Google Dismantles NetNut Residential Proxy Botnet
Google dismantled the NetNut residential proxy botnet, a major cyber threat that compromised over 2 million home devices. This residential proxy network, also known as Popa, was widely used to mask malicious activity and resold to criminal groups. Understanding the impact of this operation and the risks posed by residential proxy abuse is essential for organisations of all sizes.
What Happened: Unpacking the NetNut Proxy Botnet
In June 2026, Google, the FBI, Lumen Technologies, and several cybersecurity partners took coordinated action against the NetNut residential proxy network. NetNut, also tracked as Popa, operated by compromising home and Internet of Things (IoT) devices—often through unofficial Android TV apps. Devices infected by Popa became unwitting relay nodes, forwarding proxy traffic for NetNut clients.
Google disabled accounts and services used by NetNut for malware command-and-control, as these activities breached Google’s Terms of Service. Technical intelligence on NetNut’s software development kits (SDKs) and backend infrastructure was shared with law enforcement and research firms, enabling broader ecosystem enforcement against malicious proxy operators.
Google also updated Play Protect to automatically warn users and disable Android applications bundled with NetNut SDKs. This prevents further installations and protects home devices from being hijacked as proxy nodes. The operation followed a similar disruption against another proxy network, IPIDEA, earlier in 2026, signalling a sustained campaign against botnet-driven residential proxies.
How NetNut Operated
- Compromised home and IoT devices via unofficial Android TV apps.
- Used SDKs embedded in pirated streaming apps such as CRICFy, DooFlix, and Flixoid.
- Devices relayed proxy traffic, masking the origin of malicious activity.
- Infrastructure white-labelled and resold under various proxy brands.
- Minimal verification for buyers, enabling abuse by cybercriminals.
Technical Attribution
Investigations by security firms and journalists linked the Popa botnet directly to NetNut, a subsidiary of Alarum Technologies Ltd. Proxy-tracking firm Synthient found that Popa devices actively forwarded NetNut proxy traffic. Lumen’s Black Lotus Labs estimated the botnet cycled through 1.5 to 2.5 million IP addresses daily, directed by around 250-300 controller domains.
Despite NetNut’s claims of consensual bandwidth-sharing and misuse monitoring, experts argued that the lack of meaningful buyer verification allowed criminal groups to purchase proxy access easily. This made the network one of the most widely resold and abused proxy infrastructures in the cybercriminal ecosystem.
Why Residential Proxy Abuse Matters to Organisations
Residential proxy abuse poses significant risks to organisations, especially small and medium businesses (SMBs) in the UK. Cybercriminals use residential proxies to mask their activity, evade detection, and bypass security controls. This allows them to conduct fraud, credential stuffing, phishing, and network intrusion while appearing to operate from innocent home devices.
The NetNut botnet’s reach means that many organisations may see changing patterns in proxy traffic, with a sudden drop or shift following Google’s takedown. Attackers seeking new proxy sources could target other devices or networks, increasing risk for both home users and businesses.
Key Risks for Businesses
- Malicious traffic disguised as legitimate residential IPs.
- Difficulty in blocking attacks due to constantly rotating proxy endpoints.
- Potential for compromised devices on employee networks.
- Exposure to fraud, data exfiltration, and access abuse.
- Challenges in threat intelligence and incident response.
Organisations must understand that residential proxies can undermine traditional security measures. Attackers often use them to circumvent geo-blocking, rate limits, and detection rules. This makes proactive defences and monitoring all the more critical.
Best Practices: Protecting Against Residential Proxy Abuse
To defend against residential proxy botnets like NetNut, organisations should strengthen controls and improve visibility. The following best practices can help reduce risk and improve resilience:
- Monitor for Unusual Proxy Traffic: Use network analytics and threat intelligence to identify suspicious proxy connections and rotating IPs.
- Enforce Application Controls: Restrict installation of unofficial apps, especially on Android devices and TV boxes used in office or remote environments.
- Implement Multi-Factor Authentication: Protect accounts from credential stuffing attacks that leverage residential proxies.
- Segment Networks: Isolate IoT devices and home office equipment from sensitive business systems.
- Educate Employees: Raise awareness about risks of pirated apps and proxy abuse, promoting safe device usage.
- Collaborate with Providers: Share threat intelligence and coordinate with ISPs, platform providers, and security partners.
Android Protections
Google Play Protect now warns users and disables apps bundled with proxy SDKs. Organisations should enforce device policies that restrict installation of unofficial streaming apps and regularly audit Android devices for suspicious software.
Strengthening Security Controls
Review firewall and proxy rules to identify and block known malicious endpoints. Update threat feeds to include indicators linked to dismantled proxy networks. Consider using advanced detection tools that distinguish residential proxy traffic from legitimate activities.
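As an added example, not code from the article or from Google, Lumen or any vendor named above, the following Python script shows one way to implement the monitoring recommended under "Monitor for Unusual Proxy Traffic" together with the threat-feed check described in the paragraph above. It parses constructed login-log lines, flags accounts whose failed logins fan out across many distinct source IPs within a short window (the signature of credential stuffing routed through a rotating proxy pool), notes whether a success followed the fan-out, and counts how many of the IPs fall inside placeholder CIDRs standing in for a proxy-range threat feed. The log format, the thresholds and the CIDRs are assumptions for illustration; the CIDRs are documentation ranges, not real indicators.

```python
"""Detect rotating-proxy credential stuffing in an auth log and cross-check
source IPs against a proxy-range feed.

Added example: the log lines, thresholds and feed entries are constructed
for illustration and are not indicators from the article.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line: "<ISO timestamp> <ip> <user> <OK|FAIL>".
SAMPLE_LOG = """\
2026-06-10T09:00:01Z 203.0.113.5 alice FAIL
2026-06-10T09:00:02Z 203.0.113.9 alice FAIL
2026-06-10T09:00:03Z 198.51.100.14 alice FAIL
2026-06-10T09:00:04Z 198.51.100.77 alice FAIL
2026-06-10T09:00:05Z 192.0.2.33 alice FAIL
2026-06-10T09:00:06Z 192.0.2.61 alice OK
2026-06-10T09:00:07Z 203.0.113.5 bob FAIL
2026-06-10T09:00:08Z 198.51.100.200 bob FAIL
2026-06-10T09:05:00Z 10.0.0.8 carol FAIL
2026-06-10T09:05:30Z 10.0.0.8 carol OK
"""

# Constructed placeholder feed of "known proxy exit" ranges (documentation CIDRs, not real IoCs).
PROXY_FEED = ["203.0.113.0/24", "198.51.100.0/24"]


def parse_log(text):
    """Parse log lines into dicts with ts/ip/user/ok; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        records.append({"ts": when, "ip": addr, "user": user, "ok": result == "OK"})
    return records


def build_feed(cidrs):
    """Turn feed CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_feed(ip, networks):
    """True if the address (string or address object) lies in any feed range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in networks)


def detect_rotating_logins(records, networks, window=timedelta(minutes=5),
                           min_distinct_ips=5, per_ip_cap=2):
    """Flag accounts whose failed logins inside `window` come from at least
    `min_distinct_ips` distinct addresses, none used more than `per_ip_cap`
    times. A single IP hammering one account trips ordinary lockout rules;
    a proxy pool spreads the same attempts thinly across many home IPs, so
    the signal has to be computed per account, not per IP."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        fails = [e for e in events if not e["ok"]]
        for i, end in enumerate(fails):
            recent = [e for e in fails[: i + 1] if e["ts"] >= end["ts"] - window]
            per_ip = defaultdict(int)
            for e in recent:
                per_ip[e["ip"]] += 1
            if len(per_ip) >= min_distinct_ips and max(per_ip.values()) <= per_ip_cap:
                # A success from yet another address shortly after the fan-out is the
                # strongest sign the stuffing worked and the account needs a reset.
                later_ok = any(e["ok"] and end["ts"] <= e["ts"] <= end["ts"] + window
                               for e in events)
                findings[user] = {
                    "distinct_ips": len(per_ip),
                    "failed_attempts": len(recent),
                    "feed_hits": sum(1 for ip in per_ip if in_feed(ip, networks)),
                    "success_after_spray": later_ok,
                }
                break
    return findings


if __name__ == "__main__":
    feed = build_feed(PROXY_FEED)
    for user, finding in detect_rotating_logins(parse_log(SAMPLE_LOG), feed).items():
        print(f"ALERT {user}: {finding}")
```

In the constructed sample only `alice` is flagged: five failures from five distinct addresses in five seconds, four of them inside the placeholder feed, followed by a success from a sixth address. `bob` and `carol` stay below the distinct-IP threshold. In production the thresholds should be tuned against the organisation's own baseline, and a feed hit should raise the score rather than be required, since residential ranges are exactly what a feed will never cover completely.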
Conclusion: Staying Vigilant Against Proxy Botnets
The dismantling of the NetNut residential proxy botnet is a significant step in curbing cybercriminal abuse of home devices. However, attackers will continue to seek new ways to mask their activity and evade detection. UK organisations should review their controls, monitor proxy traffic, and educate users to minimise risk from residential proxy abuse. By staying informed and proactive, businesses can better protect themselves against evolving cyber threats.
Originally reported by cybersecuritynews.com.