Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices
Google and FBI dismantle NetNut, a massive residential proxy network powered by millions of compromised devices.
Summary
Google and the FBI, in coordination with other organizations, have successfully disrupted NetNut, a large residential proxy network. This network, believed to comprise over 2 million compromised Android devices, was used by cybercriminals and nation-state actors to mask their identities during attacks, including password-spray campaigns. Google disabled command-and-control infrastructure and infected applications, significantly degrading the network's operations.
Full text
Google, the FBI, and other organizations coordinated in a joint effort to dismantle NetNut, a massive residential proxy network.

Also known as Popa, NetNut is believed to consist of more than 2 million Android devices, such as smart TVs and streaming boxes, that have been infected through trojanized applications and malware such as Badbox 2.0.

The network’s operator, linked to the publicly-traded Israeli firm Alarum Technologies Ltd, rented the residential proxies to various threat actors, including cybercriminal and espionage groups.

In a single week in June, Google observed 316 distinct threat clusters using NetNut to hide their locations in password-spray attacks and to access victim environments.

“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said.

As part of the operation, the internet giant disabled Google accounts and associated services used for command-and-control (C&C), dismantling the botnet’s backend infrastructure.

Additionally, it disabled the infected applications via Google Play Protect and automatically warned victims of the threat. Google also shared threat intelligence with industry partners and law enforcement.

According to Google, NetNut is not only selling access to the residential proxy network under its own brand, but also operates a reseller program, allowing other popular brands to whitelabel the NetNut botnet.

The NetNut takedown follows the January disruption of IPIDEA, and is expected to have a ripple effect across the ecosystem.

“What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers,” Google says.

Written By Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
Indicators of Compromise
- malware — Badbox 2.0