Global Takedown Hits Residential Proxy Botnet Behind 2 Million Compromised Home Devices

Law enforcement and industry partners disrupted the NetNut residential proxy network, which compromised millions of home devices to route malicious traffic for cybercriminal and espionage operations.

CSBadmin

How the NetNut Network Operated

Google, in collaboration with the FBI, Lumen Technologies, and other partners, has disrupted the NetNut residential proxy network, also known as ‘Popa’. This operation targeted a system that compromised at least 2 million home devices worldwide to create a massive proxy botnet. NetNut functioned as a subsidiary of the publicly traded Israeli firm Alarum Technologies, and its infrastructure was resold through a white-label program, meaning many popular proxy services were effectively repackaging this malicious network.

The Popa botnet operated as a component of the larger Vo1d botnet, which specifically targets unofficial Android TV boxes running pirated streaming apps. Home devices were infected either through pre-installed malware or through hidden SDKs bundled in free applications, which turned them into proxy nodes without the users' knowledge.

Impact and Scope of the Disruption

Lumen’s Black Lotus Labs estimated that the Popa botnet cycled through 1.5 to 2.5 million distinct IP addresses daily, controlled by approximately 250 to 300 command domains. In a single week during June 2026, Google’s Threat Intelligence Group observed 316 distinct threat clusters, including both cybercriminal and espionage groups, leveraging NetNut exit nodes for password spraying and infrastructure obfuscation.

Google responded by disabling accounts and services that NetNut used for malware command and control in violation of Google's Terms of Service. The company also updated Google Play Protect to automatically warn users and disable applications bundled with NetNut SDKs. Security researchers expressed high confidence in the connection between Popa devices and NetNut proxy traffic, though Alarum Technologies disputed the botnet characterization, claiming its SDKs facilitate consensual bandwidth sharing. Google is urging consumers to avoid apps promising payment for unused bandwidth and to verify Play Protect certification before purchasing connected devices.

Source: Cyber Security News
