Google has disrupted NetNut, among the largest residential proxy networks in operation, in a coordinated action with the FBI, Lumen, the Shadowserver Foundation, and others.
Google’s Threat Intelligence Group (GTIG) estimated the network, also tracked as Popa, spanned at least 2 million hijacked consumer devices, and said the action cut the operator’s usable pool by millions.
Google disabled the accounts that NetNut used for malware command and control, set Play Protect to disable Android apps carrying NetNut software kits, and shared intelligence with platforms and law enforcement.
The FBI simultaneously seized hundreds of domains, and NetNut’s main .com site now carries a federal seizure notice. Google said the effort caused “significant degradation to NetNut’s proxy network and its business operations.”
The network was built, Google said, on ordinary household hardware. Smart TVs and streaming boxes were enrolled either through pre-installed malware or through apps users unknowingly installed carrying hidden proxy code, turning home connections into exit nodes for paying customers. GTIG also found NetNut components inside the Badbox 2.0 botnet.
Over a single week in June, GTIG tied 316 separate threat groups to suspected NetNut exit nodes, a mix of criminal and state-linked actors. They leaned on the network to hide where their traffic really originated, slipped into target environments, and peppered logins with password-spray attempts.
Spread across millions of residential addresses, that traffic looked like ordinary home browsing.
A Proxy Network Traced to a Public Company
Unlike most proxy operations, NetNut is not an underground brand. It is a commercial service owned by Alarum Technologies, an Israeli company listed on the Nasdaq.
In June, research firms including Synthient and Qurium reported that the commercial service is fed by the Popa proxyware, quietly enrolled onto home devices, in findings later picked up by KrebsOnSecurity.
Synthient offered a concrete demonstration: in a controlled test, it sent a tagged request into NetNut’s commercial gateway and captured it leaving a device the firm had enrolled in the Popa SDK. Synthient called this an analytic judgment about how the traffic egressed, not a statement about NetNut’s internal knowledge or intent.
Alarum rejected the findings. In a statement to Synthient, it said it runs a legitimate commercial proxy network with customer due-diligence, KYC, and misuse-monitoring measures. They disputed the premises of the research.
That dispute may prove secondary to the disruption’s real reach, however. Google said it has high confidence that many popular proxy brands are whitelabeling the NetNut network, so the takedown could ripple well beyond a single name.
After January’s action against the rival IPIDEA network, it noted, operators simply bought capacity from competitors, and Google argued lasting disruption means targeting several interconnected providers at once.