SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Google disrupts NetNut proxy network in FBI operation

Fri, 3rd Jul 2026
Sean Mitchell, Publisher

Google has taken action against the NetNut residential proxy network in an operation carried out with the FBI, Lumen and other partners.

It disabled Google accounts and related services that NetNut used for malware command and control, shared technical intelligence on NetNut software development kits and backend infrastructure with platform providers, law enforcement and research firms, and updated Google Play Protect to warn users and disable applications known to include NetNut software.

NetNut, also known as Popa, is one of the largest residential proxy networks tracked by Google Threat Intelligence Group, which estimates it includes at least 2 million devices worldwide. The operation follows Google's earlier disruption of the IPIDEA proxy network and is part of a wider effort to dismantle malicious residential proxy services.

Residential proxy networks route internet traffic through IP addresses assigned by internet service providers to homes and consumers. This allows customers to mask their activity behind ordinary residential connections rather than data centre infrastructure.

Google says operators build these networks by placing code on consumer devices so they can be used as exit nodes. This can happen when malware is installed on devices before sale or when users download applications containing hidden proxy code.

That creates risks for consumers whose home connections are drawn into the network. Attackers can use those IP addresses as a launch point for hacking and other unauthorised activity, while legitimate traffic from the affected household may then be flagged as suspicious or blocked by service providers.

Scale of Use

Google believes the action has significantly degraded NetNut's network and business operations by reducing the available pool of devices by millions. It says NetNut sells access to its network under its own brand and through a reseller programme that allows other providers to white-label the service.

That reseller structure means the impact may extend beyond a single brand. Google says it has high confidence that many well-known residential proxy brands are in fact white-labelling the NetNut botnet.

Earlier action against IPIDEA showed that individual networks can appear resilient even after disruption. In those cases, operators whose own botnets have been weakened can buy capacity from competitors and continue operating as resellers.

That has made the market more fluid and interconnected. Google says it plans to continue observing the composition of the NetNut network and map how related operators adapt.

Threat Activity

Google linked NetNut to a wide range of malicious activity. In one week in June, it observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.

Those groups used the network to obscure the origin of connections when accessing victim environments, reaching their own infrastructure and carrying out password spray attacks. Google also identified NetNut botnet plugin components in larger botnets such as Badbox 2.0.

Public reporting cited by Google tied the network's growth to software development kits distributed through devices commonly found in homes, including smart televisions and streaming boxes. Other researchers have documented the use of NetNut to infect devices with variants of Mirai distributed denial-of-service botnets.

Google also warned that when a consumer device becomes an exit node, unauthorised traffic passes through it and may give attackers a route to other private devices on the same home network. That can expose household devices to broader internet threats.

Consumer Protections

As part of the operation, Play Protect on Android devices now automatically warns users about applications known to incorporate NetNut software and disables those apps. Google says the system will continue to protect users against future installation attempts.

It urged consumers to be cautious about applications that offer payment in return for "unused bandwidth" or "sharing your internet", saying such offers are a common way for malicious proxy networks to expand. It also advised users to rely on official app stores, review permissions for third-party virtual private network and proxy apps, and ensure built-in security protections remain active.

Google said buyers of connected devices such as set-top boxes should check that products come from reputable manufacturers. It pointed to the risk that some devices may be compromised before they reach consumers.

The action against NetNut reflects growing focus on residential proxy networks among technology companies, telecoms groups and law enforcement agencies. Google says the market is expanding rapidly and depends on overlapping botnet infrastructure that is repeatedly resold across providers.

It says continued co-ordination across mobile platforms, internet service providers and other technology platforms will be needed to block malicious command-and-control infrastructure and reduce the long-term presence of these networks.