
Google and FBI Dismantle NetNut Botnet with Two Million Devices

The Point: A residential proxy network comprising two million infected devices was destroyed by Google and the FBI after being used for mass infiltration by 316 different threat clusters per week.

Google and the FBI have significantly disrupted the NetNut proxy network (also known as Popa) in a coordinated operation. The botnet comprised at least two million compromised home devices worldwide and served hundreds of hacker groups as cover for malicious activities.

The NetNut network, operated by Alarum Technologies, functioned as residential proxy infrastructure: operators routed malicious traffic through the residential IP addresses of compromised consumer devices, including smart TVs, routers, and streaming boxes. In the operation, Google blocked numerous user accounts and command-and-control infrastructure services, while the FBI seized hundreds of associated domains and involved Lumen Technologies and additional security partners.

For CISOs, the incident is significant: residential proxies are in high demand in the cybercrime ecosystem because security tools filter traffic from residential internet connections less frequently than traffic from data centers. The Google Threat Intelligence Group observed 316 distinct threat clusters using NetNut exit nodes for attacks within a single week in June 2026 alone, ranging from password brute-force attacks to malware command-and-control (C&C) traffic to targeted espionage. The network was also linked to other campaigns such as the Badbox 2.0 botnet.

The infection vectors reveal structural security gaps in device protection: consumer devices were primarily enrolled in the botnet via malicious software development kits concealed in free apps or in the firmware of inexpensive no-name hardware. Apps lured users with the promise of payment for sharing unused bandwidth. After infection, third-party traffic flowed undetected through the home connection and gave attackers access to other devices on the same network.

For mitigation, Google Play Protect on Android devices has enabled automated blocking for known NetNut components and disabled existing installations. The operation reduced the proxy operator’s available device pool by millions, according to Google – a significant blow to a business model that relied on direct sales as well as reseller programs.


Source: www.it-daily.net · Published July 5, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.
