top of page
OutSystems-business-transformation-with-gen-ai-ad-300x600.jpg
OutSystems-business-transformation-with-gen-ai-ad-728x90.jpg
TechNewsHub_Strip_v1.jpg

LATEST NEWS

Google and FBI dismantle NetNut residential proxy network hijacking 2 million home devices

  • Marijan Hassan - Tech Journalist
  • 13 hours ago
  • 2 min read

In a major coordinated strike against the global cybercrime backend, Google’s Threat Intelligence Group (GTIG), the FBI, and telecom partner Lumen Technologies have crippled NetNut, a massive residential proxy network that turned at least two million ordinary home internet connections into anonymous routing tunnels for threat actors. The multi-pronged operation resulted in the seizure of core command-and-control domains by law enforcement, alongside technical updates pushed across Google's software ecosystem to neutralize the malware components.



Traced back to a publicly traded Nasdaq entity, Israel-based Alarum Technologies Ltd, NetNut operated under a dual identity, positioning itself as a legitimate commercial web-scraping tool while covertly generating the "Popa" botnet to fuel state-sponsored espionage and automated credential theft.


The trojanized SDK pipeline

Unlike traditional botnets that break into networks using exploit payloads, NetNut scaled its reach by embedding hidden software development kits (SDKs) inside low-cost, off-brand Android smart TVs, streaming media boxes, and unverified utility apps available online. Unsuspecting consumers unknowingly rented out their home networks by accepting cash-for-bandwidth apps or plugging in pre-infected, no-name streaming hardware.


Once activated on a home local area network (LAN), the hijacked device became an "exit node." When NetNut’s paying customers or cybercriminals funneled traffic through the service, the connections appeared to web servers as legitimate domestic internet users, completely bypassing data-center blacklists and rate-limiting triggers.


Masking state-sponsored operations

The appeal of residential proxy networks to elite hacking groups has turned them into a top priority for federal law enforcement. Google Threat Intelligence reported that in a single seven-day window in June 2026, researchers tracked 316 distinct threat clusters utilizing NetNut exit nodes to hide their digital origins.


The malicious activity masked by the network included:

Password-Spraying Campaigns: Brute-forcing enterprise software environments using thousands of unique domestic IP addresses to evade security blocks.

Ad-Fraud Infrastructure: Simulating human browsing behavior to siphon millions in digital ad revenue.

State-Sponsored Intelligence: Advanced Persistent Threat (APT) groups using local relays to map target victim environments and download exfiltrated corporate documentation.


Implementing technical countermeasures

To prevent the platform from immediately rebuilding its infrastructure, Google deployed sweeping, automated mitigations across the Android ecosystem. Google Play Protect was updated to automatically identify and disable any applications containing the malicious NetNut SDK, while all Google accounts used by the provider to host malware command infrastructure were permanently terminated.


Security experts warn that while the intervention severely degraded NetNut's pool of active devices, the residential proxy market remains highly resilient due to white-label reseller programs, prompting federal advisories urging consumers to avoid unverified "bandwidth monetization" applications entirely.

wasabi.png
Gamma_300x600.jpg
paypal.png
bottom of page