
Google Disrupts Massive NetNut Residential Proxy Network


Google's Threat Intelligence Group estimates NetNut's pool holds at least 2 million home devices worldwide, including smart TVs and streaming boxes.

Google, the FBI, Lumen, and partners degrade a two‑million‑device pool

Working with the FBI, Lumen, and other partners, Google's Threat Intelligence Group (GTIG) said this week it had reduced NetNut's pool of usable devices by millions. GTIG counts at least 2 million devices in the network it tracks as NetNut or Popa, and in a single week in June it observed 316 distinct threat clusters using suspected NetNut exit nodes — a mix that GTIG described as including both cybercriminal and espionage groups.

GTIG warns that an "exit node" on a residential network brings outside traffic into a home, creating an attacker foothold that can be used to reach other devices on the same network. The same types of home gadgets used as proxy exits have also been pulled into large attack botnets such as Mirai and Badbox 2.0, the report notes.

How NetNut / Popa assembles and sells access

The operation described by GTIG and outside researchers fits the business model known as a residential proxy network: operators sell access to real home internet addresses so paying customers can route traffic through ordinary consumer connections rather than datacenter IPs that many security tools block.

According to the reporting, operators get that pool of addresses by having their code run on home devices. Some devices ship with the code pre‑installed on cheap off‑brand hardware; others pick it up when a user installs a free app that hides the proxy software. Once active, the device functions as an exit node — a doorway that other people's traffic flows through and that attributes that traffic to the home's IP address.

NetNut also runs a reseller program: GTIG says many popular, seemingly separate proxy brands are likely reselling the same underlying NetNut pool. That interconnection is why Google calls its recent actions a degradation, not a kill: a single takedown can ripple across many brands, but operators can respond by buying capacity from rivals or becoming resellers themselves.

Technical testing and attribution reported by researchers

Independent researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut in June. Synthient conducted a controlled test that sent traffic into NetNut's commercial gateway and observed that the traffic exited through a device it had enrolled in Popa. Synthient framed that finding "as evidence of the traffic path, not proof of what NetNut knew or intended," and Google says public reporting aligns with GTIG's view of how NetNut builds its botnet.

The Hacker News covered the researchers' findings when they were published. Those findings complicate defenses that rely on the claim of consented sharing, because the researchers reported operational behaviors inconsistent with informed user consent.

Alarum Technologies disputes the characterization

NetNut is a proxy provider owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). Alarum rejects the "botnet" label. In a public statement the company called the research "demonstrably inaccurate assertions and flawed deductions rather than verified facts," and said its software is for consented bandwidth‑sharing that does not compromise the devices it runs on.

That dispute sits beside the researchers' testing: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt.

What this means for end users, technologists, and law enforcement

  • End users: The clearest consumer warning sign is an app that offers to pay you for your "unused bandwidth" or for "sharing your internet." Users are advised to stick to official app stores, check permissions for VPN or proxy apps, keep built‑in protections like Google Play Protect switched on, and buy streaming boxes and smart TV hardware from known manufacturers rather than no‑name brands.
  • Technologists and security teams: Defenders should expect cyclical behavior: when a network is disrupted, demand for residential addresses does not vanish — it migrates. GTIG highlights reseller brands as the next signal to watch; defenders should monitor for NetNut‑linked traffic resurfacing under different brand names and for password‑guessing campaigns routed through exit nodes.
  • Law enforcement and platforms: GTIG's framing of "degradation, not a kill" underscores that durable disruption often requires coordinated action against several connected providers at once. Google points to past operations — a January disruption of IPIDEA and a July 2025 court action against Badbox 2.0's operators — as precedent for the difficulty of eradicating these networks.
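
For the security-team point above about password guessing routed through exit nodes, the following is an added example (not from GTIG's report or the researchers' work). Per-IP lockouts miss guessing that is spread one or two attempts per address, so this sketch groups failed logins by time window instead. The log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def find_distributed_guessing(lines, window=timedelta(minutes=10),
                              min_ips=8, min_users=8, max_fails_per_ip=3):
    """Flag fixed windows where failures are spread thinly over many IPs and accounts.

    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            buckets[(datetime.fromisoformat(ts) - EPOCH) // window].append((ip, user))
    alerts = []
    for key, fails in sorted(buckets.items()):
        per_ip = defaultdict(int)
        for ip, _ in fails:
            per_ip[ip] += 1
        # "Quiet" sources stay under a typical per-IP lockout threshold,
        # which is what rotating through many exit addresses achieves.
        quiet = [ip for ip, n in per_ip.items() if n <= max_fails_per_ip]
        users = {user for ip, user in fails if per_ip[ip] <= max_fails_per_ip}
        if len(quiet) >= min_ips and len(users) >= min_users:
            alerts.append({"window_start": EPOCH + key * window, "ips": len(quiet),
                           "users": len(users), "failures": len(fails)})
    return alerts

def constructed_sample():
    """Constructed log lines: 'ISO-time source-IP user outcome' (documentation IP ranges)."""
    base = datetime(2026, 7, 1, 10, 0, 0)
    lines = []
    # 12 sources, one failed guess each, each against a different account
    for i in range(12):
        ts = (base + timedelta(seconds=40 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.{i + 10} user{i} FAIL")
    # One person mistyping a password from one address an hour later: no alert
    for i in range(3):
        ts = (base + timedelta(hours=1, seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 alice FAIL")
    lines.append(f"{(base + timedelta(hours=1, seconds=30)).isoformat()} 203.0.113.7 alice OK")
    return lines

if __name__ == "__main__":
    for alert in find_distributed_guessing(constructed_sample()):
        print(alert)
```

Enriching each source address with a residential-versus-datacenter label from an IP intelligence feed, where one is available, would let the same grouping separate proxy-routed guessing from ordinary noise.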

NetNut's recent degradation is a notable tactical win in the battle over residential proxy networks, but the reports from GTIG and the independent researchers make clear that this will be an ongoing contest. Operators have multiple ways to reconstitute capacity (through resellers, alternative providers, or preinstalled software on cheap hardware), and defenders will be watching whether NetNut‑linked traffic simply resurfaces under new brand names.

https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html