Investigations2026-07-03 · 1 min read
Google says it disrupted NetNut proxy network spanning 2M devices
Google says it worked with the FBI, Lumen and other partners to disrupt NetNut, a residential proxy network also tracked as Popa, in a security action aimed at infrastructure the…
Google says it worked with the FBI, Lumen and other partners to disrupt NetNut, a residential proxy network also tracked as Popa, in a security action aimed at infrastructure the company estimates spans at least 2 million consumer devices worldwide.
In a July 2 Google Cloud Threat Intelligence post, Google said it disabled Google accounts and services used by NetNut for malware command and control, shared software-development-kit and backend infrastructure indicators with enforcement partners, and configured Google Play Protect to warn users and disable apps known to carry NetNut SDKs.
Google framed the result as significant degradation, not a permanent takedown. It said the action reduced the available pool of devices for the proxy operator “by millions,” while warning that residential proxy operators can adapt by buying capacity from competing networks or reselling overlapping infrastructure.
The scale matters because residential proxy networks route traffic through home internet connections, making abusive activity look like ordinary residential browsing. Google said its Threat Intelligence Group observed 316 distinct threat clusters using suspected NetNut exit nodes during one week in June, including cybercriminal and espionage groups. For device owners, the risk is not abstract: unauthorized traffic can pass through a home network, expose other devices on the same connection, and cause legitimate home IP addresses to be flagged or blocked.
KrebsOnSecurity reported that the FBI said it worked with industry partners to seize hundreds of domains associated with NetNut and that a seizure notice thanked Google, Lumen, Shadowserver and others. PCMag reported that the NetNut.com domain appeared seized while NetNut.io remained online, and quoted NetNut parent Alarum Technologies saying it would cooperate with law enforcement.
The open questions are operational: which domains were seized, how much backend infrastructure remains reachable, and whether NetNut or resellers can rebuild capacity through other residential proxy providers.
The Shadowfetch Brief
Get The Shadowfetch Brief
Stories like this — every side, one short morning email. Free.