Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices

In a major joint operation, Google, the FBI, and other organizations have dismantled NetNut, a massive residential proxy network that had been secretly powered by over 2 million compromised Android devices. The network’s operator, linked to the Israeli firm Alarum Technologies Ltd, rented out these proxies to various threat actors, including cybercriminals and espionage groups.

NetNut’s proxy network was built on top of malware known as Badbox 2.0, which infected millions of smart TVs, streaming boxes, and other Android devices through trojanized applications. The network used these compromised devices to hide the locations of threat actors in password-spray attacks and to access victim environments. In one week alone in June, Google observed over 316 distinct threat clusters using NetNut’s proxies.

The joint operation involved disabling Google accounts and associated services used for command-and-control (C&C) activities, effectively dismantling the botnet’s backend infrastructure. Google also disabled infected applications via its Play Protect service and warned victims of the threat. Furthermore, the company shared threat intelligence with industry partners and law enforcement to disrupt the network’s operations.

NetNut’s takedown is significant not only because of the scale of the operation but also because it highlights the complexity of the botnet ecosystem. NetNut operates a reseller program, allowing other popular brands to use its proxy network under their own branding. This means that when faced with disruption, proxy operators may simply shift their business to their competitors, creating a fluid and ever-changing landscape for security teams.

Google’s efforts to disrupt NetNut are part of a larger trend in the cybersecurity industry, where companies are recognizing the need to target not just individual botnets but also the infrastructure of interconnected providers. By scaling up its efforts to tackle multiple providers simultaneously, Google hopes to create lasting disruption in the proxy network ecosystem.

The takedown of NetNut is a reminder that residential proxy networks pose significant threats to online security and should be taken seriously by individuals and organizations alike. It’s essential for users to remain vigilant and take steps to protect themselves from potential threats, such as installing reputable antivirus software and keeping their devices up to date with the latest security patches.

In practical terms, this takedown serves as a warning to individuals who may have compromised devices in their homes or workplaces. If you suspect that your device has been infected with malware, it’s essential to take immediate action by scanning your device for malware and resetting any compromised applications. By staying informed and proactive, we can all play a role in disrupting the activities of malicious actors and keeping our online environment safer.


Source: SecurityWeek — 2026-07-03