Google Disrupts NetNut: Inside the Takedown of a 2-Million-Device Proxy Network

Google disrupted NetNut, a residential proxy network abused by malware operators across two million hijacked devices. Here is how the takedown worked.

Stop Trusted Devices From Becoming Hidden Relays
  • July 3, 2026

Google has struck a major blow against one of the internet’s quieter threats. Lately, the company disrupted NetNut, a residential proxy network abused by malware operators. The action reached an estimated two million hijacked devices worldwide. Moreover, it pulled in the FBI, tax investigators, and telecom partners, showing how seriously authorities now treat proxy-fueled crime.

Google Pulls the Plug on a Two-Million-Device Network

The attack was targeted on the infrastructure identified internally by Google as the “Popabotnet. Rather than pressing a kill switch on one particular element of this operation, Google adopted a multipronged strategy. This included the disabling of connected accounts, malicious applications identification via Play Protect, and intelligence sharing with its partners. In parallel, the FBI seized the domains associated with the botnet.

Google positioned the outcome as degradation rather than destruction. That is, the attack was devastating, but it does not mean that the botnet will cease to exist. Still, the interference with two million relay nodes is undoubtedly a blow to its creators.

What Residential Proxies Actually Do

A residential proxy routes internet traffic through real home devices. As a result, activity appears to come from an ordinary household rather than a data center. Legitimate businesses use these services for ad verification and price checks.

Criminals, however, love them for the very same reason. They blend in perfectly. Common abuses include:

  • Credential stuffing against login pages
  • Large-scale ad fraud and fake clicks
  • Web scraping and inventory hoarding
  • Masking command traffic for malware

Because the traffic looks human and local, standard defenses struggle to spot it. Therein lies the appeal for anyone wanting to stay hidden.

RESIDENTIAL PROXY DISRUPTION

NetNut Proxy Disruption — Popa Botnet Degraded

Google, in coordination with the FBI and telecom partners, disrupted the infrastructure of the Popa botnet, disabling connected accounts and interrupting traffic through two million hijacked home devices worldwide.

GOOGLE TAKEDOWN · BOTNET

The Disruption Strategy

NODES 2M

Google disrupted the infrastructure of the “Popa” botnet. By disabling connected accounts, identifying malicious apps via Play Protect, and sharing intelligence, Google and telecom partners degraded the operation, while the FBI seized the associated domains.

METHOD: Multipronged technical & legal action
PARTNERS: FBI, Tax Investigators, Telecoms
SILENT RELAYS · PROXYWARE

How Devices Are Hijacked

RISK HIGH

Smartphones, routers, and IoT devices are turned into exit nodes without consent. This happens through malicious apps with proxy code, “proxyware” bundled in free software, or compromised IoT devices. The bandwidth is sold to clients, relaying traffic silently.

ENTRY: Embedded proxy code & proxyware
IMPACT: Strangers’ criminal traffic relayed silently
BLOCKING DIFFICULTY · IPS

Why Traffic is Hard to Block

POOL ROTATING

Blocking datacenter IPs is easy, but blocking home connections risks harming legitimate users. The pool of IPs rotates across millions of devices. Nation-state groups leverage these residential proxies to hide espionage traffic and evade attribution.

DEFENSE: Cannot simply blacklist rotating home IPs
ACTORS: Espionage groups hiding in home traffic
LITIGATION & TECH · METHOD

Google’s Disruption Playbook

TOOL LAWSUIT

Google has adopted a playbook that combines technical action with aggressive lawsuits to disrupt criminal infrastructure. This approach targeting botnets has shifted lawsuits from a last resort to a strategic first-line tool.

EXAMPLES: Glupteba, CryptBot, Badbox 2.0
SHIELD: Aggressive litigation & infrastructure takedown

What Residential Proxies Do & Common Abuses

A residential proxy routes traffic through real home devices to make activity appear to come from ordinary households. While legitimate businesses use them for ad verification, criminals abuse them to stay hidden behind rotated, trusted IPs.

ABUSE 01

Credential Stuffing: Attacking login interfaces using rotated home IPs to easily bypass standard rate limits.

ABUSE 02

Ad Fraud: Simulating human behavior on publisher sites to commit large-scale ad fraud and generate fake clicks.

ABUSE 03

Inventory Hoarding: Mass web scraping and inventory hoarding to corner markets and block legitimate purchases.

ABUSE 04

Malware C2 Masking: Hiding malware command and control (C2) communications inside normal household web traffic.

