Google and FBI Dismantle Massive NetNut Botnet Targeting 2 Million Devices

by Anika Shah - Technology
0 comments

Google, in coordination with the FBI, Lumen Technologies, and other security partners, has effectively crippled the NetNut proxy network, a global infrastructure that compromised an estimated two million residential devices. The operation targeted the network, also known as Popa, by seizing hundreds of associated domains and blocking accounts used to manage the botnet’s command-and-control operations, according to Google’s Threat Intelligence Group.

How the NetNut Botnet Operated

The NetNut network functioned by hijacking the residential IP addresses of unsuspecting consumers. By routing malicious traffic through these private connections—including smart TVs, routers, and streaming boxes—operators made cyberattacks appear as if they originated from legitimate home networks. This technique allowed malicious actors to evade security filters that typically flag and block traffic coming from known data centers.

How the NetNut Botnet Operated

According to Google, the infrastructure was primarily distributed through malicious software development kits (SDKs). These components were often embedded within free applications or pre-installed on low-cost, "no-name" hardware. In some cases, users were incentivized to install these apps with the promise of earning money by sharing their unused internet bandwidth.

The Scale of Criminal Exploitation

The reach of the NetNut network was extensive, serving as a primary tool for hundreds of criminal hacking groups. Data from Google’s security analysts revealed that in a single week in June 2026, 316 distinct threat clusters utilized NetNut exit nodes to conduct cyberattacks.

These groups employed the hijacked IP addresses for a variety of illicit activities, including:

  • Credential Stuffing: Attempting to gain unauthorized access to accounts using large-scale, automated login attempts.
  • Infrastructure Hosting: Directing traffic to support other malware campaigns, including links to the Badbox 2.0 botnet.
  • Targeted Espionage: Conducting reconnaissance and data theft while masked by residential IP addresses.

Impact of the Disruption

The coordinated intervention has significantly degraded the network’s capacity. Google stated that the operation reduced the pool of available devices for the proxy operator by millions. As part of the cleanup effort, the company is using Google Play Protect on Android devices to automatically detect and disable applications containing known NetNut components to prevent further exploitation of consumer hardware.

Cyber News Daily July 4 2026 NetNut Popa 2M Botnet KDDI CrownX Singapore Oracle EBS

The network’s business model was multifaceted, involving both direct sales to cybercriminals and a reseller program that allowed third-party providers to market the infrastructure under their own branding. By targeting the command-and-control domains, the FBI and its partners have severed the central oversight required to manage this global proxy fleet.

Key Takeaways for Device Security

  • Residential Masking: Cybercriminals favor residential proxies because they bypass standard security blocks, making malicious traffic appear as legitimate home activity.
  • Supply Chain Risks: Malware is often introduced through third-party SDKs hidden inside seemingly harmless apps or inexpensive, unbranded smart devices.

Related Posts

Leave a Comment