Full Report
Background Today, in coordination with the FBI, Lumen, and others, Google took action against the NetNut residential proxy network, also known as Popa. This action builds on our disruption of the IPIDEA proxy network that took place in January 2026, and is a continuation of Google’s objective to dismantle malicious residential proxy networks. Actions Taken As a part of this disruption we took the following actions: Disabled Google accounts and associated Google services used by NetNut for malware command and control (C2), which directly violates Google’s Terms of Service and Acceptable Use Policy. Shared technical intelligence on NetNut software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and research firms to help drive ecosystem-wide awareness and enforcement. We ensured Google Play Protect, Android’s built-in security protection, automatically warned users and disabled applications known to incorporate NetNut SDKs, and the system will continue to protect users against future install attempts. These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices. We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions. In addition to selling access to the network under the NetNut brand, NetNut has a robust reseller program that allows whitelabeling of its network. Google has high confidence that many popular residential proxy brands are in fact whitelabeling the NetNut botnet. While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient. What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller. We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers. We will continue to observe the composition of the NetNut network and map out how its peers adapt to this action. Why it Matters NetNut is among the largest and most popular residential proxy networks. Estimating the size of residential proxy networks is extremely challenging, but Google Threat Intelligence Group (GTIG) estimates the size of the NetNut network to be at least 2 million devices, distributed across the world. Public reporting by KrebsOnSecurity and others, confirmed by Google, illustrates that NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes. GTIG has also identified NetNut botnet plugin components for large-scale botnets such as Badbox 2.0. Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs), allowing attackers to mask malicious activity by hijacking these IP addresses. A robust residential proxy network requires controlling millions of residential IP addresses to sell to customers for use. To accomplish this, operators need code running on home devices to enroll them into the malicious network as exit nodes. Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers. In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks. Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats. Public reports by Synthient, Spur, Nokia Deepfield, and others have documented the use of NetNut to infect devices with variants of Mirai DDoS botnets. Empowering and Protecting Consumers Consumers should be extremely wary of applications that offer payment in exchange for "unused bandwidth" or "sharing your internet." These applications are primary ways for malicious proxy networks to grow, and could open security vulnerabilities on the device’s home network. We urge users to stick to official app stores, review permissions for third-party VPNs and proxies, and ensure built-in security protections like Google Play Protect are active. Consumers should be careful when purchasing connected devices, such as set top boxes, to make sure they are from reputable manufacturers. For example, to help you confirm whether or not a device is built with the official Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your Android device is Play Protect certified. Future Work As we noted earlier this year, the residential proxy industry appears to be rapidly expanding, and this coordinated disruption is not the end of our work combating malicious residential proxy networks. This industry is deeply connected and operators depend on overlapping botnet networks that are constantly resold. While point-in-time disruptions are a critical tool to protect our users, continued and coordinated effort is needed to reduce malicious proxy networks in the long run. We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and to take direct action to block malicious C2 infrastructure.
Analysis Summary
# Incident Report: Coordinated Disruption of the NetNut (Popa) Residential Proxy Network
## Executive Summary
In July 2026, Google, in coordination with the FBI and Lumen, executed a major disruption against the NetNut (also known as "Popa") residential proxy network. The operation targeted a botnet of at least 2 million devices used by various threat actors to mask malicious activities, resulting in significant degradation of the network's operational capacity.
## Incident Details
- **Discovery Date:** Ongoing monitoring; significant activity spike noted June 2026
- **Incident Date:** July 2, 2026 (Disruption Action Date)
- **Affected Organization:** NetNut (Popa) Proxy Network (and its white-label resellers)
- **Sector:** Cybercrime Infrastructure / Residential Proxy Services
- **Geography:** Global (Estimated 2 million+ devices worldwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing through early 2026
- **Vector:** Malicious Software Development Kits (SDKs) and Malware
- **Details:** NetNut populated its network by embedding SDKs into consumer applications (e.g., those promising pay for "unused bandwidth") and pre-installing malware on low-cost home devices like smart TVs and streaming boxes.
### lateral Movement
- **Details:** Once a device became an exit node, threat actors used the foothold to pivot and access other private devices on the same local home network, exposing internal IoT devices to the internet.
### Data Exfiltration/Impact
- **Impact:** In June 2026 alone, 316 distinct threat clusters (cybercriminal and espionage groups) utilized NetNut to mask IP addresses, conduct password spray attacks, and deploy Mirai DDoS botnet variants.
### Detection & Response
- **Discovery:** Google Threat Intelligence Group (GTIG) identified NetNut components within the Badbox 2.0 botnet and tracked infrastructure through backend C2 analysis.
- **Response:** Coordinated takedown on July 2, 2026, involving account disabling, SDK flagging, and intelligence sharing with law enforcement.
## Attack Methodology
- **Initial Access:** Hidden SDKs in apps; malware pre-installed by manufacturers; deceptive "bandwidth sharing" apps.
- **Persistence:** Botnet plugin components (e.g., Badbox 2.0) integrated into device firmware or core apps.
- **Defense Evasion:** Using legitimate residential IP addresses owned by ISPs to mask malicious traffic and bypass IP-based reputation filters.
- **Lateral Movement:** Exploiting the trusted status of the infected device on the local network to target other home devices.
- **Impact:** Hijacking of residential bandwidth; facilitating unauthorized access to victim environments; DDoS attacks (Mirai).
## Impact Assessment
- **Financial:** Significant degradation of NetNut’s business operations and revenue from their white-label reseller program.
- **Data Breach:** Risk of exposure for private data on home networks where devices acted as exit nodes.
- **Operational:** Removal of millions of devices from the active proxy pool.
- **Reputational:** Public exposure of NetNut’s malicious practices and associated white-label brands.
## Indicators of Compromise
- **Network Indicators:** Traffic routed through suspected NetNut exit nodes; C2 communications to disabled Google-hosted infrastructure.
- **File Indicators:** Applications containing NetNut SDKs; Badbox 2.0 plugin components.
- **Behavioral Indicators:** Devices exhibiting unauthorized network traffic; residential IPs flagged for password spraying or DDoS participation.
## Response Actions
- **Containment:** Google disabled all accounts and services used by NetNut for C2 operations.
- **Eradication:** Google Play Protect automatically warned users and disabled apps containing the malicious SDK.
- **Recovery:** Sharing technical intelligence with ISPs and platform providers to block backend infrastructure.
## Lessons Learned
- **Key Takeaways:** Residential proxy networks are highly fluid; when one botnet is degraded, operators frequently buy capacity from competitors to remain resilient.
- **Ecosystem Interconnectivity:** Many "legitimate" looking proxy brands are simply white-labeling illegal botnets.
## Recommendations
- **Consumer Safety:** Avoid applications that offer payment for "sharing internet." Purchase connected devices (Android TV, etc.) only from Play Protect certified partners.
- **Enterprise Defense:** Do not rely solely on IP reputation for security, as attackers use residential proxies to appear as legitimate home users.
- **Industry Collaboration:** Persistent sharing of C2 infrastructure intelligence between ISPs and cloud providers is required to keep pace with botnet resilience.