A coordinated international effort led by Google and the Federal Bureau of Investigation (FBI) has successfully dismantled NetNut, a major residential proxy network also known as the Popa botnet. The operation, which took place on July 2-3, 2026, disconnected an estimated two million compromised Android devices, including smart TVs and streaming boxes, that were being exploited by cybercriminals and espionage groups.
Major Cybercrime Proxy Network Shut Down
In a significant blow to global cybercrime, a collaborative operation involving Google's Threat Intelligence Group (GTIG) and the FBI has disrupted the NetNut residential proxy network. This action, announced on July 2, 2026, effectively severed access for millions of consumer devices that were unknowingly routing malicious internet traffic.
NetNut's Extensive Reach and Malicious Operations
NetNut, also identified as the Popa botnet, leveraged at least two million compromised devices worldwide, primarily Android-based smart TVs and streaming boxes, to create a vast network of residential proxies. These devices became part of the botnet through pre-installed malware or trojanized applications, such as those associated with Badbox 2.0, which secretly embedded proxy plugins. The network's operator, linked to the publicly traded Israeli firm Alarum Technologies, rented access to these compromised home IP addresses, allowing threat actors to conceal their true identities and origins when conducting various illicit activities.
Coordinated Takedown Efforts and Industry Response
The dismantling of the NetNut botnet was the result of a comprehensive effort involving Google, the FBI, Lumen Technologies' Black Lotus Labs, The Shadowserver Foundation, and the US Internal Revenue Service (IRS) Criminal Investigation division. The FBI seized hundreds of domains associated with NetNut, including netnut.com, replacing the main website with a federal seizure notice.
"We believe our coordinated actions have caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions." – Google Threat Intelligence Group
Google's specific contributions included disabling accounts and services used by NetNut for command-and-control (C2) infrastructure, which violated Google's terms of service. The company also shared critical technical intelligence regarding NetNut's software development kits (SDKs) and backend systems with law enforcement and industry partners. Furthermore, Google Play Protect, Android's integrated security feature, was updated to automatically warn users and disable applications known to contain NetNut SDKs.
- In a single week during June 2026, GTIG observed 316 distinct clusters of threat actors utilizing suspected NetNut exit nodes for cybercriminal and espionage activities.
- Malicious actors employed NetNut to mask their IP addresses during password-spraying attacks, credential stuffing, advertising fraud, and unauthorized access to victim environments.
- This operation follows Google's successful disruption of the IPIDEA proxy network in January 2026, signaling an ongoing commitment to combating malicious residential proxy services.
What This Means
The disruption of NetNut represents a substantial victory in the ongoing battle against large-scale cybercrime infrastructure. For professionals and developers, this event highlights the persistent threat posed by compromised consumer devices and the sophisticated methods used to build and monetize botnets. It underscores the critical importance of secure software supply chains and robust device security. While this takedown significantly impacts threat actors, the fluid nature of the residential proxy ecosystem suggests that new or existing networks may attempt to fill the void. This incident also serves as a reminder for consumers to be vigilant about the applications they install, particularly those offering incentives for sharing internet bandwidth, and to ensure their smart devices are from reputable manufacturers with official certifications like Android TV OS and Play Protect.
Key Points
- Google and the FBI led a joint operation on July 2-3, 2026, to disrupt the NetNut residential proxy network.
- The takedown severed an estimated 2 million compromised Android devices, including smart TVs and streaming boxes, from the botnet.
- NetNut, also known as Popa, was used by hundreds of cybercriminal and espionage groups to hide malicious traffic.
- The FBI seized hundreds of NetNut-associated domains, while Google disabled command-and-control infrastructure and updated Play Protect.
- NetNut's parent company, Alarum Technologies, acknowledged the domain seizures and pledged cooperation.
The Bottom Line
The coordinated disruption of NetNut demonstrates the increasing effectiveness of international law enforcement and tech industry partnerships in dismantling major cybercrime infrastructure. While this operation has significantly degraded a key enabler for malicious activity, the underlying challenge of compromised consumer devices and the adaptability of proxy network operators remain. Continued vigilance from both users and industry will be essential to counter evolving threats in the residential proxy landscape.
