Google and FBI Shut Down NetNut Proxy Network Hijacking 2 Million Devices

The NetNut proxy network ran on an estimated 2 million hijacked home devices.

Massive Botnet Tied to Malicious Activity Halted

Google and the FBI have successfully dismantled NetNut, a vast residential proxy network operating on an estimated two million hijacked home devices. The operation, detailed across multiple reports published around July 3rd, 2026, targeted the infrastructure used by cybercriminals and espionage groups to mask their illicit activities.

The disruption involved a multi-pronged approach by Google, including disabling Google accounts and services used for NetNut's command-and-control (C2) backend. This action severed the operators' connection to their management infrastructure. Additionally, Google Play Protect has been updated to automatically detect and disable applications bundled with NetNut's software development kits (SDKs) on Android devices, while also warning users and preventing future installations. Intelligence regarding NetNut's SDKs and C2 infrastructure has been shared with law enforcement, platform providers, and security researchers to aid in broader enforcement efforts.

NetNut, also internally tracked as Popa, allowed third parties to rent access to ordinary home internet connections across approximately 130 countries. These connections served as "exit nodes" for various illicit online behaviors. The proxy service was notably used by at least 316 identified threat actors for activities such as mass content scraping, advertising fraud, and account takeover schemes.

How Devices Were Compromised

Devices became unwitting participants in the NetNut network through two primary mechanisms:

  • Pre-installed Malware: Malicious code was embedded in devices before they were purchased by consumers.

  • Unwitting App Installation: Users unknowingly installed applications that contained hidden proxy code within their SDKs.

Commonly affected devices include smart TVs and streaming boxes, which, when connected to the internet, had their connections quietly rented out. Google Play Protect now actively warns Android users and disables apps containing NetNut SDKs. Users are advised to obtain devices from reputable manufacturers and install applications solely from trusted sources, paying close attention to app permissions, particularly for VPN and proxy services.

Reseller Networks and Ecosystem Impact

Investigations revealed that NetNut operated a significant reseller program, enabling various proxy services to "white-label" its infrastructure. This meant that many seemingly independent proxy brands were, in reality, repackaging the NetNut botnet under different names, all sharing the same backend. This reseller model highlights the interconnectedness of such networks and the challenge in fully eradicating them.

The operation, a coordinated international effort, also involved partners such as Lumen Technologies, the Shadowserver Foundation, and the U.S. Internal Revenue Service’s (IRS) Criminal Investigation division. Hundreds of domains tied to the Popa botnet were seized.

Background

Residential proxy networks like NetNut have become a critical tool for cybercriminals seeking to obscure their digital footprint. By leveraging compromised home internet connections, threat actors can conduct malicious activities without their true origin being easily traceable. The takedown of NetNut represents a significant blow to this infrastructure, but the underlying vulnerabilities that allow such networks to form and scale remain a persistent concern in the cybersecurity landscape.

Frequently Asked Questions

Q: What happened to the NetNut proxy network on July 3rd, 2026?
Google and the FBI successfully shut down NetNut, a large proxy network that used about 2 million hijacked home devices. This stops criminals from using these devices for bad online activities.

Q: How were devices used by NetNut?
Devices were used because they had malware installed before they were sold, or users unknowingly installed apps with hidden proxy code. This allowed NetNut to rent out internet connections for illegal acts.

Q: Who was affected by the NetNut network disruption?
The main people affected are cybercriminals who used NetNut to hide their illegal activities like fraud and account theft. Users whose devices were hijacked are also indirectly affected as their connections are now safer.

Q: What is the impact of this action on device users?
Google Play Protect will now warn Android users and stop apps with NetNut's code from running. Users should be careful about where they get devices and apps from to avoid future risks.

Q: What was NetNut used for?
NetNut was used by at least 316 threat actors to mask their online actions. They used it for things like scraping content, committing advertising fraud, and taking over online accounts.