---
url: "https://xcademia.com/news/google-fbi-disrupt-netnut-botnet-targeting-one-of-the-world-s-largest-malicious-residential-proxy-networks"
title: "Google, FBI Disrupt NetNut Botnet, Targeting One of the World's Largest Malicious Residential Proxy Networks"
description: "Google, the FBI, and partners disrupt the NetNut residential proxy network, protecting millions of Android devices and targeting infrastructure used by cybercriminals."
publishedAt: "2026-07-03T06:38:24.954+00:00"
updatedAt: "2026-07-03T08:34:12.610553+00:00"
type: news
category: cybersecurity
source_name: Google Cloud Blog
source_url: "https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks"
tags:
  - "#Cybersecurity"
  - "#GoogleThreatIntelligence"
  - "#NetNut"
  - "#Botnet"
  - "#ResidentialProxy"
  - "#AndroidSecurity"
  - "#ThreatIntelligence"
  - "#GooglePlayProtect"
---

# Google, FBI Disrupt NetNut Botnet, Targeting One of the World's Largest Malicious Residential Proxy Networks

> Google, in collaboration with the FBI, Lumen, and security partners, has disrupted the NetNut residential proxy network, disabling malware infrastructure, protecting Android users, and significantly reducing a botnet estimated to control more than 2 million compromised devices.

Source: **Google Cloud Blog** · 3 July 2026

## Google and FBI Strike Major Blow Against NetNut Residential Proxy Network

Google has announced a coordinated cybersecurity operation to disrupt **NetNut**, one of the world's largest malicious residential proxy networks. Working alongside the **Federal Bureau of Investigation (FBI)**, **Lumen Technologies**, and other industry partners, Google says it has significantly degraded NetNut's infrastructure and reduced its pool of compromised devices by millions.

The action marks Google's second major operation against malicious proxy networks in 2026, following its disruption of the **IPIDEA** residential proxy network earlier this year.

According to the **Google Threat Intelligence Group (GTIG)**, NetNut has become a key infrastructure provider for cybercriminals and state-sponsored threat actors seeking to conceal malicious online activity behind legitimate residential internet connections.

## What Is NetNut?

Residential proxy networks allow internet traffic to appear as though it originates from ordinary home internet connections rather than cloud servers or attacker-controlled infrastructure.

While residential proxies can have legitimate business uses, malicious operators build these networks by compromising consumer devices and secretly turning them into "exit nodes."

Google estimates the NetNut botnet consists of **at least 2 million compromised devices** distributed worldwide.

**Many of these devices include:**

- Smart TVs
- Android TV streaming boxes
- Set-top boxes
- Other internet-connected home devices

In many cases, users are unaware their devices have been enrolled into the proxy network.

![info-1](https://0a515t3ure77wbvx.public.blob.vercel-storage.com/articles/1783056568379-info-1--28-.webp)

## Actions Google Took

As part of the coordinated disruption, Google implemented multiple defensive measures across its ecosystem.

### Disabled Malware Infrastructure

Google disabled Google Accounts and cloud services being used as **command-and-control (C2)** infrastructure for NetNut malware.

These accounts violated Google's Terms of Service and Acceptable Use Policy.

### Shared Threat Intelligence

The company distributed technical intelligence, including SDK information and backend infrastructure details, to:

- Law enforcement agencies
- Security researchers
- Platform providers
- Industry partners

The goal is to improve detection and enforcement across the broader cybersecurity ecosystem.

### Strengthened Android Protection

Google also expanded protections through **Google Play Protect**, Android's built-in malware defense system.

Play Protect now:

- Detects known NetNut-enabled applications
- Warns users before installation
- Automatically disables affected applications
- Continues blocking future installation attempts

These protections are automatically available on certified Android devices.

## Why NetNut Is Dangerous

Unlike traditional botnets that focus primarily on spam or denial-of-service attacks, residential proxy networks monetize access to compromised home internet connections.

Attackers purchase access to these residential IP addresses to:

- Hide their real location
- Conduct cyberattacks anonymously
- Evade security detection
- Launch credential stuffing attacks
- Perform password spraying
- Access compromised environments

Because traffic originates from legitimate residential internet providers, many security systems consider it more trustworthy than traffic coming from known hosting providers.

