Global Operation Dismantles NetNut Proxy Botnet, Millions of Devices Freed


Techpivo News
Quick Brief
  • NetNut residential proxy network disrupted by international operation.
  • At least two million Android devices cut off from botnet control.
  • FBI and Google led the coordinated enforcement actions.
Key Points
1. NetNut, also known as the Popa botnet, was disrupted by a global coalition on July 2-3, 2026.
2. The network comprised at least 2 million compromised Android devices, including smart TVs and streaming boxes.
3. The FBI seized domains, and Google disabled command-and-control infrastructure and malicious apps.

A coordinated international effort led by Google and the FBI has successfully disrupted NetNut, a massive residential proxy network also known as the Popa botnet. This operation, which took place on July 2-3, 2026, severed connections for at least two million compromised Android devices, including smart TVs and streaming boxes, that were being exploited by cybercriminals and espionage groups.

Major Residential Proxy Botnet Neutralized

In a significant victory against cybercrime, a global coalition has dismantled the NetNut residential proxy network, a botnet that covertly enrolled millions of consumer devices as proxy exit nodes. This action cut off a crucial resource for threat actors seeking to mask the origin of their malicious online activity. The operation targeted NetNut, also identified as the Popa botnet, which had established itself as one of the world's largest malicious proxy services.

Unveiling the Network's Scale and Modus Operandi

The NetNut botnet comprised an estimated two million or more compromised Android devices worldwide, including smart TVs and streaming boxes, and used them to route illicit traffic. According to the Google Threat Intelligence Group (GTIG), these devices typically joined the network after being infected with malware, such as components of the Badbox 2.0 botnet, that was either pre-installed or delivered through trojanized applications. This allowed cybercriminals and espionage groups to conduct password spraying, credential stuffing, and data scraping while hiding behind legitimate residential IP addresses. Because the exit IPs belong to ordinary home subscribers, IP-reputation blocklists and per-IP rate limits are largely ineffective against traffic routed through such a network: each infected device contributes only a handful of requests, so no single source address ever looks abusive. Google's internal reporting indicated that in a single week in June 2026, 316 distinct threat clusters were observed using NetNut exit nodes. For more information on botnet operations, refer to Lumen Technologies' resources on botnets.
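The paragraph above explains why per-IP controls miss proxy-botnet traffic: a credential-stuffing run spread across residential exit nodes produces one or two failed logins per address. The following is an added example, not code from the article, from Google or from any of the named organizations, showing how a defender can still surface such a run by aggregating on the window and on the client fingerprint rather than on the source IP. The log format, the field names and the sample log lines are all constructed for this illustration; the IP addresses come from the documentation ranges and do not correspond to any real NetNut exit node.

```python
"""Detect low-and-slow credential stuffing spread across many source IPs.

Added example (not from the article). The auth-log format below is
hypothetical: one event per line,
    <ISO timestamp>Z ip=<addr> user=<name> result=<ok|fail> ua=<fingerprint>
where `ua` stands in for whatever client fingerprint you have (UA hash,
JA3/JA4, header-order hash). Sample data is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: eight proxied nodes each fail once or twice against
# different accounts, sharing one client fingerprint (7f3a). One real user
# (alice) mistypes her password twice from her own IP and then succeeds.
SAMPLE_LOG = """\
2026-06-15T10:00:05Z ip=203.0.113.11 user=bob result=fail ua=7f3a
2026-06-15T10:00:09Z ip=203.0.113.12 user=carol result=fail ua=7f3a
2026-06-15T10:00:14Z ip=203.0.113.13 user=dave result=fail ua=7f3a
2026-06-15T10:00:20Z ip=203.0.113.14 user=erin result=fail ua=7f3a
2026-06-15T10:00:31Z ip=203.0.113.15 user=frank result=fail ua=7f3a
2026-06-15T10:00:44Z ip=203.0.113.16 user=grace result=fail ua=7f3a
2026-06-15T10:01:02Z ip=203.0.113.17 user=heidi result=fail ua=7f3a
2026-06-15T10:01:15Z ip=203.0.113.18 user=ivan result=fail ua=7f3a
2026-06-15T10:01:20Z ip=203.0.113.18 user=judy result=fail ua=7f3a
2026-06-15T10:02:00Z ip=198.51.100.7 user=alice result=fail ua=b2c1
2026-06-15T10:02:10Z ip=198.51.100.7 user=alice result=fail ua=b2c1
2026-06-15T10:02:30Z ip=198.51.100.7 user=alice result=ok ua=b2c1
2026-06-15T10:12:00Z ip=198.51.100.9 user=mallory result=ok ua=c3d4
2026-06-15T10:15:00Z ip=198.51.100.7 user=alice result=ok ua=b2c1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) ua=(?P<ua>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip blank or malformed lines rather than crash
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "result": m["result"], "ua": m["ua"]})
    return events


def per_ip_lockout_hits(events, threshold=5):
    """The naive control: IPs with at least `threshold` failures overall.
    Against a residential proxy network this returns nothing, because each
    exit node contributes only a couple of attempts."""
    fails = Counter(e["ip"] for e in events if e["result"] == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def detect_distributed_stuffing(events, window_minutes=10,
                                max_fail_per_ip=2, min_ips=5, min_users=5):
    """Aggregate failures per fixed time window instead of per IP.

    An alert fires when many *low-volume* IPs (each under the per-IP lockout
    threshold) together fail against many distinct accounts. The alert also
    reports client fingerprints shared across >= min_ips of those IPs, which
    is the usual tell for one tool driving many proxy exit nodes.
    """
    buckets = defaultdict(list)
    for e in events:
        start = e["ts"].replace(
            minute=(e["ts"].minute // window_minutes) * window_minutes,
            second=0, microsecond=0)
        buckets[start].append(e)

    alerts = []
    for start, evs in sorted(buckets.items()):
        fails = [e for e in evs if e["result"] == "fail"]
        per_ip = Counter(e["ip"] for e in fails)
        low_ips = {ip for ip, n in per_ip.items() if n <= max_fail_per_ip}
        users = {e["user"] for e in fails if e["ip"] in low_ips}
        ua_ips = defaultdict(set)
        for e in fails:
            if e["ip"] in low_ips:
                ua_ips[e["ua"]].add(e["ip"])
        shared = {ua: sorted(ips) for ua, ips in ua_ips.items()
                  if len(ips) >= min_ips}
        if len(low_ips) >= min_ips and len(users) >= min_users:
            alerts.append({"window_start": start.isoformat(),
                           "low_volume_ips": len(low_ips),
                           "users_targeted": len(users),
                           "shared_fingerprints": shared})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockout would block:", per_ip_lockout_hits(evs) or "nothing")
    for a in detect_distributed_stuffing(evs):
        print("ALERT", a)
```

The contrast is the point: the per-IP lockout returns nothing, while the windowed view reports nine low-volume sources hitting ten accounts with one fingerprint spanning eight of them. In production you would feed the same aggregation from your SIEM and treat the shared fingerprint, not the IP list, as the block key.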

Coordinated Enforcement Actions

The disruption of NetNut was the result of a coordinated effort involving Google, the Federal Bureau of Investigation (FBI), Lumen Technologies, The Shadowserver Foundation, and the US Internal Revenue Service's (IRS) Criminal Investigation division.

"GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins," Google stated.

Key actions undertaken during the operation included:

  • The FBI seized hundreds of domains associated with NetNut, including netnut.com, proxyjet.io, and divinetworks.com, so that neither customers nor infected devices could reach the network's infrastructure through those names.
  • Google disabled accounts and associated services used by NetNut for malware command-and-control (C2), dismantling critical backend infrastructure.
  • Google Play Protect, Android's built-in malware protection, was updated to automatically warn users about, and disable, applications known to incorporate NetNut's malicious software development kits (SDKs).
  • Google also shared technical intelligence regarding NetNut's SDKs and C2 infrastructure with platform providers, law enforcement, and research firms to foster broader ecosystem awareness and enforcement.

What This Means

The takedown of NetNut is a significant blow to the cybercriminal underground, disrupting a major avenue for obfuscating malicious traffic. For professionals, developers, and informed tech enthusiasts, it highlights the persistent threat of residential proxy botnets and the critical need for robust supply chain security, since the infection vector here was software shipped on, or installed onto, the device itself. While the immediate impact is substantial, the interconnected nature of the proxy industry suggests that operators may attempt to rebuild by reselling capacity from other providers, a pattern observed after the disruption of IPIDEA earlier this year. Consumers are also reminded of the risks of unofficial apps and low-cost, uncertified smart devices that can unknowingly enroll their home internet connections into such networks.

Key Points

  • The NetNut residential proxy network, also known as the Popa botnet, was disrupted on July 2-3, 2026, by a multi-agency international operation.
  • This botnet compromised at least two million Android devices globally, including smart TVs and streaming boxes, for illicit activities.
  • The operation involved FBI domain seizures and Google's disabling of command-and-control infrastructure and malicious applications.

The Bottom Line

The disruption of the NetNut proxy network underscores the ongoing battle against sophisticated cybercriminal infrastructure. While this coordinated action has significantly degraded NetNut's operations, the adaptability of these networks means vigilance remains paramount. Consumers should prioritize purchasing devices from reputable manufacturers and maintaining updated security software, while industry stakeholders must continue collaborative efforts to dismantle these resilient threats. For further insights into residential proxy networks and their abuse, consider resources from The Shadowserver Foundation.

Frequently Asked Questions

What is the NetNut proxy network?
NetNut, also known as the Popa botnet, was a large residential proxy network that exploited at least two million compromised Android devices, including smart TVs and streaming boxes, to route malicious internet traffic.
Who was involved in the NetNut disruption?
The disruption was a joint international effort involving Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and the US Internal Revenue Service's Criminal Investigation division.
How were devices compromised by NetNut?
Devices were typically infected with malware like Badbox 2.0, often pre-installed or downloaded through trojanized applications, turning them into unwitting proxy nodes for cybercriminals.
