HomeTechGoogle disrupts NetNut residential proxy network built on 2 million devices

Google disrupts NetNut residential proxy network built on 2 million devices

Google LLC has disrupted NetNut, one of the largest residential proxy networks in operation, degrading a service that had turned more than 2 million home devices worldwide into relays for other people’s internet traffic.

The action was carried out in coordination with the U.S. Federal Bureau of Investigation, Lumen Technologies Inc. and others. Google’s Threat Intelligence Group said the effort reduced the pool of devices available to the proxy operator by millions and caused significant degradation to the network and its business. The FBI seized several NetNut domains as part of the operation.

NetNut, also tracked as Popa, sells access to residential internet addresses that let buyers route traffic through real home connections. That makes malicious activity look like ordinary browsing rather than the data center traffic that security tools tend to block. Google estimates the network spans at least 2 million devices, many of them smart TVs and streaming boxes that were either shipped with the proxy code preinstalled or picked it up through free apps that concealed it.

Google took three main steps. It disabled Google accounts and services NetNut used for malware command and control. It also shared technical intelligence on the network’s software development kits and back-end infrastructure with platform providers, law enforcement and research firms. Finally it set Google Play Protect to warn users and disable applications carrying NetNut SDKs.

The scale of abuse is substantial. In a single week in June, the Threat Intelligence Group counted 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. Attackers used the network to mask their origin, reach victim environments and run password spray attacks. Google said devices turned into exit nodes also give outside traffic a path into home networks, exposing other devices on the same connection.

Unlike most proxy botnets, NetNut traces back to a public company. It is owned by Alarum Technologies Ltd., an Israeli firm listed on the Nasdaq. NetNut was founded in 2017. In June, researchers at Qurium Media Foundation, Synthient LLC, Nokia Deepfield and Spur Intelligence Inc. tied Popa to NetNut, and Synthient reported that none of the more than 20 apps it examined showed users a consent prompt.

Alarum rejects the botnet characterization. The company called the research “demonstrably inaccurate assertions and flawed deductions rather than verified facts” and said its software supports consented bandwidth sharing that does not compromise the devices it runs on.

Google framed the takedown as degradation rather than a kill. NetNut runs a reseller program that lets other companies sell its network under their own brands and Google said it has high confidence that many seemingly independent proxy services are white-labeling the same pool. The company disrupted the China-based IPIDEA network in January and sued the operators of the Badbox 2.0 botnet in July 2025. In both cases the networks proved resilient as operators bought capacity from rivals.

Image: NetNut

Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.

  • 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
  • 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.

About SiliconANGLE Media

SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.

 

Must Read

spot_img