Google-FBI Operation Takes Down NetNut, A 2-Million-Device Proxy Botnet

A coordinated takedown hit one of the world's largest residential proxy networks, which Google says rented hijacked smart TVs and streaming boxes to cybercriminals and espionage groups.

Published on Jul 6, 2026
Google-FBI Operation Takes Down NetNut, a 2-Million-Device Proxy Botnet

Google has disrupted NetNut, among the largest residential proxy networks in operation, in a coordinated action with the FBI, Lumen, the Shadowserver Foundation, and others.

Google’s Threat Intelligence Group (GTIG) estimated the network, also tracked as Popa, spanned at least 2 million hijacked consumer devices, and said the action cut the operator’s usable pool by millions.

Google disabled the accounts that NetNut used for malware command and control, set Play Protect to disable Android apps carrying NetNut software kits, and shared intelligence with platforms and law enforcement.

The FBI simultaneously seized hundreds of domains, and NetNut’s main .com site now carries a federal seizure notice. Google said the effort caused “significant degradation to NetNut’s proxy network and its business operations.”

The network was built, Google said, on ordinary household hardware. Smart TVs and streaming boxes were enrolled either through pre-installed malware or through apps users unknowingly installed carrying hidden proxy code, turning home connections into exit nodes for paying customers. GTIG also found NetNut components inside the Badbox 2.0 botnet.

Over a single week in June, GTIG tied 316 separate threat groups to suspected NetNut exit nodes, a mix of criminal and state-linked actors. They leaned on the network to hide where their traffic really originated, slipped into target environments, and peppered logins with password-spray attempts.

Spread across millions of residential addresses, that traffic looked like ordinary home browsing.

A Proxy Network Traced to a Public Company

Unlike most proxy operations, NetNut is not an underground brand. It is a commercial service owned by Alarum Technologies, an Israeli company listed on the Nasdaq.

In June, research firms including Synthient and Qurium reported that the commercial service is fed by the Popa proxyware, quietly enrolled onto home devices, in findings later picked up by KrebsOnSecurity.

Synthient offered a concrete demonstration: in a controlled test, it sent a tagged request into NetNut’s commercial gateway and captured it leaving a device the firm had enrolled in the Popa SDK. Synthient called this an analytic judgment about how the traffic egressed, not a statement about NetNut’s internal knowledge or intent.

Alarum rejected the findings. In a statement to Synthient, it said it runs a legitimate commercial proxy network with customer due-diligence, KYC, and misuse-monitoring measures. They disputed the premises of the research.

That dispute may prove secondary to the disruption’s real reach, however. Google said it has high confidence that many popular proxy brands are whitelabeling the NetNut network, so the takedown could ripple well beyond a single name.

After January’s action against the rival IPIDEA network, it noted, operators simply bought capacity from competitors, and Google argued lasting disruption means targeting several interconnected providers at once.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.