### Real-World Threat Activity

Google reports that during **one week in June 2026**, it observed:

- **316 distinct threat clusters**
- Including cybercriminal organizations
- Espionage groups
- Nation-state actors

using suspected NetNut exit nodes.

The network has also been linked to the distribution of **Mirai-based DDoS botnets** and components associated with **Badbox 2.0**, another large-scale Android malware operation.

![info-2](https://0a515t3ure77wbvx.public.blob.vercel-storage.com/articles/1783057374746-info-2--7-.webp)

## Ripple Effects Across the Proxy Ecosystem

Google believes NetNut powers not only its own proxy service but also numerous white-label proxy brands sold under different names.

According to GTIG, many residential proxy providers may simply be reselling NetNut infrastructure.

This creates an interconnected ecosystem where disrupting one operator affects numerous downstream services.

However, Google cautions that operators often respond by purchasing proxy capacity from competing botnets, effectively becoming resellers themselves.

For that reason, long-term disruption requires coordinated action against multiple interconnected proxy providers rather than isolated takedowns.

## Risks for Consumers

One of Google's strongest warnings is directed at everyday consumers.

Many people unknowingly enroll their devices into residential proxy networks by:

- Installing unofficial applications
- Downloading modified APK files
- Accepting apps promising payment for "sharing unused bandwidth"
- Purchasing low-cost connected devices preloaded with malware

Once compromised, a home device may forward unknown internet traffic through the owner's network.

This creates several risks:

- Personal IP addresses become associated with criminal activity.
- Internet providers may flag or block legitimate traffic.
- Attackers may gain access to other devices on the same home network.
- Consumer privacy may be compromised.

![info-3](https://0a515t3ure77wbvx.public.blob.vercel-storage.com/articles/1783058398165-info-3--5-.webp)

## How Consumers Can Stay Protected

Google recommends several best practices to reduce exposure to malicious residential proxy networks:

- Download apps only from official app stores.
- Keep **Google Play Protect** enabled.
- Carefully review permissions requested by VPN and proxy applications.
- Avoid apps offering payment for unused internet bandwidth.
- Purchase connected devices from trusted manufacturers.
- Verify Android TV devices are **Play Protect Certified** before buying.

Following these practices can significantly reduce the risk of unknowingly participating in malicious proxy networks.

## Google's Ongoing Campaign Against Proxy Networks

This operation follows Google's January 2026 disruption of the **IPIDEA** residential proxy network, signaling a broader strategy to dismantle malicious proxy infrastructure.

According to Google, residential proxy operators increasingly rely on overlapping botnets, shared malware, and reseller relationships.

Because of these interconnections, isolated disruptions provide only temporary relief.

Google says it will continue working with:

- Internet service providers
- Mobile platforms
- Law enforcement agencies
- Security researchers
- Technology companies

to identify malicious command-and-control infrastructure and coordinate future takedowns.

## Final Thoughts

Google's latest operation against NetNut highlights the growing importance of collaboration in combating cybercrime. As residential proxy networks become increasingly sophisticated, they offer attackers powerful tools for masking malicious activity while exploiting millions of unsuspecting consumer devices.

By combining threat intelligence, platform security, law enforcement coordination, and ecosystem-wide information sharing, Google aims to reduce the effectiveness of these networks and improve protection for both organizations and everyday users.

While the company acknowledges that disrupting individual proxy networks is only one step, continued industry cooperation could significantly weaken the infrastructure that underpins many modern cyberattacks.

## Original source

https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks

## Tags

`#Cybersecurity` · `#GoogleThreatIntelligence` · `#NetNut` · `#Botnet` · `#ResidentialProxy` · `#AndroidSecurity` · `#ThreatIntelligence` · `#GooglePlayProtect`

---

## About this content

This Markdown news article is the citation-grade twin of [Google, FBI Disrupt NetNut Botnet, Targeting One of the World's Largest Malicious Residential Proxy Networks](https://xcademia.com/news/google-fbi-disrupt-netnut-botnet-targeting-one-of-the-world-s-largest-malicious-residential-proxy-networks). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/news/google-fbi-disrupt-netnut-botnet-targeting-one-of-the-world-s-largest-malicious-residential-proxy-networks
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
