Google and FBI disrupt NetNut proxy network of 2 million devices

Google, working with the FBI, network operator Lumen, and others, has moved to dismantle NetNut, one of the largest malicious residential proxy networks in the world, according to the Google Threat Intelligence Group (GTIG). GTIG estimates the network runs on at least 2 million compromised devices spread across the globe, and says the coordinated action has degraded it by millions of nodes.

What NetNut is

Residential proxy networks sell criminals the ability to route their traffic through IP addresses that belong to ordinary home internet connections, masking the true origin of an attack. NetNut (also known as Popa) grows its network by getting code onto everyday home devices, such as smart TVs and streaming boxes, either pre-installed before purchase or hidden inside apps that users unknowingly download. GTIG says it has identified NetNut components tied to large-scale botnets including Badbox 2.0, and that many other popular proxy brands are quietly reselling the NetNut network under their own labels.

Why it matters

The danger is not abstract. In a single week in June 2026, GTIG observed 316 distinct threat clusters, including both cybercriminal and espionage groups, using suspected NetNut exit nodes to hide where they were connecting from and to run password-spraying attacks. When a home device becomes an exit node, other people's malicious traffic flows through it, which can get the owner's legitimate connections flagged or blocked and can expose other devices on the same home network. Independent reporting has also documented NetNut-infected devices being pulled into Mirai-style denial-of-service botnets.

What was done

Google disabled the accounts and services NetNut used for malware command and control, shared intelligence on its SDKs and back-end infrastructure with law enforcement and platform providers, and pushed Google Play Protect to warn users and disable apps carrying NetNut code. GTIG cautions that the proxy ecosystem is resilient; after its earlier takedown of the IPIDEA network in January 2026, operators simply began buying capacity from competitors. This action follows a wave of infrastructure disruptions, including the recent Microsoft and Europol takedown of the StealC and Amadey malware networks, and echoes earlier proxy botnets like TheMoon, which powered the Faceless proxy service from 40,000 hijacked routers.

What you should do

Consumers should be wary of apps that offer payment in exchange for "unused bandwidth" or "sharing your internet," stick to official app stores, review the permissions of any third-party VPN or proxy app, and buy connected devices only from reputable manufacturers. Keeping built-in protections such as Google Play Protect active helps block known NetNut applications.

Full detail is in the original report from the Google Threat Intelligence Group.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
