Google’s Threat Intelligence Group and the FBI jointly dismantled NetNut (also tracked internally as Popa), one of the largest residential proxy networks tied to criminal and espionage operations. The enforcement action, executed on July 3, seized several NetNut domains and disabled the Google accounts and cloud services used for NetNut’s command-and-control infrastructure, cutting criminal operators off from a proxy pool built from 2 million hijacked home devices across at least 130 countries.
How NetNut Built a Two-Million-Device Criminal Proxy Pool
NetNut expanded its exit-node network by secretly installing software on home devices — primarily smart TVs and Android streaming boxes — without any notification to device owners. Once enrolled, each infected device served as a rentable exit node, allowing paying criminal customers to route their traffic through residential IP addresses that appeared to security tools as ordinary consumer internet connections rather than attacker infrastructure.
The residential nature of those exit nodes is the core of NetNut’s commercial value to criminal operators. Reputation-based defenses can reliably block datacenter IP ranges, but residential addresses from home internet connections carry legitimate reputation scores. Traffic originating from a compromised smart TV in a suburban home bypasses the IP blocklists that stop the same attack routed through a datacenter server. NetNut monetized that gap by maintaining a network of infected consumer devices and renting their internet connections to anyone willing to pay.
NetNut’s Reseller Ecosystem Amplified the Network’s Criminal Reach
NetNut’s model went beyond direct access sales. The network operated a reseller program allowing other companies to rebrand and sell access to the same underlying proxy pool under different names. Google’s Threat Intelligence Group and the FBI identified that several seemingly independent proxy services were NetNut resellers, sharing the same infrastructure backend while presenting separate brands to criminal customers.
That reseller layer means the enforcement action disrupts a broader portion of the proxy-for-hire market than the NetNut name alone implies. Criminal operators who believed they were purchasing from an independent proxy provider may have been routing through NetNut infrastructure without knowing it. Those reseller relationships extend NetNut’s operational footprint and complicate efforts by smaller operators to rebuild under new branding after the seizures.
The Scale of NetNut’s Criminal Customer Base
In a single representative week in June 2026, Google’s Threat Intelligence Group counted 316 distinct threat clusters using suspected NetNut exit nodes to mask their location, conduct password-guessing attacks, and evade IP-based detection controls. That figure represents not a single criminal organization but a cross-section of the global threat actor community purchasing proxy access as a commodity infrastructure service.
The breadth of that customer base confirms that residential proxy networks have become standard operational infrastructure for a wide range of criminal and espionage activity. Credential-stuffing campaigns, espionage operations, and fraud schemes all share the same need to disguise their origin, and NetNut satisfied that need across hundreds of separate threat groups simultaneously.
Why 316 Threat Clusters Could Use a Single Network Undetected
The same properties that make residential proxies attractive to criminal operators make them difficult for defenders to identify at the network layer. No single IP address signals NetNut traffic because NetNut exit nodes are ordinary home internet connections distributed across 130 countries. Blocking them requires either behavior-based detection or real-time threat intelligence feeds listing known NetNut exit nodes — neither of which is available to most enterprise security teams without specialist data sources.
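To illustrate the behavior-based option, the Python example below (added here, not code from Google, the FBI or this article) runs a per-source-IP failure threshold and a per-account source-rotation check over the same authentication events. The log format, thresholds, function names and sample events are assumptions constructed for the example; the addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PER_IP_LIMIT = 5      # classic per-source failure threshold (assumed value)
MIN_FAILURES = 6      # failures against one account inside WINDOW (assumed value)
MIN_IP_SPREAD = 0.8   # distinct source IPs divided by failures (assumed value)

def parse(line):
    """Parse 'ISO-timestamp src_ip username outcome' (constructed log format)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def per_ip_alerts(events):
    """Baseline control: flag any source IP with more than PER_IP_LIMIT failures."""
    fails = defaultdict(int)
    for _, ip, _, outcome in events:
        if outcome == "FAIL":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > PER_IP_LIMIT}

def rotation_alerts(events):
    """Flag accounts whose failures in a sliding window come from many distinct IPs."""
    by_user = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        if outcome == "FAIL":
            by_user[user].append((ts, ip))
    flagged = set()
    for user, fails in by_user.items():
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most WINDOW of time.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            spread = len({ip for _, ip in window}) / len(window)
            if len(window) >= MIN_FAILURES and spread >= MIN_IP_SPREAD:
                flagged.add(user)
                break
    return flagged

# Constructed sample: "alice" is guessed from 8 different addresses, one try each;
# "bob" mistypes his password three times from his own address, then logs in.
SAMPLE = [f"2026-06-15T10:0{i}:00 198.51.100.{10 + i} alice FAIL" for i in range(8)]
SAMPLE += [f"2026-06-15T10:0{i}:30 203.0.113.7 bob FAIL" for i in range(3)]
SAMPLE.append("2026-06-15T10:04:00 203.0.113.7 bob OK")
EVENTS = [parse(line) for line in SAMPLE]
```

On the sample, the per-IP check raises nothing because no address exceeds the threshold, while the rotation check flags the account that was targeted from a new address on every attempt.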
Google’s Three-Part Enforcement Response Against NetNut
Google’s response operated on three simultaneous fronts. It disabled the Google accounts and cloud services supporting NetNut’s command-and-control backend, cutting operators off from their management infrastructure. It shared technical intelligence on NetNut’s software development kits and backend systems with law enforcement agencies, platform providers, and security research firms to enable detection and coordinated response. Finally, it updated Google Play Protect to warn users and disable Android applications confirmed to embed the NetNut SDK.
The FBI’s parallel domain seizures removed NetNut’s public-facing infrastructure, preventing operators from directing infected devices to replacement servers using established domain names. The combined approach — backend account suspension paired with domain seizure — reflects a coordinated takedown structure that addresses both the control systems and the naming infrastructure simultaneously. Operators attempting to rebuild cannot simply point existing infected devices to new domains if those domains are also seized, and cannot fall back to the Google-hosted backend after those accounts are suspended.
Device owners whose smart TVs or Android streaming boxes appear in Google Play Protect warnings should treat the device as potentially compromised. A factory reset and network credential rotation are the appropriate response for any device flagged as embedding the NetNut SDK.
