A joint operation involving Google, the FBI, Lumen Technologies, and The Shadowserver Foundation has disrupted NetNut, a residential proxy botnet also tracked as Popa, which routed malicious traffic through approximately two million compromised consumer devices worldwide.

What NetNut Was and How It Operated

NetNut gave cybercriminals and espionage groups access to infected Android devices, including smart TVs and streaming boxes, allowing them to disguise malicious traffic behind legitimate residential IP addresses. Devices were recruited into the botnet either through pre-installed malware or trojanized applications downloaded by users. One malware family tied to the network is Badbox 2.0, which packages proxy plugins into infected apps.

Once compromised, devices functioned as exit nodes, routing unauthorized traffic through their residential IP addresses. This can result in those devices being flagged or blocked by internet service providers and online platforms, affecting the device owners.

Scale and Threat Actor Usage

Google’s Threat Intelligence Group (GTIG) described NetNut as one of the largest residential proxy networks in the world. In a single week last month, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, spanning both cybercriminal and espionage activity. Threat actors leveraged the network to access their own infrastructure, conduct password-spraying attacks, and reach victim environments.
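The password-spraying use case above is what makes residential proxy botnets hard to defend against with per-source-IP controls: each attempt can arrive from a different consumer IP, so lockouts and rate limits keyed on the source address never trigger. The following is an added example (not code from Google, GTIG, or the article) of a detector that keys on the target tenant instead, flagging a time bucket in which many distinct accounts each see one or two failures from a near-unique set of source IPs. The log format, thresholds, and the RFC 5737 documentation-range addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). Fields:
# timestamp, username, source IP, outcome.
# The 10:00 bucket models a low-and-slow spray through rotating exit nodes:
# eight accounts, one failure each, every attempt from a different IP.
# The 11:00 bucket is a single-account brute force plus normal logins, which
# per-IP lockouts already handle and which this rule deliberately ignores.
SAMPLE_LOG = """\
2024-03-04T10:00:05Z alice 203.0.113.10 FAIL
2024-03-04T10:00:41Z bob 198.51.100.22 FAIL
2024-03-04T10:01:17Z carol 203.0.113.77 FAIL
2024-03-04T10:02:03Z dave 198.51.100.5 FAIL
2024-03-04T10:03:30Z erin 203.0.113.140 FAIL
2024-03-04T10:04:12Z frank 198.51.100.201 FAIL
2024-03-04T10:05:48Z grace 203.0.113.9 FAIL
2024-03-04T10:07:30Z heidi 198.51.100.88 FAIL
2024-03-04T11:00:02Z ivan 192.0.2.5 FAIL
2024-03-04T11:00:09Z ivan 192.0.2.5 FAIL
2024-03-04T11:00:15Z ivan 192.0.2.5 FAIL
2024-03-04T11:00:40Z ivan 192.0.2.5 OK
2024-03-04T11:03:11Z judy 192.0.2.44 OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one whitespace-separated log line into an AuthEvent."""
    ts, user, src_ip, outcome = line.split()
    # Accept the trailing 'Z' on older Pythons by mapping it to an explicit offset.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return AuthEvent(when, user, src_ip, outcome == "OK")


def max_failures_per_ip(events) -> int:
    """What a per-source-IP lockout would see: the busiest single IP's failure count."""
    per_ip = Counter(e.src_ip for e in events if not e.ok)
    return max(per_ip.values(), default=0)


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=2, min_ip_ratio=0.8):
    """Flag time buckets that look like a spray routed through rotating proxies.

    A bucket is flagged when at least `min_users` distinct accounts failed,
    no single account failed more than `max_per_user` times (low and slow),
    and the number of distinct source IPs is at least `min_ip_ratio` of the
    number of targeted accounts (each attempt comes from a fresh exit node).
    """
    bucket_seconds = window.total_seconds()
    buckets = defaultdict(list)
    for e in events:
        if not e.ok:
            buckets[int(e.ts.timestamp() // bucket_seconds)].append(e)

    alerts = []
    for key in sorted(buckets):
        fails = buckets[key]
        per_user = Counter(e.user for e in fails)
        distinct_ips = {e.src_ip for e in fails}
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user
                and len(distinct_ips) / len(per_user) >= min_ip_ratio):
            alerts.append({
                "bucket_start": datetime.fromtimestamp(key * bucket_seconds, tz=timezone.utc),
                "failures": len(fails),
                "distinct_users": len(per_user),
                "distinct_ips": len(distinct_ips),
                "max_attempts_per_user": max(per_user.values()),
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample log and return its alerts."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_spray(events)


if __name__ == "__main__":
    evts = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    print("busiest single IP failure count:", max_failures_per_ip(evts))
    for alert in detect_spray(evts):
        print(alert)
```

Running it reports a busiest-IP failure count of 3 (ivan's ordinary brute force, which a per-IP lockout would catch) while the only spray alert is the 10:00 bucket, where every IP failed exactly once. The thresholds are deliberately tenant-level: a real deployment would tune `min_users` and `window` to the organisation's baseline of distinct failing accounts per interval and would pair this rule with a residential-proxy reputation feed where one is available.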

Takedown Actions

The FBI seized the netnut.com domain along with other domains associated with the operation. Google disabled accounts and services on its infrastructure that NetNut operators used for malware command-and-control, cutting off access to critical backend systems. Google Play Protect was used to automatically warn users and disable infected applications on Android devices. Google also shared technical details on NetNut’s SDKs and C2 infrastructure with platform providers, law enforcement, and security researchers.

Broader Industry Impact

NetNut operated a reseller program that allowed other proxy services to white-label its network capacity, meaning many popular residential proxy services depended on NetNut as an upstream provider. Google noted that disrupting NetNut is expected to have a cascading effect across the proxy industry. However, the company acknowledged that disruptions often push operators to purchase replacement capacity from competing providers, underscoring the resilience of the proxy ecosystem.

This action follows Google’s earlier disruption of the IPIDEA residential proxy network and reflects an ongoing effort to dismantle infrastructure that enables anonymous malicious traffic at scale.