In early July 2026, a coordinated international effort led by Google and the FBI successfully dismantled NetNut, a massive residential proxy network that had compromised over two million Android devices globally. This disruption significantly curtailed cybercriminal and espionage activities that relied on NetNut to mask their origins, safeguarding countless unsuspecting home users from illicit traffic routing through their devices.
Major Cybercrime Infrastructure Taken Down
A significant international operation, spearheaded by Google and the Federal Bureau of Investigation (FBI), has successfully disrupted NetNut, a vast residential proxy network that exploited millions of compromised Android devices. This action, which unfolded around July 2-3, 2026, targeted a critical piece of infrastructure used by cybercriminals and state-sponsored espionage groups to conceal their online activities. The takedown is expected to severely impact malicious actors who relied on the network's ability to route traffic through legitimate home internet addresses.
The Anatomy of a Residential Proxy Botnet
NetNut, also identified by security researchers as the Popa botnet, leveraged an estimated two million Android devices, including smart TVs and streaming boxes, turning them into unwitting conduits for illicit internet traffic. These devices typically became compromised through malicious or trojanized applications downloaded by users, or in some cases, via malware like Badbox 2.0 that was pre-installed on low-cost, uncertified hardware before purchase. Residential proxy networks function by routing a customer's internet traffic through an IP address that an Internet Service Provider (ISP) assigned to a real household, so the malicious activity appears to originate from a legitimate home user and slips past defenses that key on data-center or known-proxy address ranges.
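From the home network's side, a device that has been turned into a proxy exit looks different from a healthy streaming box: instead of a small, stable set of CDN destinations it fans out to many unrelated hosts and ports on behalf of other people's traffic. The following script is an added example, not code from the article or from any of the organisations it names; it applies that idea to constructed flow records (of the kind a router's NetFlow/IPFIX export would produce) and flags devices whose distinct-destination count exceeds an assumed per-device-class ceiling. The device inventory, thresholds and sample flows are all assumptions made for illustration.

```python
"""Flag home-network devices whose outbound traffic looks like proxy egress.

Added example, not from the original article. Flow records are constructed
inline to stand in for a router's NetFlow/IPFIX export; the device inventory
and per-class ceilings are assumed values chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal device address
    dst_ip: str     # external destination
    dst_port: int
    bytes_out: int
    bytes_in: int


# Assumed inventory: device class per internal address (in practice taken
# from DHCP leases or MAC vendor lookups).
DEVICE_CLASS = {"10.0.0.11": "laptop", "10.0.0.20": "smart-tv", "10.0.0.21": "smart-tv"}

# Assumed ceiling on distinct external destinations per observation window.
# A streaming box normally talks to a handful of CDN/telemetry hosts; a
# general-purpose laptop legitimately reaches far more.
MAX_DISTINCT_DSTS = {"laptop": 200, "smart-tv": 15, "unknown": 50}


def constructed_flows():
    """Constructed sample: one laptop, one healthy TV, one TV relaying traffic."""
    flows = []
    for i in range(12):                      # laptop: ordinary browsing
        flows.append(Flow("10.0.0.11", f"198.51.100.{i + 1}", 443, 4000, 60000))
    for i in range(3):                       # healthy TV: three CDN hosts, mostly download
        flows.append(Flow("10.0.0.21", f"198.51.100.{50 + i}", 443, 2000, 500000))
    for i in range(40):                      # relaying TV: 40 unrelated hosts, mixed ports
        port = (80, 443, 8080)[i % 3]
        flows.append(Flow("10.0.0.20", f"203.0.113.{i + 1}", port, 30000, 30000))
    return flows


def summarize(flows):
    """Aggregate per-device destination fan-out and byte counts."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        s = stats[f.src]
        s["dsts"].add(f.dst_ip)
        s["ports"].add(f.dst_port)
        s["bytes_out"] += f.bytes_out
        s["bytes_in"] += f.bytes_in
    return stats


def flag_proxy_like(flows):
    """Return devices whose distinct-destination count exceeds their class ceiling."""
    findings = []
    for src, s in summarize(flows).items():
        cls = DEVICE_CLASS.get(src, "unknown")
        limit = MAX_DISTINCT_DSTS[cls]
        n = len(s["dsts"])
        if n > limit:
            findings.append({
                "device": src,
                "class": cls,
                "distinct_dsts": n,
                "limit": limit,
                "ports": sorted(s["ports"]),
                # Roughly symmetric byte counts are another hint that the device is
                # relaying rather than consuming content.
                "upload_ratio": round(s["bytes_out"] / max(s["bytes_in"], 1), 2),
            })
    return sorted(findings, key=lambda f: f["device"])


if __name__ == "__main__":
    for finding in flag_proxy_like(constructed_flows()):
        print(finding)
```

The heuristic is deliberately coarse: it only says "this streaming box is behaving like a browser farm", which is the trigger to pull the device off the network and check its installed apps and certification status, not a verdict on its own. In a real deployment the ceilings would be learned per device from a quiet baseline window rather than hard-coded.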
Coordinated Global Response
The dismantling of the NetNut botnet was the result of a broad collaboration involving Google's Threat Intelligence Group (GTIG), the FBI, Lumen Technologies' Black Lotus Labs, The Shadowserver Foundation, and the US Internal Revenue Service's (IRS) Criminal Investigation division. Google's role included disabling accounts and associated services that NetNut operators used for command-and-control (C2) operations, effectively cutting off the botnet's backend infrastructure. Furthermore, Google Play Protect, Android's built-in security, was updated to automatically warn users and disable applications known to incorporate NetNut's malicious Software Development Kits (SDKs).
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions," Google stated in an official communication.
The FBI complemented these technical measures by seizing hundreds of domains linked to NetNut, including netnut.com, which was replaced with a federal seizure notice. This operation builds upon previous successes, such as the disruption of the IPIDEA proxy network in January 2026, demonstrating a sustained effort to combat such malicious services.
- Google disabled NetNut's command-and-control infrastructure by shutting down associated Google accounts and services.
- The FBI seized hundreds of domains, including netnut.com, effectively blinding parts of the network.
- Google Play Protect was updated to identify and disable applications containing NetNut's malicious SDKs.
What This Means
The disruption of NetNut underscores the growing threat posed by residential proxy networks and the proactive measures being taken by law enforcement and technology companies. For professionals, developers, and informed tech enthusiasts, this event highlights the importance of supply chain security for connected devices. Uncertified or low-cost Android devices, particularly smart TVs and streaming boxes, can be pre-infected with malware like Badbox 2.0, turning them into unwitting participants in global cybercrime operations. Users of such devices face risks including their home IP addresses being used for hacking, fraud, and espionage, potentially leading to their legitimate internet traffic being flagged or blocked by Internet Service Providers (ISPs). This incident also demonstrates the effectiveness of cross-industry and international collaboration in tackling sophisticated cyber threats.
Key Points
- NetNut, also known as Popa, compromised over 2 million Android devices globally, including smart TVs and streaming boxes.
- The operation involved Google's Threat Intelligence Group, the FBI, Lumen Technologies, The Shadowserver Foundation, and the IRS Criminal Investigation division.
- Compromised devices were used by cybercriminals and espionage groups to mask their identities for activities like password spraying and data scraping.
- Google disabled command-and-control infrastructure and updated Google Play Protect to remove malicious applications.
- The FBI seized hundreds of NetNut-associated domains, including netnut.com.
The Bottom Line
The successful disruption of the NetNut residential proxy network marks a significant victory against organized cybercrime, demonstrating that coordinated international efforts can effectively dismantle large-scale malicious infrastructure. While millions of devices have been cut off from the botnet, the underlying threat of compromised consumer devices remains. Users should remain vigilant about the security of their smart devices and the applications they install, prioritizing products from reputable vendors to mitigate risks of becoming part of future botnets.
