Google disrupted NetNut, a major proxy network used by cybercriminals that routed internet traffic through compromised home devices.
Google has disrupted NetNut, one of the world’s largest residential proxy networks. The service routed internet traffic through home devices, allowing customers to hide their real location and identity.
“Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa,” reads Google’s announcement. “This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks.”
While proxy services have legitimate uses, networks like NetNut are also widely abused by cybercriminals for fraud, account takeovers, web scraping, and other malicious activities.
NetNut is composed of approximately 2 million compromised home devices. It turns smart TVs, streaming boxes, and other consumer devices into proxy nodes, allowing cybercriminals and espionage groups to hide their identity. Owners often have no idea their devices are being misused, exposing their home networks to additional threats while their internet connections can be abused for hacking, password spraying, fraud, and DDoS attacks.
“In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks,” states the announcement. “Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it.”
Google warns users to avoid apps that promise money for sharing “unused bandwidth” or internet access, as they are often used to build malicious proxy networks. Download apps only from trusted stores, review VPN and proxy permissions, and keep security features like Google Play Protect enabled. When buying connected devices such as TV boxes, choose reputable brands and verify they are Play Protect certified to reduce the risk of compromise.
“While point-in-time disruptions are a critical tool to protect our users, continued and coordinated effort is needed to reduce malicious proxy networks in the long run,” concludes the announcement. “We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and to take direct action to block malicious C2 infrastructure.”
Cybersecurity firms involved in the investigation linked NetNut to Alarum Technologies, although the company denies operating a botnet and says users consent to bandwidth sharing. Researchers dispute that claim, reporting no clear user consent in tested apps. Google’s disruption has weakened NetNut by removing millions of compromised devices, but Google warns the threat remains because many proxy providers resell the same infrastructure. Experts believe the takedown will significantly disrupt cybercriminals while also reducing abuse tied to large DDoS botnets.
“Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” Omer Weiss, legal counsel for NetNut parent Alarum Technologies, said in a written statement, as reported by KrebsOnSecurity.
Synthient founder Benjamin Brundage recently reported he believes the operation is a major setback for cybercriminals, especially after Google’s earlier action against IPIDEA, NetNut’s main competitor, significantly weakened another key source of residential proxy infrastructure.
“As KrebsOnSecurity has warned repeatedly, most of the no-name TV streaming boxes for sale on the major e-commerce websites either come pre-installed with residential proxy software, or require the installation of proxy SDKs in order to use the device for its stated purpose (streaming pirated movies, sporting events and TV shows),” concludes KrebsOnSecurity. “Google’s advice here is sound: When it comes to TV boxes, stick to name brands from reputable manufacturers, and then be sparing and judicious with any apps you choose to install.”
Source: SecurityAffairs
Source Link: https://securityaffairs.com/194690/cyber-crime/law-enforcememt-operation-disrupted-malicious-residential-proxy-networks-netnut.html
