Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices
NetNut was a large residential proxy network composed of over 2 million compromised Android devices, including smart TVs and streaming boxes, infected via trojanized apps and malware. The network rented access to cybercriminals and nation-state actors to mask their identities during attacks. Google, the FBI, and partners coordinated to dismantle NetNut by disabling its backend infrastructure, infected apps, and associated Google accounts. This disruption significantly reduced the pool of devices available to the proxy operator and impacted its business operations. NetNut also operated a reseller program, amplifying its reach through other brands. The takedown is part of ongoing efforts to disrupt interconnected proxy botnet ecosystems.
AI Analysis
Technical Summary
NetNut, also known as Popa, was a residential proxy network powered by more than 2 million compromised Android devices infected via trojanized applications and malware such as Badbox 2.0. The network rented proxy access to various threat actors, including cybercriminal and espionage groups, enabling them to hide their locations during attacks like password spraying. Google, the FBI, and other organizations coordinated a takedown operation that disabled Google accounts and services used for command-and-control, removed infected apps via Google Play Protect, and warned victims. This operation caused significant degradation to NetNut's infrastructure and business, reducing the available infected device pool by millions. NetNut also operated a reseller program, allowing other brands to white-label its proxy services. The takedown follows similar disruptions of related proxy botnets and aims to scale efforts against interconnected providers in this ecosystem.
Potential Impact
The disruption of NetNut significantly reduced the availability of millions of compromised devices used as residential proxies by cybercriminals and nation-state actors to mask their identities during attacks. This degradation impacts the ability of threat actors to conduct operations such as password spraying and unauthorized access while hiding their true locations. The takedown also affects the broader proxy botnet ecosystem by disrupting reseller networks and forcing operators to seek alternative sources, potentially reducing overall malicious proxy capacity.
Mitigation Recommendations
Google and partners have already taken coordinated action to dismantle the NetNut network by disabling command-and-control infrastructure, removing infected applications via Google Play Protect, and warning victims. These measures have significantly degraded the threat. No additional immediate action is required from defenders regarding this specific threat. Continued monitoring of related proxy botnet activity and collaboration with industry and law enforcement is recommended to address the evolving ecosystem.
Technical Details
- Article Source: https://www.securityweek.com/google-fbi-disrupt-netnut-residential-proxy-network-powered-by-millions-of-devices/ (fetched 2026-07-03T08:21:24.368Z, 1022 words)
Threat ID: 6a47710427e9c79719512da4
Added to database: 07/03/2026, 08:21:24 UTC
Last enriched: 07/03/2026, 08:21:31 UTC
Last updated: 07/03/2026, 10:52:41 UTC