Google, FBI Disrupt NetNut Botnet, Targeting One of the World's Largest Malicious Residential Proxy Networks
Google, in collaboration with the FBI, Lumen, and security partners, has disrupted the NetNut residential proxy network, disabling malware infrastructure, protecting Android users, and significantly reducing a botnet estimated to control more than 2 million compromised devices.
Xcademia Team
Xcademia Research Team

Google and FBI Strike Major Blow Against NetNut Residential Proxy Network
Google has announced a coordinated cybersecurity operation to disrupt NetNut, one of the world's largest malicious residential proxy networks. Working alongside the Federal Bureau of Investigation (FBI), Lumen Technologies, and other industry partners, Google says it has significantly degraded NetNut's infrastructure and reduced its pool of compromised devices by millions.
The action marks Google's second major operation against malicious proxy networks in 2026, following its disruption of the IPIDEA residential proxy network earlier this year.
According to the Google Threat Intelligence Group (GTIG), NetNut has become a key infrastructure provider for cybercriminals and state-sponsored threat actors seeking to conceal malicious online activity behind legitimate residential internet connections.
What Is NetNut?
Residential proxy networks allow internet traffic to appear as though it originates from ordinary home internet connections rather than cloud servers or attacker-controlled infrastructure.
While residential proxies can have legitimate business uses, malicious operators build these networks by compromising consumer devices and secretly turning them into "exit nodes."
Google estimates the NetNut botnet consists of at least 2 million compromised devices distributed worldwide.
Many of these devices are:
Smart TVs
Android TV streaming boxes
Set-top boxes
Other internet-connected home devices
In many cases, users are unaware their devices have been enrolled into the proxy network.

Actions Google Took
As part of the coordinated disruption, Google implemented multiple defensive measures across its ecosystem.
Disabled Malware Infrastructure
Google disabled Google Accounts and cloud services being used as command-and-control (C2) infrastructure for NetNut malware.
These accounts violated Google's Terms of Service and Acceptable Use Policy.
Shared Threat Intelligence
The company distributed technical intelligence, including SDK information and backend infrastructure details, to:
Law enforcement agencies
Security researchers
Platform providers
Industry partners
The goal is to improve detection and enforcement across the broader cybersecurity ecosystem.
Strengthened Android Protection
Google also expanded protections through Google Play Protect, Android's built-in malware defense system.
Play Protect now:
Detects known NetNut-enabled applications
Warns users before installation
Automatically disables affected applications
Continues blocking future installation attempts
These protections are automatically available on certified Android devices.
Why NetNut Is Dangerous
Unlike traditional botnets that focus primarily on spam or denial-of-service attacks, residential proxy networks monetize access to compromised home internet connections.
Attackers purchase access to these residential IP addresses to:
Hide their real location
Conduct cyberattacks anonymously
Evade security detection
Launch credential stuffing attacks
Perform password spraying
Access compromised environments
Because traffic originates from legitimate residential internet providers, many security systems consider it more trustworthy than traffic coming from known hosting providers.
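The following detection sketch illustrates the point above. It is an added example, not taken from Google's report: a per-source-IP failure threshold misses a password spray spread across rotating residential exit nodes, while a rule keyed on targeted accounts catches it. The log format, thresholds, and IP addresses (documentation ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(minutes=10)

def make_events():
    """Constructed sample auth log: (time, source IP, username, outcome)."""
    t0 = datetime(2026, 1, 1, 9, 0, 0)
    # Spray through rotating exit nodes: 40 accounts, one attempt per IP.
    events = [(t0 + timedelta(seconds=10 * i), f"198.51.100.{i + 1}",
               f"user{i:02d}", "fail") for i in range(40)]
    # Ordinary noise: one user mistypes a password three times, then succeeds.
    for s in (5, 20, 35):
        events.append((t0 + timedelta(seconds=s), "203.0.113.7", "alice", "fail"))
    events.append((t0 + timedelta(seconds=50), "203.0.113.7", "alice", "ok"))
    return sorted(events)

def windows(events):
    """Group failed logins into fixed WINDOW-sized buckets."""
    buckets = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            buckets[(ts - EPOCH) // WINDOW].append((ip, user))
    return buckets

def per_ip_alerts(events, threshold=5):
    """Source-centric rule: any single IP with >= threshold failures in a window."""
    hits = set()
    for fails in windows(events).values():
        per_ip = Counter(ip for ip, _ in fails)
        hits |= {ip for ip, n in per_ip.items() if n >= threshold}
    return sorted(hits)

def spray_alerts(events, min_users=20, max_per_ip=2):
    """Target-centric rule: many accounts failing from many low-volume IPs."""
    alerts = []
    for key, fails in sorted(windows(events).items()):
        per_ip = Counter(ip for ip, _ in fails)
        quiet = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        users = {user for ip, user in fails if ip in quiet}
        if len(users) >= min_users:
            alerts.append({"window": key, "accounts": len(users), "ips": len(quiet)})
    return alerts

if __name__ == "__main__":
    log = make_events()
    print("per-IP rule:", per_ip_alerts(log))
    print("spray rule:", spray_alerts(log))
```

On the constructed log, the per-IP rule stays silent because no address exceeds three failures, while the account-centric rule reports one window with 40 accounts targeted from 40 addresses.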
Real-World Threat Activity
Google reports that during one week in June 2026, it observed 316 distinct threat clusters, including cybercriminal organizations, espionage groups, and nation-state actors, using suspected NetNut exit nodes.
The network has also been linked to the distribution of Mirai-based DDoS botnets and components associated with Badbox 2.0, another large-scale Android malware operation.

Ripple Effects Across the Proxy Ecosystem
Google believes NetNut powers not only its own proxy service but also numerous white-label proxy brands sold under different names.
According to GTIG, many residential proxy providers may simply be reselling NetNut infrastructure.
This creates an interconnected ecosystem where disrupting one operator affects numerous downstream services.
However, Google cautions that operators often respond by purchasing proxy capacity from competing botnets, effectively becoming resellers themselves.
For that reason, long-term disruption requires coordinated action against multiple interconnected proxy providers rather than isolated takedowns.
Risks for Consumers
One of Google's strongest warnings is directed at everyday consumers.
Many people unknowingly enroll their devices into residential proxy networks by:
Installing unofficial applications
Downloading modified APK files
Accepting apps promising payment for "sharing unused bandwidth"
Purchasing low-cost connected devices preloaded with malware
Once compromised, a home device may forward unknown internet traffic through the owner's network.
This creates several risks:
Personal IP addresses become associated with criminal activity.
Internet providers may flag or block legitimate traffic.
Attackers may gain access to other devices on the same home network.
Consumer privacy may be compromised.

How Consumers Can Stay Protected
Google recommends several best practices to reduce exposure to malicious residential proxy networks:
Download apps only from official app stores.
Keep Google Play Protect enabled.
Carefully review permissions requested by VPN and proxy applications.
Avoid apps offering payment for unused internet bandwidth.
Purchase connected devices from trusted manufacturers.
Verify Android TV devices are Play Protect Certified before buying.
Following these practices can significantly reduce the risk of unknowingly participating in malicious proxy networks.
Google's Ongoing Campaign Against Proxy Networks
This operation follows Google's January 2026 disruption of the IPIDEA residential proxy network, signaling a broader strategy to dismantle malicious proxy infrastructure.
According to Google, residential proxy operators increasingly rely on overlapping botnets, shared malware, and reseller relationships.
Because of these interconnections, isolated disruptions provide only temporary relief.
Google says it will continue working with internet service providers, mobile platforms, law enforcement agencies, security researchers, and technology companies to identify malicious command-and-control infrastructure and coordinate future takedowns.
Final Thoughts
Google's latest operation against NetNut highlights the growing importance of collaboration in combating cybercrime. As residential proxy networks become increasingly sophisticated, they offer attackers powerful tools for masking malicious activity while exploiting millions of unsuspecting consumer devices.
By combining threat intelligence, platform security, law enforcement coordination, and ecosystem-wide information sharing, Google aims to reduce the effectiveness of these networks and improve protection for both organizations and everyday users.
While the company acknowledges that disrupting individual proxy networks is only one step, continued industry cooperation could significantly weaken the infrastructure that underpins many modern cyberattacks.
Source: Google Cloud Blog