Key Takeaways
- A coordinated takedown led by Google, the FBI, Lumen Technologies, The Shadowserver Foundation and other partners disrupted the NetNut (also known as Popa) residential proxy botnet, which controlled an estimated ≥ 2 million compromised Android devices worldwide.
- NetNut supplied cybercriminals and espionage groups with legitimate‑looking home IP addresses to hide malicious traffic, enable password‑spraying attacks, and access attacker‑controlled infrastructure.
- The botnet spread primarily through trojanized applications and pre‑installed malware, turning smart TVs, streaming boxes, and other consumer devices into exit nodes for the proxy network.
- Law‑enforcement seized the core .netnut.com domain, while Google disabled associated command‑and‑control (C2) accounts, warned users via Play Protect, and shared technical indicators with industry and researchers.
- Disruption of NetNut is expected to ripple through the residential proxy market because many competing services rely on its infrastructure via a whitelabel reseller model; operators often simply buy replacement capacity from rivals when one network is taken down.
- The action follows Google’s earlier dismantling of the IPIDEA botnet and reflects an ongoing commitment to dismantle large‑scale residential proxy threats that abuse home internet connections.
Overview of the Joint Operation
In a multi‑agency effort, Google’s Threat Intelligence Group (GTIG) teamed up with the FBI, Lumen Technologies, The Shadowserver Foundation, and several industry partners to dismantle the NetNut residential proxy botnet. The operation combined legal authority, technical telemetry, and threat‑intel sharing to identify and neutralize the infrastructure that powered the network. By aligning law‑enforcement seizure capabilities with corporate security controls, the collaborators were able to cut off the botnet’s command‑and‑control channels and prevent further abuse of compromised devices. This collaboration exemplifies how public‑private partnerships can effectively counter large‑scale cyber‑crime ecosystems that rely on abused consumer hardware.
What Is NetNut (aka Popa)?
NetNut, also marketed under the alias “Popa,” is a residential proxy service that sells access to IP addresses belonging to everyday home internet connections. Unlike data‑center proxies, residential proxies route traffic through genuine ISP‑assigned addresses, making malicious activity appear as ordinary household traffic. Threat actors purchase this access to conceal their origins, bypass geo‑restrictions, and evade reputation‑based defenses. The service operated through a web portal and APIs, allowing customers to rent proxy exit nodes on demand. Its popularity stemmed from the perceived legitimacy of the IP pools and the ease with which buyers could integrate the service into their attack toolchains.
Scale of Infection and Device Compromise
GTIG estimates that NetNut controlled at least two million compromised Android devices globally, a figure that includes smartphones, smart TVs, streaming boxes, and other Android‑based consumer electronics. The infection vector relied heavily on trojanized applications—either malicious apps downloaded from unofficial sources or legitimate‑looking apps that had been repackaged with hidden proxy modules. In some cases, malware was pre‑installed on devices before they reached consumers, a technique seen in prior botnets such as Badbox 2.0. Once installed, the malware silently opened a background proxy client that enrolled the device as an exit node, ready to forward any traffic requested by the NetNut infrastructure.
How Residential Proxy Networks Operate
When a device becomes part of NetNut, it functions as an exit node: the malware receives commands from the botnet’s C2 servers instruct the device to forward network packets on behalf of a paying customer. To the outside world, the traffic appears to originate from the victim’s residential IP address, which is typically trusted by websites, online services, and security tools. This mechanism allows attackers to conduct credential‑stuffing, password‑spraying, fraud, and even espionage while blending in with legitimate home‑user traffic. Moreover, because the IP address belongs to a real ISP, many reputation‑based blocks and geo‑filters fail to detect the abuse, providing criminals with a low‑cost, high‑effectiveness anonymity layer.
Details of the Disruption Coalition
The takedown was not the work of a single entity. Google contributed threat‑intel data, disabled malicious accounts on its platforms, and shared technical details about NetNut’s software development kits (SDKs) and C2 infrastructure with law‑enforcement and security researchers. The FBI exercised its legal authority to seize domains associated with the service, while Lumen Technologies and The Shadowserver Foundation provided network‑traffic analysis and sinkholing capabilities to reroute or neutralize malicious traffic. Additional industry partners contributed telemetry, malware‑sample sharing, and mitigation guidance. This layered approach ensured that both the command‑and‑control layer and the consumer‑device infection vectors were addressed simultaneously.
FBI Seizure of Core Domains
A pivotal moment in the operation was the FBI’s seizure of the primary domain netnut.com, which served as the central hub for NetNut’s customer portal, API endpoints, and malware distribution. According to Mark Karayan of Mandiant, the .com domain was actively used by the botnet operators alongside several other domains that were also taken down in the coordinated action. By removing control over these domains, the authorities disrupted the ability of customers to provision new proxy nodes and hindered the malware’s ability to contact its C2 servers. The seizure also facilitated the collection of evidentiary material for potential prosecution of those behind the service.
Threat‑Actor Usage and GTIG Observations
GTIG reported that, within a single week last month, researchers observed 316 distinct threat clusters leveraging suspected NetNut exit nodes. These clusters spanned financially motivated cybercriminals, credential‑stuffing gangs, and state‑linked espionage groups. Common abuse scenarios included using the residential proxies to mask the origin of password‑spraying attacks against enterprise VPNs, to automate fraudulent transactions on e‑commerce sites, and to reach victim environments for post‑exploitation lateral movement. The sheer diversity of actors underscored how valuable a large, reliable residential proxy pool had become to the underground economy.
Google’s Specific Mitigations and Protections
Beyond sharing intelligence, Google took direct steps to protect its ecosystem and users. The company disabled Google accounts and services that NetNut operators had relied upon for malware command‑and‑control, effectively cutting off a critical backend channel. Google Play Protect, the built‑in Android security scanner, automatically flagged and disabled the trojanized applications responsible for enrolling devices into the botnet, issuing warnings to affected users. Additionally, Google published technical indicators—such as file hashes, C2 IP addresses, and SDK signatures—to enable other platform providers, security vendors, and researchers to detect and block the malware across the broader Android landscape.
Impact on the Residential Proxy Industry and Reseller Model
Google anticipates that the NetNut disruption will have a lasting effect on the residential proxy market because many competing services operate as whitelabel resellers of NetNut’s infrastructure. The botnet’s reseller program allowed partners to rebrand and sell access to the same underlying proxy network, meaning that a sizable portion of the market depended on NetNut’s capacity. When one node is removed, operators often simply purchase replacement bandwidth from rival providers, preserving their business model while shifting the underlying source. As Karayan noted, the proxy industry is deeply interconnected, with constant buying and selling of botnet capacity; therefore, taking down a major player like NetNut forces the ecosystem to adapt, but also reduces the overall availability of abused residential IPs in the short term.
Connection to Earlier IPIDEA Disruption and Future Outlook
The NetNut takedown follows Google’s earlier successful disruption of the ID‑IDEA residential proxy botnet earlier this year, demonstrating a sustained focus on dismantling large‑scale abuse of home internet connections. Both operations illustrate the effectiveness of combining legal actions, technical takedowns, and proactive user protections. Looking forward, Google and its partners intend to continue monitoring for similar threats, sharing indicators of compromise, and working with ISPs to notify and remediate infected consumer devices. While cybercriminals will likely seek alternative proxy sources, each disruption raises the cost and complexity of maintaining large residential‑proxy networks, ultimately contributing to a safer internet for end‑users.

