did Against NetNut

Google said it disabled Google accounts and associated services that NetNut used for malware command-and-control activity. It also shared technical intelligence with law enforcement, platform providers, and security researchers.

Google Play Protect was updated to warn users and disable apps known to include NetNut SDKs. The company said this protection will continue to block future installation attempts involving those known components.

The operation builds on Google’s January 2026 disruption of IPIDEA, another large residential proxy network. Google said the proxy industry remains deeply interconnected, with operators often buying capacity from competitors when their own networks shrink.

| Detail | What was reported |
| --- | --- |
| Targeted network | NetNut, also tracked as Popa |
| Estimated size | At least 2 million devices worldwide |
| Partners involved | Google, FBI, Lumen, Shadowserver, and others |
| Main action | Accounts disabled, domains seized, intelligence shared, apps blocked |
| Main risk | Home devices used as proxy exit nodes for cybercrime and espionage activity |

Why Residential Proxy Networks Are Dangerous

Residential proxy networks route traffic through real consumer internet connections. That makes malicious activity look like it comes from normal home users instead of attacker-controlled infrastructure.

These networks can support credential stuffing, password spraying, ad fraud, scraping, account takeovers, and attempts to hide espionage activity. Google said suspected NetNut exit nodes were used by 316 distinct threat clusters in one week during June 2026.

According to Reuters, Google said it weakened a network of internet-connected devices that was being used to conceal and route malicious online traffic.

How Home Devices Became Proxy Nodes

Google said home devices can enter proxy networks through pre-installed malware or through apps that contain hidden proxy code. Devices commonly mentioned in public reporting include smart TVs, streaming boxes, and other Android-based consumer hardware.

That means many owners may not realize their device has been enrolled into someone else’s proxy service. Once enrolled, their home IP address can carry traffic from unknown outside users.

This can create direct problems for households. Google warned that legitimate user traffic could be flagged as suspicious or blocked by internet providers and online services if the home IP address becomes associated with abusive activity.

  • Cheap or unofficial streaming boxes can carry hidden software.
  • Pirated streaming apps can bundle unwanted proxy components.
  • Apps offering payment for unused bandwidth can create security risks.
  • Proxy nodes may expose other devices on the same home network to threats.
  • Home IP addresses can be used to mask cybercrime or espionage traffic.

FBI Seizures Put NetNut Under More Pressure

An FBI seizure notice was posted in place of NetNut-related infrastructure, and public reporting also credited the Internal Revenue Service Criminal Investigation division. KrebsOnSecurity reported that the seizure covered hundreds of domains associated with NetNut and the Popa botnet.

NetNut is operated by Alarum Technologies, a publicly traded Israeli company. Reuters reported that Alarum said it was aware of the FBI seizure of some domains and would cooperate with law enforcement.

Alarum has disputed the botnet characterization in public reporting, saying it takes misuse seriously. However, Google and several security firms have linked NetNut infrastructure to compromised or unknowingly enrolled consumer devices.

NetNut Was Widely Resold

Google said NetNut operated a reseller program that allowed other proxy brands to white-label its network. The company said it has high confidence that many popular residential proxy brands were repackaging the NetNut botnet.

This matters because shutting down one brand name may not remove all related abuse. If resellers depend on the same underlying device pool, disruption can ripple through multiple proxy services at once.

At the same time, Google warned that residential proxy operators can adapt. After IPIDEA was disrupted, some operators appeared to buy proxy capacity from rivals, turning themselves into resellers of other networks.

Security Firms Connected Popa to NetNut

Public investigations helped bring attention to the NetNut and Popa connection before the takedown. KrebsOnSecurity reported that multiple security firms had linked the Popa botnet to NetNut and Alarum Technologies.

The reporting described Popa as a collection of at least 2 million devices compromised with little or no meaningful consent from victims. The devices were then used as always-on residential proxy nodes.

Google’s own post said public reporting by KrebsOnSecurity and others, confirmed by Google, showed that NetNut populated its botnet through SDKs used on devices commonly found in homes.

What Device Owners Should Do

Google advised consumers to avoid apps that promise payment for unused bandwidth or internet sharing. These apps can turn a device into a proxy node and create security problems for the wider home network.

Users should stick to official app stores, review permissions for VPN and proxy apps, and keep built-in security tools active. Android users can follow Google’s Google Play Protect guidance to check whether protection is enabled.

Google also said buyers should choose reputable connected devices and confirm whether Android TV devices are Play Protect certified. The company maintains an official Android TV page listing partner brands.

Signs a Device May Be Involved

Residential proxy infections can be difficult for average users to spot. A device may still appear to stream video or run apps normally while routing third-party traffic in the background.

Warning signs can include unusual network activity, a home IP address getting blocked by websites, repeated CAPTCHA prompts, router traffic spikes, unknown apps, or streaming boxes that cannot receive trusted updates.

Users who suspect compromise should disconnect the device, remove suspicious apps, reset the device if possible, update firmware, and consider replacing hardware from unknown manufacturers.

| Device or app type | Risk | Recommended action |
| --- | --- | --- |
| Unofficial Android TV boxes | May include pre-installed malware or hidden proxy components | Use reputable certified devices only |
| Pirated streaming apps | Can bundle unwanted SDKs or proxy code | Remove them and avoid sideloading |
| Bandwidth-sharing apps | Can route unknown traffic through the home connection | Avoid unless the risks are fully understood |
| Unknown VPN or proxy apps | Can expose browsing and network traffic | Review permissions and uninstall suspicious apps |

Google Says the Fight Is Not Over

The NetNut action marks another major step against residential proxy abuse, but Google said the industry remains fluid and connected. Operators can rebuild, resell capacity, or shift to other infrastructure.

The Google Threat Intelligence Group said lasting impact will require coordinated action against several connected providers, not only one network at a time.

For consumers, the practical advice is straightforward. Keep Play Protect enabled, avoid unknown streaming apps, and buy connected devices from trusted brands listed through official Android TV channels.

FAQ

What is NetNut?

NetNut is a residential proxy network operated by Alarum Technologies. Google and security researchers have linked NetNut to Popa, a large proxy botnet made up of at least 2 million home devices.

Did Google dismantle NetNut completely?

Google said it significantly degraded NetNut’s proxy network and reduced the available pool of devices by millions. Public reporting also says the FBI seized domains tied to NetNut and Popa, but Google warned that proxy operators can adapt through reselling and shared infrastructure.

How many devices were involved in the NetNut proxy network?

Google Threat Intelligence Group estimated that the NetNut network included at least 2 million devices worldwide. These included consumer devices such as smart TVs and streaming boxes.

Why are residential proxy networks dangerous?

Residential proxy networks can route traffic through normal home internet connections. Attackers use them to hide their real location during password spraying, account takeover attempts, scraping, ad fraud, and other malicious activity.

How can users protect home devices from proxy malware?

Users should avoid unknown streaming apps, pirated apps, and apps that offer payment for sharing unused bandwidth. They should also use official app stores, keep Play Protect enabled, update devices, and choose reputable certified streaming hardware.
