Google Says It Has Weakened NetNut Residential Proxy Network Linked to Millions of Home Devices

Google says it has disrupted a large residential proxy network associated with NetNut, reducing the number of devices available to route traffic through home internet connections. The company said the...

Google says it has disrupted a large residential proxy network associated with NetNut, reducing the number of devices available to route traffic through home internet connections. The company said the effort was carried out with help from the FBI, Lumen, and other partners as part of a broader campaign to limit abuse of consumer devices.

Google Threat Intelligence Group (GTIG) said the network, which it tracks as Popa and associates with NetNut, spans smart TVs, streaming boxes, and other home electronics around the world. Google estimates the pool includes at least 2 million devices. In practice, that means traffic from unrelated users can be sent through a residential connection, making it appear to come from a normal household rather than a data center or known proxy service.

How the network operates

Residential proxy services rely on software running on consumer hardware. In some cases, the software is bundled with inexpensive devices; in others, users install apps that quietly enroll the device in bandwidth-sharing or proxy activity. Once activated, the device can become an exit node that forwards traffic for paying customers.

Google said the setup can create security and privacy risks for the home network itself, since outside traffic is effectively carried through the same connection as the owner’s devices. GTIG also said it observed 316 distinct threat clusters using suspected NetNut exit nodes in a single week in June, including groups involved in cybercrime and espionage activity.

Researchers from Qurium, Synthient, Nokia Deepfield, and Spur previously linked Popa to NetNut. Synthient said a controlled test showed traffic sent into NetNut’s commercial gateway emerging through a device enrolled in Popa. NetNut’s parent company, Alarum Technologies, has denied that the service is a botnet and says its software is intended for consent-based bandwidth sharing.

Google described its action as a degradation rather than a complete takedown, noting that these networks can shift capacity between affiliated brands and resellers. The company pointed to earlier work against IPIDEA and Badbox 2.0 as examples of how similar infrastructure can reappear under different names.

  • Avoid apps that promise payment for “unused bandwidth” or internet sharing.
  • Install software only from trusted app stores and review requested permissions carefully.
  • Keep built-in protections such as Google Play Protect enabled.
  • Buy smart TVs and streaming devices from reputable manufacturers.

Following the reported domain seizures, Alarum said it would cooperate with law enforcement and investigate any misuse of its infrastructure.