
Google and FBI dismantle 2-million device NetNut botnet


"In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups," said Google.

Who carried out the disruption

Google, Lumen, Shadowserver, the FBI and other contributors worked together to "significantly degrade" the NetNut residential proxy network, part of an ongoing effort to disrupt the tools criminals use to conceal malicious activity, according to Google Cloud and reporting on the operation. The action continues a pattern of interventions that included a disruption of the IPIDEA proxy network in January.

NetNut's scale and the delivery mechanism

Google Cloud said investigators believe NetNut was one of the most popular residential proxy providers and had at least 2 million devices enrolled in its botnet. Those devices were reported to be mostly small TV-streaming boxes. To grow its pool of exit nodes, NetNut distributed its own software development kit (SDK) to those devices.

Residential proxy providers commonly pitch services to device owners as a way to "monetize spare bandwidth," paying a fee in exchange for letting an SDK run on consumer devices. The reporting repeats the official advice to refuse such offers, because running those SDKs feeds the cybercrime ecosystem and can create additional vulnerabilities in home networks.

What NetNut sold and how the market is structured

NetNut reportedly offered a range of products: standalone residential proxy networks, mobile and datacenter proxies, scrapers, and datasets. The company also ran a reseller program. Experts quoted in the reporting believe many other residential proxy networks are powered by NetNut's infrastructure, meaning the disruption could have downstream effects across the proxy market.

Google's Threat Intelligence Group (GTIG) cautioned that while the disruption may ripple across the ecosystem, individual networks can be resilient. GTIG observed that when a provider's botnet capacity is degraded, proxy operators often buy capacity from competitors and effectively become resellers themselves.

Evidence of criminal and botnet linkages

GTIG reported finding plugin components tying NetNut to large-scale botnets such as Badbox 2.0. Other public reports cited in the article noted signs that NetNut has been used to infect devices with Mirai variants. Google warned that threat actors used suspected NetNut exit nodes not only to evade attribution but also operationally: to mask their origin IP addresses when accessing victim environments and to carry out actions such as password spray attacks.

Market resilience and the limits of ad hoc takedowns

Google framed the disruption as part of an ongoing mapping exercise: observers will continue to monitor NetNut's composition and how peer providers adapt. The company warned that ad hoc disruptions can be temporary unless they are scaled to target the infrastructure of multiple interconnected providers, and that long-term effectiveness will require support from internet service providers, mobile platforms, and other technology companies.

The public, visible outcomes of this action were mixed. netnut.com returned a "This website has been seized" splash page, while netnut.io remained online; The Register asked GTIG about that discrepancy but did not immediately receive a reply.

What this means for ISPs, mobile platforms, and end users

  • ISPs and mobile platforms: Google specifically named ISPs, mobile platforms and other technology companies as required partners for a long-term approach. The reporting implies these providers will need to participate in broader, coordinated actions to prevent providers from simply reconstituting capacity across networks.
  • End users and device owners: The article repeats the standard public advisory — users should refuse offers to monetize spare bandwidth by running third‑party SDKs on consumer devices, because those SDKs can enroll devices into proxy pools that are frequently abused by criminals.
  • Security teams and defenders: GTIG's observation that 316 distinct threat clusters used suspected NetNut exit nodes in a single week underscores the operational role these proxy services play for both criminal and espionage groups. Because the exit nodes are ordinary consumer addresses, defenders cannot simply blocklist residential IP space without locking out legitimate users; detection has to rest on the behaviour seen behind those addresses (for example, password spraying spread across many rotating sources) and on the threat-cluster and exit-node indicators tied to residential proxies.
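The password-spraying pattern described above (many accounts, few attempts each, every attempt arriving from a different residential exit node) is what the behavioural monitoring in the previous bullet has to catch. The following is an added example written for this page, not code from Google, GTIG, The Register or NetNut; the log format, the log lines and the "suspected exit node" ranges are all constructed, and the ranges are RFC 5737 documentation space rather than any real proxy infrastructure. It buckets failed logins into fixed windows, flags the spray shape without relying on per-source-IP counts (which a rotating proxy pool defeats), uses the exit-node list only to raise confidence, and reports any account that then logged in successfully from the same pool.

```python
"""Password-spray detection that accounts for rotating residential-proxy
exit nodes. Added example, not code from Google, GTIG, The Register or
NetNut. The log format, the log lines and the exit-node ranges below are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed auth log: "<timestamp> <user> <source-ip> <FAIL|OK>".
SAMPLE_LOG = """\
2026-06-03T09:00:01Z alice 203.0.113.10 FAIL
2026-06-03T09:00:04Z bob 203.0.113.44 FAIL
2026-06-03T09:00:07Z carol 198.51.100.7 FAIL
2026-06-03T09:00:09Z dave 203.0.113.91 FAIL
2026-06-03T09:00:12Z erin 198.51.100.23 FAIL
2026-06-03T09:00:15Z frank 203.0.113.130 FAIL
2026-06-03T09:00:18Z grace 198.51.100.77 FAIL
2026-06-03T09:00:21Z heidi 203.0.113.201 FAIL
2026-06-03T09:00:25Z heidi 203.0.113.201 OK
2026-06-03T10:30:00Z alice 192.0.2.5 FAIL
2026-06-03T10:30:05Z alice 192.0.2.5 FAIL
2026-06-03T10:30:11Z alice 192.0.2.5 OK
"""

# Constructed stand-in for a suspected exit-node indicator list. These are
# RFC 5737 documentation ranges, not real proxy infrastructure.
SUSPECTED_EXIT_NODES = [ipaddress.ip_network("203.0.113.0/24"),
                        ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Return (timestamp, user, source_ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def is_suspected_exit_node(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in SUSPECTED_EXIT_NODES)


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=2, min_proxy_ratio=0.5):
    """Bucket logins into fixed windows and flag the spray shape: many
    distinct accounts, each failing only a few times. Counting per source
    IP is deliberately avoided, because a rotating proxy pool hands each
    attempt a fresh residential address; source IPs only raise confidence
    when they fall in suspected exit-node ranges, and expose a success that
    followed the spray from the same pool."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev[0] - EPOCH) // window].append(ev)
    alerts = []
    for idx in sorted(buckets):
        fails_per_user = defaultdict(int)
        sources = set()
        for ts, user, ip, result in buckets[idx]:
            if result == "FAIL":
                fails_per_user[user] += 1
                sources.add(ip)
        if len(fails_per_user) < min_users:
            continue
        if max(fails_per_user.values()) > max_per_user:
            continue  # concentrated on one account: brute force, not spray
        proxy_ratio = sum(is_suspected_exit_node(ip) for ip in sources) / len(sources)
        compromised = sorted({user for ts, user, ip, result in buckets[idx]
                              if result == "OK" and user in fails_per_user
                              and is_suspected_exit_node(ip)})
        alerts.append({
            "window_start": EPOCH + idx * window,
            "users": len(fails_per_user),
            "source_ips": len(sources),
            "proxy_ratio": proxy_ratio,
            "high_confidence": proxy_ratio >= min_proxy_ratio,
            "likely_compromised": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the 09:00 window produces one alert: eight accounts, eight distinct sources, all in the suspected ranges, with heidi listed as likely compromised because her successful login came from the same exit node immediately after the failed attempt. The 10:30 activity (alice alone, three attempts from one non-proxy address) is not a spray and is left to a separate brute-force rule. The thresholds are illustrative; tune the window and per-user limit to the tenant's normal failure rate, and treat the indicator list as a confidence signal rather than a gate, since a spray from residential addresses that are not yet on any list still has the same shape.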

The disruption of NetNut demonstrates both the scale of contemporary residential proxy markets (at least 2 million devices by GTIG's estimate) and the fragility of fixes that target only a single provider. Google and partners can point to a seized domain and degraded infrastructure, but the company itself warned that lasting change will depend on a broader coalition of ISPs, mobile platforms and technology companies willing to curtail the enrollment pathways and commercial reselling that let such networks reconstitute. For now, defenders can watch for the exit-node abuse GTIG describes and remind device owners to refuse offers that install third-party SDKs, small steps that the reporting suggests are necessary components of any durable solution.
