Google Disrupts NetNut: Millions of Home Devices Deployed as Covert Residential Proxies
Google's Threat Intelligence Group, in collaboration with the FBI and Lumen, has significantly degraded **NetNut**, a massive residential proxy network. This network, also tracked as **Popa**, covertly leverages millions of unsuspecting home devices, including smart TVs and streaming boxes, to route malicious traffic, posing significant security and privacy risks to users.

**Google** has announced a major disruption to **NetNut**, identified as one of the largest networks turning consumer home devices into rented relays for illicit traffic. Working alongside the **FBI** and **Lumen**, **Google's Threat Intelligence Group (GTIG)** reported that the network's pool of usable devices was reduced by millions.

**NetNut**, also known as **Popa**, operates by embedding its code on home devices globally, including smart TVs and streaming boxes. **GTIG** estimates this network comprises at least 2 million compromised devices. If your device is part of this network, attackers can route their traffic through your internet connection, masking their activities and making them appear to originate from your IP address.

## How Residential Proxy Networks Operate
Residential proxy networks sell access to legitimate home internet addresses. Attackers leverage these proxies to make their traffic appear as ordinary home browsing, bypassing security tools that typically block datacenter traffic.

To build this vast network, operators install their code on home devices, often pre-installed on cheap, off-brand hardware or hidden within seemingly innocuous free applications. Once installed, these devices become "exit nodes," through which other people's traffic flows.

**Google** warns that an exit node introduces external traffic into the home network, creating a potential foothold for attackers to access other devices within it. Some of these compromised gadgets have also been assimilated into large-scale botnets such as **Mirai** and **Badbox 2.0**.

In a single week in June, **GTIG** observed 316 distinct threat clusters utilizing suspected **NetNut** exit nodes. These included cybercriminal and espionage groups seeking to conceal their true location and conduct activities like password-guessing attacks.
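
The following is an added example, not code from Google or from the original article. It runs three checks over constructed login events to show why per-IP failure limits and datacenter-IP filtering miss password guessing spread across residential exit nodes, while counting distinct failing sources per account catches it. The event format, the thresholds and the `network_type` field are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, network_type, account, ok).
# network_type stands in for an IP-intelligence lookup (assumption); the
# addresses are documentation ranges, not real indicators.
def sample_events():
    events = [(1000 + 20 * i, f"198.51.100.{i}", "residential", "alice", False)
              for i in range(1, 31)]                      # 30 home IPs, one guess each
    events += [(1100, "203.0.113.7", "datacenter", "alice", False)] * 6  # noisy scanner
    events += [(1200, "192.0.2.10", "residential", "bob", False),
               (1215, "192.0.2.10", "residential", "bob", False),
               (1230, "192.0.2.10", "residential", "bob", True)]  # real user, typo
    return events

def per_ip_offenders(events, max_failures=5):
    """Classic control: source IPs that exceed a failed-login budget."""
    fails = Counter(ip for _, ip, _, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def datacenter_sources(events):
    """Classic control: sources an IP-type filter would drop."""
    return {ip for _, ip, net, _, _ in events if net == "datacenter"}

def distributed_guessing(events, window=900, min_sources=10):
    """Accounts with failures from many distinct IPs inside one time bucket."""
    sources = defaultdict(set)
    for ts, ip, _, account, ok in events:
        if not ok:
            sources[(account, ts // window)].add(ip)
    return {acct: len(ips) for (acct, _), ips in sources.items()
            if len(ips) >= min_sources}

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP limit flags:    ", per_ip_offenders(ev))
    print("datacenter filter hits:", datacenter_sources(ev))
    print("per-account fan-in:    ", distributed_guessing(ev))
```

Both source-centric controls flag only the datacenter scanner; the 30 residential addresses surface only when failures are grouped by the targeted account.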

## The Company Behind the Network
Unlike many proxy botnets, **NetNut** has been linked to a publicly traded company. In June, researchers from **Qurium**, **Synthient**, **Nokia Deepfield**, and **Spur** connected **Popa** to **NetNut**.

**NetNut** is a proxy provider owned by **Alarum Technologies (NASDAQ: ALAR)**, an Israeli publicly traded company. **Synthient** conducted a controlled test, demonstrating that traffic sent through **NetNut's** commercial gateway exited through a device enrolled in **Popa**.

While **Synthient** presented this as evidence of the traffic path rather than proof of **NetNut's** intent, **Google's** intelligence aligns with this, treating **NetNut** and **Popa** as the same network. **Google** states that public reporting corroborates its understanding of how **NetNut** constructs its botnet.

**Alarum** has rejected the "botnet" label, describing the research as "demonstrably inaccurate assertions and flawed deductions rather than verified facts." The company maintains that its software is for consented bandwidth-sharing and does not compromise devices. However, **Synthient's** research complicates this defense: its examination of over 20 apps found no explicit consent prompts for users.

## Why Disruption Requires Sustained Effort
Disrupting **NetNut** is inherently complex due to its reseller program, which allows other companies to sell its network capacity under different brand names. **Google** has high confidence that many popular, seemingly independent proxy brands are, in fact, reselling from the same **NetNut** pool. This means a single takedown can have a widespread impact across numerous brands that appear distinct but are interconnected.

**Google** characterizes this action as degradation rather than a complete shutdown. Previous efforts against similar networks, such as **IPIDEA**, have shown their resilience, with operators often shifting to buying capacity from rivals. **Google** emphasizes that lasting damage necessitates simultaneous action against several connected providers.

In January, **Google** and its partners disrupted **IPIDEA**, a China-based network that was once among the largest of its kind. In July 2025, **Google** also took legal action against the operators of **Badbox 2.0**, a botnet of hijacked Android TV devices that shares components with **Popa**. Each of these instances demonstrated the tenacious nature of these networks.

## Advice for Consumers
The clearest indicator that your device might be compromised is an app offering to pay you for "unused bandwidth" or for "sharing your internet." This is a primary method these networks use to expand.
Beyond that, consumers should:
* Exclusively use official app stores and carefully review the permissions requested by any VPN or proxy application.
* Keep built-in protections like **Google Play Protect** enabled.
* Purchase streaming boxes and smart TV hardware from reputable, well-known manufacturers, avoiding generic or no-name brands.

The demand for residential IP addresses will persist even as individual networks are disrupted. For cybersecurity defenders and platform providers, the next critical step is to monitor whether **NetNut**-linked traffic resurfaces under other reseller brands.

### UPDATE
**Alarum** has provided an official response to the takedown. **Omer Weiss**, corporate legal counsel for **Alarum**, stated that the company and **NetNut** were informed of the FBI's seizure of some of its domains on July 2, 2026. **Weiss** affirmed that **Alarum** "takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account."