Full Report
Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and others, Google's Threat Intelligence Group (GTIG) said this week it had reduced the network's pool of usable devices by millions. Google identifies NetNut, also tracked as Popa, as a network spread across home
Analysis Summary
# Incident Report: Degradation of NetNut (Popa) Residential Proxy Network
## Executive Summary
Google's Threat Intelligence Group (GTIG), in collaboration with the FBI and Lumen, executed a major disruption operation against NetNut (also known as Popa), a massive residential proxy botnet. The operation successfully reduced the pool of usable compromised devices by millions, significantly hindering the ability of threat actors to mask malicious traffic behind legitimate home internet connections. NetNut is allegedly linked to the publicly traded Israeli firm Alarum Technologies, though the company disputes the "botnet" classification.
## Incident Details
- **Discovery Date:** June 2026 (Public attribution by researchers)
- **Incident Date:** Ongoing; Disruption announced July 02, 2026
- **Affected Organization:** Distributed across millions of private home networks
- **Sector:** Residential Internet/IoT
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-dating July 2025 (overlaps with Badbox 2.0 and Mirai)
- **Vector:** Supply chain compromise (pre-installed on off-brand hardware) and deceptive "free" applications.
- **Details:** Attackers embedded proxy code into cheap off-brand smart TVs and streaming boxes during manufacturing or bundled the payload with free apps that promised users rewards for "sharing" bandwidth without explicit consent.
### Lateral Movement
- **Details:** Once installed, the proxy software treats the home device as an "exit node." This position allows outside traffic as a foothold to potentially scan or reach other internal devices on the local home network.
### Data Exfiltration/Impact
- **Impact:** Abuse of residential IP reputations. Over 316 distinct threat clusters (criminal and espionage) used the nodes in a single week in June for password-guessing and to bypass geolocation-based security filters.
### Detection & Response
- **Detection:** Identified by GTIG and researchers at Qurium, Synthient, Nokia Deepfield, and Spur through traffic analysis and controlled gateway testing.
- **Response Actions:** Google, the FBI, and Lumen collaborated to "degrade" the network, removing millions of devices from the available pool and targeting the infrastructure used by resellers.
## Attack Methodology
- **Initial Access:** Supply chain (pre-installed firmware) and Social Engineering (malicious "bandwidth sharing" apps).
- **Persistence:** Firmware integration on IoT/Android TV devices.
- **Defense Evasion:** Use of residential IPs to bypass data center-based IP blacklists and appear as legitimate home browsing.
- **Lateral Movement:** Inbound traffic routing into private home LANs.
- **Impact:** Network abuse, reputational damage to home IP addresses, and facilitation of large-scale credential stuffing.
## Impact Assessment
- **Financial:** Massive infrastructure investment by NetNut operators degraded; potential costs to users in bandwidth consumption.
- **Data Breach:** Exposure of internal home networks to external traffic.
- **Operational:** Disruption of over 2 million nodes.
- **Reputational:** Publicly traded owner Alarum Technologies facing scrutiny from researchers and law enforcement.
## Indicators of Compromise
- **Network indicators:** Traffic routing through `NetNut[.]io` or `Popa` infrastructure gateways.
- **Behavioral indicators:** IoT devices (Smart TVs/boxes) generating high volumes of outbound traffic to unauthorized destinations; devices acting as gateways for external inbound connections.
## Response Actions
- **Containment measures:** Targeted disruption of command-and-control (C2) and reseller gateway infrastructure.
- **Eradication steps:** Google and partners "knocked out" millions of devices from the proxy pool.
- **Recovery actions:** Ongoing monitoring for reseller "sprawl" where operators attempt to buy capacity from rival networks.
## Lessons Learned
- **Key takeaways:** Residential proxy networks are frequently built on "involuntary" or "deceptive" botnets rather than transparent consent.
- **Resilience:** These networks are highly resilient; a "kill" is difficult because operators often pivot to reselling or purchasing capacity from other compromised pools (e.g., following the IPIDEA or Badbox disruptions).
## Recommendations
- **Consumer Prevention:** Avoid purchasing off-brand IoT/Android TV devices; do not install apps that offer payment for "unused bandwidth."
- **Enterprise Prevention:** Implement behavioral analytics to detect "residential proxy" signatures in incoming traffic, even if the IP appears legitimate.
- **Policy:** Support inter-agency cooperation (FBI/Private Sector) to target the financial and gateway infrastructure of proxy providers rather than just individual nodes.