
Google Dismantles NetNut Residential Proxy That Hacked 2 Million Home Devices


Jul 03, 2026 · 3 min read

Google, working alongside the FBI, Lumen Technologies, and other industry partners, has taken action to dismantle the NetNut residential proxy network, also tracked as “Popa,” which is estimated to have compromised at least 2 million home devices worldwide.

Google disabled Google accounts and services that NetNut used for malware command-and-control, a direct violation of its Terms of Service and Acceptable Use Policy.

The company also shared technical intelligence on NetNut’s SDKs and backend C2 infrastructure with law enforcement, platform providers, and research firms to drive broader ecosystem enforcement.

Additionally, Google Play Protect was updated to automatically warn users and disable applications bundled with NetNut SDKs, extending protection against future installation attempts on Android devices.

This operation builds on Google’s January 2026 disruption of the IPIDEA proxy network, reflecting a sustained campaign against malicious residential proxy operators. Google noted that NetNut operates a robust reseller program that enables white-labeling of its infrastructure, meaning many popular proxy brands may, in fact, be repackaging the NetNut botnet under different names.


Independent investigative reporting by KrebsOnSecurity has linked the Popa botnet directly to NetNut, a subsidiary of the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR).

Popa functions as a plugin component of the larger Vo1d botnet, which targets unofficial Android-based TV boxes bundled with pirated streaming apps such as CRICFy, DooFlix, and Flixoid. Security firm Qurium traced Popa’s control infrastructure to domains including ninjatech[.]io, linked to Moishi Kramer, a former NetNut VP of R&D who denied current operational control over the infrastructure.

Proxy-tracking firm Synthient independently analyzed Popa’s SDK and found outbound traffic conclusively tied to NetNut clients, stating with “high confidence” that Popa devices actively forward NetNut proxy traffic.

Alarum Technologies has disputed the “botnet” characterization, asserting that NetNut’s SDKs facilitate consensual bandwidth-sharing and that the company enforces KYC and misuse-monitoring policies. However, proxy-tracking service Spur countered that NetNut lacks meaningful corporate verification, allowing individuals to purchase proxy access with minimal validation.

Lumen’s Black Lotus Labs estimates the Popa botnet cycles through 1.5 to 2.5 million distinct IP addresses daily, directed by roughly 250-300 controller domains, making it one of the most widely resold proxy networks in the criminal ecosystem.

Nokia Deepfield researchers suggest the true device population could be significantly higher, based on relay-node traffic sampling. In a single week during June 2026, Google’s Threat Intelligence Group observed 316 distinct threat clusters, including cybercriminal and espionage groups, leveraging suspected NetNut exit nodes for password spraying and infrastructure obfuscation.

Home devices become unwitting proxy nodes either through pre-installed malware or hidden SDKs bundled in free apps, exposing other devices on the same network to external threats and Mirai-variant DDoS infections.

Google urges consumers to avoid apps promising payment for “unused bandwidth,” stick to official app stores, and verify Play Protect certification status before purchasing connected devices like smart TVs and streaming boxes.

Google emphasized that the residential proxy industry is deeply interconnected, with operators frequently reselling capacity from rivals when their own infrastructure is disrupted, a resilience pattern already observed following the IPIDEA takedown.

The company is calling for continued cross-industry intelligence sharing and coordinated infrastructure blocking to achieve lasting impact against this fluid, resale-driven threat ecosystem.

Source: CybersecurityNews.com
