Google, the FBI, and a coalition of industry partners have disrupted NetNut, a large-scale residential proxy botnet also tracked under the name Popa. The network is believed to have comprised more than 2 million Android devices, including smart TVs and streaming boxes, compromised through trojanized applications and malware including Badbox 2.0.

Scope and Operator

NetNut’s operator has been linked to Alarum Technologies Ltd, a publicly traded Israeli firm. The network was monetized by renting proxy access to a broad range of threat actors. In a single week during June, Google observed 316 distinct threat clusters leveraging NetNut to obscure their locations during password-spray attacks and to access victim environments. Beyond direct sales, NetNut operated a reseller program that allowed other brands to white-label the botnet’s capacity.

Actions Taken

Google’s response involved several coordinated actions:

  • Disabling Google accounts and associated services used for command-and-control infrastructure, dismantling the botnet’s backend.
  • Pushing removals of infected applications through Google Play Protect and automatically notifying affected device owners.
  • Sharing threat intelligence with law enforcement and industry partners.

Google stated that the operation reduced the available pool of compromised devices by millions, causing significant degradation to both the proxy network and NetNut’s business operations.

Broader Ecosystem Implications

The NetNut disruption follows the January takedown of IPIDEA, another residential proxy service. Google noted a behavioral pattern that complicates sustained suppression of these networks: when one botnet is degraded, its operators tend to purchase capacity from competing proxy services, effectively shifting the problem rather than eliminating it.

“We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers,” Google said in its disclosure.

The acknowledgment points to an ongoing challenge for defenders. Residential proxy botnets are attractive to threat actors precisely because traffic appears to originate from legitimate consumer devices, making detection and blocking significantly harder. Security teams should treat unusual authentication activity, particularly credential-stuffing and password-spray patterns sourced from residential IP ranges, as a continuing concern even following high-profile takedowns.
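As an added illustration of the check recommended above (this is example code written for this page, not part of Google's disclosure or the article), the following Python script runs a password-spray detector over a handful of authentication log lines. The log lines, the source IPs (RFC 5737 documentation ranges), the usernames and the "residential proxy range" list are all constructed for the example; in production the range list would come from a threat-intelligence feed. The spray signature is many distinct usernames from one source within a short window, with only one or two attempts per username, which is what distinguishes it from a brute-force run against a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample auth log (not from the article): timestamp,src_ip,username,result
SAMPLE_LOG = """\
2024-06-03T10:00:01Z,198.51.100.7,alice,FAIL
2024-06-03T10:00:03Z,198.51.100.7,bob,FAIL
2024-06-03T10:00:05Z,198.51.100.7,carol,FAIL
2024-06-03T10:00:07Z,198.51.100.7,dave,FAIL
2024-06-03T10:00:09Z,198.51.100.7,erin,FAIL
2024-06-03T10:00:11Z,198.51.100.7,frank,FAIL
2024-06-03T10:00:13Z,198.51.100.7,grace,SUCCESS
2024-06-03T10:01:00Z,203.0.113.10,alice,FAIL
2024-06-03T10:01:10Z,203.0.113.10,alice,FAIL
2024-06-03T10:01:20Z,203.0.113.10,alice,FAIL
2024-06-03T10:01:30Z,203.0.113.10,alice,SUCCESS
2024-06-03T12:00:00Z,192.0.2.55,heidi,SUCCESS
"""

# Constructed placeholder standing in for a residential-proxy egress feed.
RESIDENTIAL_PROXY_RANGES = [ip_network("198.51.100.0/24")]


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV-style sample format into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, src_ip, user, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src_ip,
            "user": user,
            "result": result,
        })
    return events


def is_residential_proxy(ip: str) -> bool:
    """True if the address falls inside a known residential-proxy range (constructed list)."""
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_RANGES)


def detect_password_spray(events: List[Dict],
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5,
                          max_per_user: int = 2) -> List[Dict]:
    """Flag source IPs whose failed logins within `window` hit at least `min_users`
    distinct accounts with no account tried more than `max_per_user` times.

    Keying on source IP is the simplest form; residential proxies rotate egress
    addresses, so in practice the same sliding window is also worth running
    keyed on ASN or /24 prefix.
    """
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAIL"]
        counts: Dict[str, int] = defaultdict(int)  # per-user failures inside the window
        start = 0
        for end, ev in enumerate(failures):
            counts[ev["user"]] += 1
            # Slide the window forward, dropping failures older than `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                old = failures[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                first_ts = failures[start]["ts"]
                alerts.append({
                    "src_ip": ip,
                    "distinct_users": len(counts),
                    "window_start": first_ts,
                    "residential_proxy": is_residential_proxy(ip),
                    # A success from the same source after the spray started is the
                    # event that needs triage: it is the account the spray got into.
                    "success_after_spray": any(
                        e["result"] == "SUCCESS" and e["ts"] >= first_ts for e in evs
                    ),
                })
                break  # one alert per source IP
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running it flags only 198.51.100.7: six accounts tried once each within seconds, from a range on the constructed proxy list, followed by a successful login. The three failures against `alice` from 203.0.113.10 are deliberately not reported; that is a single-account brute force, which per-account lockout and rate limiting address, not the low-and-slow spread a spray relies on to stay under those controls.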