Google says it has significantly disrupted one of the world’s largest malicious residential proxy networks after working with the FBI and industry partners to dismantle infrastructure tied to NetNut, a service that allegedly relied on more than two million compromised internet-connected devices.

The operation targeted NetNut, also tracked as Popa, a residential proxy network that routed internet traffic through infected home devices, allowing cybercriminals and espionage groups to disguise malicious activity behind legitimate residential IP addresses. Google estimates the network controls at least two million devices worldwide, including smart TVs, streaming boxes, and other internet-connected consumer hardware.

According to Google’s Threat Intelligence Group (GTIG), the company disabled Google accounts and services used by NetNut’s command-and-control infrastructure, shared technical intelligence with law enforcement and cybersecurity partners, and updated Google Play Protect to automatically detect and disable Android apps containing NetNut software development kits (SDKs). Google believes these actions reduced the operator’s available device pool by millions.

Residential proxy services have legitimate commercial uses, such as localized web testing and market research. However, security researchers say criminal operators increasingly abuse these networks because IP-reputation controls treat residential addresses as ordinary consumer traffic and rarely block them, whereas ranges belonging to cloud providers or data centers are routinely flagged or rate-limited.

Google said it observed 316 distinct cybercrime and espionage clusters using suspected NetNut exit nodes during a single week. Threat actors allegedly relied on the network to conceal command-and-control communications, conduct password spraying attacks, and access compromised systems while masking their true locations.
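The password-spraying use described above works because each residential exit node makes only a handful of attempts against a target, staying under the per-source-IP lockout thresholds most authentication systems rely on. The following Python, added here as an illustration and not code from Google's report, runs a conventional per-IP rule and a target-centric rule over a few constructed auth log lines; the log format, the field layout and the thresholds are assumptions, not any vendor's defaults.

```python
"""Password-spray detection that does not depend on per-source-IP volume.

Added example (not from Google's report). The auth log lines below are
constructed; the field layout "<ISO-8601 UTC ts> <src_ip> <user> <SUCCESS|FAIL>"
and the thresholds are assumptions, not any vendor's format or defaults.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: one legitimate user (dave) mistyping his own password
# from his own IP, plus a spray that touches ten accounts, one failure each,
# from ten different residential-looking addresses (RFC 5737 documentation
# ranges stand in for real consumer IPs).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 alice SUCCESS
2024-05-01T10:00:15Z 192.0.2.44 dave FAIL
2024-05-01T10:00:20Z 192.0.2.44 dave FAIL
2024-05-01T10:00:31Z 192.0.2.44 dave SUCCESS
2024-05-01T10:01:02Z 198.51.100.12 alice FAIL
2024-05-01T10:01:05Z 198.51.100.33 bob FAIL
2024-05-01T10:01:09Z 203.0.113.77 carol FAIL
2024-05-01T10:01:14Z 198.51.100.91 dave FAIL
2024-05-01T10:01:18Z 203.0.113.120 erin FAIL
2024-05-01T10:01:23Z 192.0.2.200 frank FAIL
2024-05-01T10:01:27Z 198.51.100.150 grace FAIL
2024-05-01T10:01:33Z 203.0.113.18 heidi FAIL
2024-05-01T10:01:40Z 192.0.2.77 ivan FAIL
2024-05-01T10:01:46Z 198.51.100.12 judy FAIL
"""


def parse_log(text):
    """Parse log lines into dicts with a tz-aware timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def per_ip_lockouts(events, threshold=5):
    """Classic control: block a source IP once it accumulates `threshold` failures.

    Against a residential proxy network each exit node contributes only a
    few failures, so this returns nothing even while a spray is in progress.
    """
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n >= threshold}


def detect_spray(events, window_minutes=10, min_accounts=8, max_per_ip=3):
    """Tumbling-window rule keyed on the targets rather than the sources.

    Alert when one window holds failures against at least `min_accounts`
    distinct accounts while no single source IP exceeds `max_per_ip`
    failures: many accounts, many IPs, few tries each is exactly the shape
    that per-IP thresholds are designed not to see.
    """
    span = window_minutes * 60
    windows = defaultdict(list)
    for e in events:
        if not e["ok"]:
            windows[int(e["ts"].timestamp() // span)].append(e)
    alerts = []
    for idx in sorted(windows):
        fails = windows[idx]
        users = {e["user"] for e in fails}
        per_ip = Counter(e["ip"] for e in fails)
        worst_ip = max(per_ip.values())
        if len(users) >= min_accounts and worst_ip <= max_per_ip:
            start = datetime.fromtimestamp(idx * span, tz=timezone.utc)
            alerts.append({
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "accounts": len(users),
                "source_ips": len(per_ip),
                "max_fail_per_ip": worst_ip,
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockouts(evs) or "none")
    for alert in detect_spray(evs):
        print("spray alert:", alert)
```

On the sample, the per-IP rule finds nothing (no address exceeds two failures), while the window rule reports ten accounts hit from ten addresses with at most two failures per source. The same "many targets, few attempts per source" view is what makes a distributed spray visible regardless of how clean the exit IPs' reputation is.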

Investigators believe many consumers' devices joined the network without their owners' knowledge. Some devices were reportedly sold with the malicious software already installed, while others were infected after users downloaded applications containing hidden proxy components. Once compromised, the devices quietly relayed internet traffic on behalf of the network's paying customers.

The FBI also seized multiple domains associated with NetNut as part of the coordinated operation. NetNut’s parent company, Israeli web data provider Alarum Technologies, acknowledged the seizures and said it would cooperate with law enforcement to investigate any misuse of its infrastructure.

Google warned that the disruption is unlikely to eliminate the broader residential proxy ecosystem because many providers operate reseller programs that allow other companies to rebrand and sell access to the same underlying infrastructure. The company said operators whose own botnets are weakened often purchase capacity from competitors, making the ecosystem highly interconnected and resilient.

The operation builds on Google’s earlier disruption of the IPIDEA residential proxy network and reflects a broader effort by technology companies and law enforcement agencies to dismantle infrastructure that enables cybercrime at scale. Google said it will continue monitoring how residential proxy operators adapt as the industry continues to evolve.