A coordinated international effort led by Google and the FBI has successfully disrupted NetNut, a massive residential proxy network also known as the Popa botnet. This operation, which took place on July 2-3, 2026, severed connections for at least two million compromised Android devices, including smart TVs and streaming boxes, that were being exploited by cybercriminals and espionage groups.
Major Residential Proxy Botnet Neutralized
In a significant victory against cybercrime, a global coalition has dismantled the NetNut residential proxy network, a sophisticated botnet that covertly used millions of consumer devices. This action cut off a crucial resource for threat actors seeking to mask their malicious online activities. The operation targeted NetNut, also identified as the Popa botnet, which had established itself as one of the world's largest malicious proxy services.
Unveiling the Network's Scale and Modus Operandi
The NetNut botnet leveraged an estimated two million or more compromised Android devices worldwide, encompassing smart TVs and streaming boxes, to route illicit traffic. According to the Google Threat Intelligence Group (GTIG), these devices typically became part of the network after being infected with malware, such as components of the Badbox 2.0 botnet, often pre-installed on the device or downloaded through trojanized applications. This allowed cybercriminals and espionage groups to conduct activities like password spraying, credential stuffing, and data scraping while hiding behind legitimate residential IP addresses. Google's internal reporting indicated that in a single week in June 2026, 316 distinct threat clusters were observed using NetNut exit nodes. For more information on botnet operations, refer to Lumen Technologies' resources on botnets.
Coordinated Enforcement Actions
The disruption of NetNut was the result of a coordinated effort involving Google, the Federal Bureau of Investigation (FBI), Lumen Technologies, The Shadowserver Foundation, and the US Internal Revenue Service's (IRS) Criminal Investigation division.
"GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins," Google stated.
Key actions undertaken during the operation included:
- The FBI seized hundreds of domains associated with NetNut, including netnut.com, proxyjet.io, and divinetworks.com, effectively blinding the network's infrastructure.
- Google disabled accounts and associated services used by NetNut for malware command-and-control (C2), dismantling critical backend infrastructure.
- Google Play Protect, Android's built-in security service, was updated to automatically warn users and disable applications known to incorporate NetNut's malicious software development kits (SDKs).
- Google also shared technical intelligence regarding NetNut's SDKs and C2 infrastructure with platform providers, law enforcement, and research firms to foster broader ecosystem awareness and enforcement.
What This Means
The takedown of NetNut represents a significant blow to the cybercriminal underground, disrupting a major avenue for obfuscating malicious traffic. For professionals, developers, and informed tech enthusiasts, it highlights the persistent threat of residential proxy botnets and the critical need for robust supply chain security. While the immediate impact is substantial, the interconnected nature of the proxy industry suggests that operators may attempt to rebuild by reselling capacity from other providers, a pattern observed after the disruption of IPIDEA earlier this year. Consumers are also reminded of the risks associated with unofficial apps and low-cost, uncertified smart devices that can unknowingly enroll their home internet connections in such networks.
Key Points
- The NetNut residential proxy network, also known as the Popa botnet, was disrupted on July 2-3, 2026, by a multi-agency international operation.
- This botnet compromised at least two million Android devices globally, including smart TVs and streaming boxes, for illicit activities.
- The operation involved FBI domain seizures and Google's disabling of command-and-control infrastructure and malicious applications.
The Bottom Line
The disruption of the NetNut proxy network underscores the ongoing battle against sophisticated cybercriminal infrastructure. While this coordinated action has significantly degraded NetNut's operations, the adaptability of these networks means vigilance remains paramount. Consumers should prioritize purchasing devices from reputable manufacturers and maintaining updated security software, while industry stakeholders must continue collaborative efforts to dismantle these resilient threats. For further insights into residential proxy networks and their abuse, consider resources from The Shadowserver Foundation.
