NetNut cracked as Google and FBI target 2 million-device botnet
Other residential proxy brands may rely on the same network
Connor Jones
Cybersecurity reporter
Published Fri 3 Jul 2026 // 13:03 UTC
Tech companies working with US law enforcement "significantly degraded" the NetNut residential proxy network as part of an ongoing effort to disrupt the tools cybercriminals use to conceal their activity, say researchers.
The work was carried out by Google, Lumen, Shadowserver, the FBI, and others, and marks a continuation of the IPIDEA proxy network disruption from January.
According to Google Cloud, those working on the operation believe NetNut was among the most popular residential proxy network providers and had at least 2 million devices enrolled in its botnet, comprising mainly small TV-streaming hardware. Crims often use residential proxy networks to make it look like their traffic is actually coming from legit homes and businesses.
In the same way that other residential proxy networks expand their pool of enrolled devices, NetNut distributed its own SDK via these devices.
Proxy providers often approach users under the guise of monetizing their spare bandwidth, paying them a fee in exchange for letting their SDK run on their devices.
The official advice is, of course, to refuse any offers of this kind. Not only does it help feed the cybercrime ecosystem, but it can also lead to vulnerabilities elsewhere in home networks.
NetNut offered its own standalone proxy networks, as well as mobile and datacenter proxies, and a slew of scrapers and datasets.
However, it also offered a reseller program, and experts believe many other residential proxy networks are powered by NetNut's own, which means the disruption may have further downstream effects.
"While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient," Google's Threat Intelligence Group (GTIG) said.
"What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller.
"We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers. We will continue to observe the composition of the NetNut network and map out how its peers adapt to this action."
Residential proxy networks are not illegal, although they are often abused for cybercrime.
These networks are ostensibly pitched as a means to shore up online privacy, and promote ideals such as freedom of expression without risk of being traced.
However, the same privacy-preserving features of these networks are used by cybercriminals to mask their malicious activity.
They enroll ordinary devices, which are connected to innocent residential networks, at scale and offer them to customers as exit nodes.
Cybercriminals can make use of these networks to channel their traffic through these nodes, making the traffic appear to originate from an IP address they do not control.
"In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups," said Google.
"These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks."
Reports also suggest that NetNut has a role to play in other botnet families. GTIG said it found plugin components for large-scale botnets such as Badbox 2.0, while other public reports have noted signs of NetNut being used to infect devices with Mirai variants.
The Register asked GTIG why NetNut's second domain (netnut.io) remains online, while netnut.com returns a "This website has been seized" splash page, but it did not immediately reply.
Google's announcement hinted at similar takedowns to take place in the future, as the residential proxy network market continues to grow.
However, it said these ad hoc disruptions are only effective for so long, and that a long-term approach would require support from ISPs, mobile platforms, and other technology companies. ®