Google, FBI Disrupt Massive Residential Proxy Network Powered by Millions of Devices
In a major blow to cybercrime operations, Google has joined forces with the FBI and other organizations to dismantle NetNut, a massive residential proxy network that had infected over 2 million Android devices. The takedown is a significant development in the ongoing battle against botnets and proxy networks used for malicious activities.
At its core, NetNut was a complex system of compromised devices that were rented out to various threat actors, including cybercriminals and espionage groups. These devices, which included smart TVs and streaming boxes, had been infected with malware such as Badbox 2.0, allowing their operators to mask the true source of malicious activity. According to Google, in a single week in June, NetNut was used in over 316 distinct threat clusters for password-spray attacks and accessing victim environments.
The network’s operator, Alarum Technologies Ltd, was linked to both NetNut and Popa, two names that have been associated with the same proxy network. The company’s business model relied on renting out access to its massive pool of compromised devices to various clients, who used them for malicious purposes such as hacking and espionage.
Google played a key role in the takedown by disabling Google accounts and services used for command-and-control (C&C) operations, effectively dismantling NetNut’s backend infrastructure. The company also disabled infected applications via Google Play Protect and warned victims of the threat through automatic alerts. Furthermore, Google shared threat intelligence with industry partners and law enforcement to help disrupt similar proxy networks.
The disruption of NetNut is significant not only because of its massive scale but also because of its ripple effect on the ecosystem. According to Google, when faced with the degradation of their own botnet, proxy operators often begin buying capacity from competitors, effectively becoming resellers. This highlights the need for continued efforts to target the infrastructure of interconnected providers.
The takedown is part of a larger effort to combat proxy networks and botnets that have become increasingly sophisticated in recent years. Other notable examples include the disruption of IPIDEA and the massive 17-million-device botnet dismantled by Dutch police. As the cyber threat landscape continues to evolve, it’s clear that collaboration between tech giants, law enforcement agencies, and industry partners will be crucial in keeping pace with the malicious activities of cybercriminals.
For individuals and organizations, this takedown serves as a reminder to remain vigilant against malware and compromised devices. It’s essential to keep software up to date, use robust security measures, and monitor network activity for signs of suspicious behavior. By staying informed about emerging threats and taking proactive steps to secure their systems, individuals can reduce the risk of falling victim to malicious activities orchestrated by proxy networks like NetNut.
Source: SecurityWeek — 2026-07-03