© 2026 XCITIUM THREAT LABS

How Everyday Devices Became Criminal Relays

Most victims never agreed to join anything. Instead, hidden software quietly turned their phones, routers, and smart gadgets into exit nodes. Typically, this happens through several channels:

  • Malicious apps carrying embedded proxy code
  • “Proxyware” bundled inside free software
  • Compromised or poorly secured IoT devices

Once installed, the code sells the device’s bandwidth to paying clients. Consequently, an infected phone can relay a stranger’s criminal traffic without its owner ever noticing. That silent hijacking is exactly what lets these networks grow so massive.

A Cybercrime Tool With a Stock Ticker

This is where things become a little strange. NetNut is part of a company named Alarum Technologies, which is traded on the Nasdaq market. This makes this story different from the norm in the underground world.

It was independently proven that the Popa botnet had a direct connection to the proxy service of NetNut. Of course, the company denied these claims and justified their actions. Nonetheless, the reaction to this came quickly – Alarum’s shares were down about 24%, in one swoop.

Why This Traffic Is So Hard to Block

Blocking a data-center address is easy. Blocking a real family’s home connection is not. Therein lies the core problem with residential proxy abuse.

Security teams cannot simply blacklist these addresses without harming legitimate users. Furthermore, the pool of IPs constantly rotates across millions of devices. Nation-state groups have taken notice too. For instance, state-linked actors have hidden espionage traffic inside normal-looking home connections, making attribution far harder for defenders.

Google’s Growing Takedown Playbook

This step comes as part of a distinct and strategic pattern. In recent years, Google has increasingly been using the combination of lawsuits and technology to tackle criminal infrastructure. Some of the cases include:

  • Glupteba, a robust blockchain botnet
  • CryptBot, an information-stealing threat
  • Badbox 2.0, a massive fraud network for Android devices

In all these cases, the company uses lawsuits and technology as a way of fighting the menace. Nowadays, tech companies are increasingly using lawsuits as a strategic tool and not as a last resort.

The Rising Stakes of Proxy Abuse

The timing is indicative of the wider growth of proxy-facilitated criminal activity. Residential proxy systems have seen huge growth in scale and complexity. As other methods become more easily detectable, criminals become increasingly reliant on these difficult-to-trace proxies.

Numbers tell the story here. Ad fraud costs advertisers over ten billion dollars annually. Additionally, botnets assembled using home computer systems can facilitate denial-of-service attacks at a scale never before seen, breaking multiple terabits per second in several recent floods. Against such a growing threat, to dismantle a network of two million nodes sends a clear signal.

Conclusion: When Ordinary Devices Become Criminal Infrastructure

The NetNut disruption shows how quietly residential proxy abuse can scale. A phone, router, smart device, or workstation may look normal to its owner, but in the background it can become a rented relay for someone else’s traffic. That traffic can support credential stuffing, ad fraud, scraping, malware command activity, and espionage operations that hide behind trusted home IP addresses.

This is what makes residential proxy networks so dangerous. The device is not only infected. It becomes infrastructure.

Why This Threat Matters

Residential proxy abuse breaks one of the assumptions defenders rely on, that suspicious traffic comes from suspicious places. When malicious activity is routed through real consumer and business connections, it becomes harder to block without disrupting legitimate users.

  • Hijacked devices can relay criminal traffic silently
  • Malicious apps and proxyware can turn endpoints into exit nodes
  • Rotating residential IPs can bypass rate limits and reputation checks
  • Credential stuffing and ad fraud become harder to trace
  • Malware command traffic can blend into normal web activity
  • State-linked actors can use home traffic to make attribution harder

The result is a threat model where compromised devices do not only lose control. They help attackers hide.

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, hidden relay activity is stopped at the point that matters, execution.

This is Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Proxyware, hidden relay components, loaders, scripts, and suspicious network activity are governed before they can turn a managed endpoint into criminal infrastructure.

Detection asks, “Did we recognize this as malicious?”
Execution Governance asks, “Could unknown code turn this device into an attacker-controlled relay?”

That is the difference.

Do Not Let Trusted Devices Become Trusted Cover

Google’s disruption of NetNut reduced a major proxy network, but the lesson goes beyond one operation. Criminals will continue looking for devices they can quietly rent, route through, and hide behind.

Security teams cannot rely only on blocking bad IPs.
They must stop devices from becoming bad infrastructure.

Govern unknown execution before trust exists.
Prevent proxyware from turning endpoints into relays.
Prove control before abuse becomes impact.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo