Google, FBI disrupt massive NetNut botnet linked to 2 million devices
Google says it disrupted the NetNut residential proxy network after disabling accounts used for malware command-and-control operations, cutting millions of compromised devices out of the network.

- Google says it disrupted the NetNut botnet by disabling accounts used for malware command-and-control operations.
- The company estimates the network relied on roughly 2 million internet-connected devices to route traffic through residential IP addresses.
- Google warns the residential proxy industry is rapidly expanding, making it harder to disrupt botnets used by hackers and spies.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Google said on Thursday that it has significantly disrupted NetNut – one of the world’s largest residential proxy botnets – by cutting off Google accounts and services tied to its command-and-control operations.
The Google Threat Intelligence Group (GTIG) announced the takedown in a blog post, estimating the botnet spans at least 2 million home devices worldwide.
“We observed 316 distinct threat clusters—cybercrime and espionage groups—using the network to mask activity and launch password spray attacks,” GTIG said in a post on X.
The takedown happened in coordination with the FBI, Lumen Technologies, and other partners, building on Google’s January disruption of the IPIDEA proxy network.
Google said this also involved sharing technical intelligence on NetNut software development kits (SDKs) and backend infrastructure with law enforcement, platform providers, and research firms.
Millions of devices caught in NetNut network
To disable the NetNut residential proxy network – also known as “Popa” – Google says it cut off the botnet’s access to Google accounts and associated services.
“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said.
Google also warned that many popular residential proxy brands may be tied to the same operation, predicting that this latest disruption will have “ripple effects” across the malicious proxy ecosystem.
In addition to selling access to the network under the NetNut brand, NetNut has a robust reseller program that allows “whitelabeling of its network.”
This means threat actors will buy access to NetNut's device pool and then, using their own logo, website, and branding, resell that access as their own proxy service.
Why residential proxy botnets are dangerous
Residential proxy networks route internet traffic through consumer IP addresses, allowing attackers to mask where their traffic is really coming from.
Google says operators build these networks by getting code onto home devices, turning them into exit nodes that can be sold to customers.
Unsuspecting users may download apps containing hidden proxy code or even purchase off-market connected devices preloaded with malware.
In a single week in June, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups.
The company says those actors used NetNut to hide their real IP addresses to carry out attacks such as password spraying and connecting with their own command infrastructure.
GTIG also identified NetNut botnet plugin components linked to multiple botnet operations, including the previously disrupted “BadBox2.0” campaign, which targeted cheap off-brand Android devices and consumer hardware.
Proxy industry keeps expanding
Google says NetNut was populated through SDKs on devices commonly found in homes, including smart TVs and streaming boxes.
Public reports have also linked NetNut to Mirai-based DDoS botnet infections.
The company urges consumers to be wary of apps offering payment in exchange for “unused bandwidth” or “sharing your internet” – the primary way malicious proxy networks grow.
GTIG says users should stick to official app stores, review permissions for third-party VPNs and proxies, and make sure built-in security protections like Google Play Protect are active.
Google said it has made sure its Google Play Protect, Android’s built-in app security protection, is automatically warning users and has already disabled apps known to include NetNut SDKs.
The Play Protect system “will continue to protect users against future install attempts,” it said.