Investigations2026-07-02 · 2 min read
Google disrupts NetNut proxy network spanning 2M devices
Google says it degraded the NetNut residential proxy network, also tracked as Popa, after estimating the network spans at least 2 million devices…
Google says it has disrupted NetNut, a residential proxy network also tracked as Popa, in coordination with the FBI, Lumen and other partners, after estimating the network spans at least 2 million consumer devices worldwide.
In a July 2 Google Cloud Threat Intelligence post, Google said it disabled Google accounts and services used for NetNut command-and-control, shared software-development-kit and backend infrastructure indicators with enforcement partners, and configured Google Play Protect to warn users and disable apps known to carry NetNut SDKs.
The important caveat: Google is describing degradation, not a permanent takedown. The company said the action reduced NetNut's available device pool "by millions," but also said past residential-proxy disruptions show individual networks can appear resilient as operators buy or resell capacity elsewhere.
The user risk is local. Residential proxy networks route outside traffic through home IP addresses, making malicious activity look like ordinary residential browsing. Google said device owners can see legitimate traffic flagged or blocked, and that a device turned into an exit node can expose other devices on the same home network to unauthorized traffic.
Google also said it observed 316 distinct threat clusters using suspected NetNut exit nodes during a single week in June, including cybercriminal and espionage groups. Those groups used the network to mask their origin, access victim environments and conduct password-spray attacks, according to Google.
SiliconANGLE reported the same core disruption and said the FBI seized several NetNut domains. The public source pass does not identify which domains were seized or how durable the disruption will be.
The background is contested. KrebsOnSecurity and Qurium previously reported research linking Popa infrastructure to NetNut and to Android-based TV boxes and apps that can turn consumer devices into relay nodes. SiliconANGLE noted that Alarum Technologies, NetNut's owner, has rejected the botnet characterization in prior reporting, saying its software supports consented bandwidth sharing and does not compromise devices.
What remains unknown: which domains were seized, whether the disruption will last, and how much capacity NetNut or related proxy operators can rebuild through resellers.
The Shadowfetch Brief
Get The Shadowfetch Brief
Stories like this — every side, one short morning email. Free.