Massive Botnet Tied to Malicious Activity Halted
Google and the FBI have successfully dismantled NetNut, a vast residential proxy network operating on an estimated two million hijacked home devices. The operation, detailed across multiple reports published around July 3rd, 2026, targeted the infrastructure used by cybercriminals and espionage groups to mask their illicit activities.
The disruption involved a multi-pronged approach by Google, including disabling Google accounts and services used for NetNut's command-and-control (C2) backend. This action severed the operators' connection to their management infrastructure. Additionally, Google Play Protect has been updated to automatically detect and disable applications bundled with NetNut's software development kits (SDKs) on Android devices, while also warning users and preventing future installations. Intelligence regarding NetNut's SDKs and C2 infrastructure has been shared with law enforcement, platform providers, and security researchers to aid in broader enforcement efforts.

NetNut, also internally tracked as Popa, allowed third parties to rent access to ordinary home internet connections across approximately 130 countries. These connections served as "exit nodes" for various illicit online behaviors. The proxy service was notably used by at least 316 identified threat actors for activities such as mass content scraping, advertising fraud, and account takeover schemes.
How Devices Were Compromised
Devices became unwitting participants in the NetNut network through two primary mechanisms:

Pre-installed Malware: Malicious code was embedded in devices before they were purchased by consumers.
Unwitting App Installation: Users unknowingly installed applications that contained hidden proxy code within their SDKs.
Commonly affected devices include smart TVs and streaming boxes, which, when connected to the internet, had their connections quietly rented out. Google Play Protect now actively warns Android users and disables apps containing NetNut SDKs. Users are advised to obtain devices from reputable manufacturers and install applications solely from trusted sources, paying close attention to app permissions, particularly for VPN and proxy services.
Reseller Networks and Ecosystem Impact
Investigations revealed that NetNut operated a significant reseller program, enabling various proxy services to "white-label" its infrastructure. This meant that many seemingly independent proxy brands were, in reality, repackaging the NetNut botnet under different names, all sharing the same backend. This reseller model highlights the interconnectedness of such networks and the challenge in fully eradicating them.
The operation, a coordinated international effort, also involved partners such as Lumen Technologies, the Shadowserver Foundation, and the U.S. Internal Revenue Service’s (IRS) Criminal Investigation division. Hundreds of domains tied to the Popa botnet were seized.
Background
Residential proxy networks like NetNut have become a critical tool for cybercriminals seeking to obscure their digital footprint. By leveraging compromised home internet connections, threat actors can conduct malicious activities without their true origin being easily traceable. The takedown of NetNut represents a significant blow to this infrastructure, but the underlying vulnerabilities that allow such networks to form and scale remain a persistent concern in the cybersecurity landscape.