Google and FBI disrupt NetNut residential proxy network tied to 2 million devices
Google says it has worked with US law enforcement and several security partners to reduce the reach of NetNut, a residential proxy service that researchers believe was built on a botnet of more than 2...
Google says it has worked with US law enforcement and several security partners to reduce the reach of NetNut, a residential proxy service that researchers believe was built on a botnet of more than 2 million devices. The operation involved Google, the FBI, Lumen, Shadowserver and other organizations, and follows a similar disruption effort aimed at the IPIDEA proxy network earlier this year.
According to Google Cloud, NetNut was among the largest providers in the residential proxy market and appears to have relied heavily on small TV-streaming devices. Residential proxy services route internet traffic through ordinary home or consumer connections, which can make malicious activity look like it is coming from legitimate residential addresses instead of a data center or known attacker infrastructure.
How the network was used
Proxy operators often recruit device owners by claiming they can earn money by sharing unused bandwidth. In practice, that can mean installing software development kits or other components on devices that then become part of a larger network of exit nodes. Google warned that this model not only supports cybercrime, but can also create security risks inside home networks.
NetNut reportedly sold standalone proxy access, along with mobile and datacenter proxy services, and also marketed scrapers, datasets, and a reseller program. Researchers suspect that parts of the wider residential proxy ecosystem may have depended on NetNut infrastructure, which could widen the impact of the takedown.
Google said that in one week in June 2026 it observed 316 separate threat clusters using suspected NetNut exit nodes. Those groups included both criminal actors and espionage-related activity. Common uses included hiding the source of malicious traffic, reaching victim systems, contacting attacker-controlled infrastructure, and carrying out password-spraying attacks.
Broader impact and next steps
Researchers also noted possible links between NetNut and other botnet families, including components associated with Badbox 2.0. Public reporting has additionally pointed to NetNut-related infrastructure being used in Mirai-based infections.
Google said it expects the disruption to affect more than one provider, but also cautioned that this market can adapt quickly, with operators sometimes buying capacity from competitors when their own systems are affected. The company said longer-term disruption will likely require continued coordination among internet providers, mobile platforms, and other technology firms.
