Google Disrupts NetNut, a 2-Million-Device Residential Proxy Network Tied to Popa Botnet
- Abuse detected: In one week, GTIG tracked over 300 distinct threat clusters using suspected NetNut exit nodes.
- Scale confirmed: GTIG estimates the NetNut network, also known as Popa, spans at least 2 million hijacked home devices worldwide.
- Reseller risk: Many popular residential proxy brands may white-label the NetNut network, meaning this disruption may not affect every service built on it.
Over the course of one week in June 2026, Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters, including cybercriminal and espionage groups, using suspected NetNut exit nodes to mask unauthorized access to victim environments. GTIG also disabled the Google accounts and associated services that NetNut used for malware command-and-control (C2), a use that directly violates Google's Terms of Service.
GTIG shared technical intelligence on NetNut's software development kits (SDKs) and backend C2 infrastructure with law enforcement, platform providers, and research firms, and updated Google Play Protect to automatically warn users and disable apps found to contain NetNut SDKs.
Why the NetNut (Popa) Botnet Puts Home Devices at Risk
Residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs), which lets attackers hijack those addresses for their own traffic. Attackers can then use device owners' home IP addresses for hacking and other unauthorized activities, such as password spraying.
When a home device becomes an exit node, unauthorized traffic passes through it, exposing other private devices on the same home network to internet threats.
According to KrebsOnSecurity and others, and as confirmed by Google, NetNut is populated via SDKs distributed on home devices such as smart TVs and streaming boxes, which covertly enroll those devices in the malicious network as exit nodes.
GTIG also identified NetNut botnet plugin components for large-scale botnets such as the Badbox 2.0 botnet, whose operator it sued in July 2025.
NetNut Reseller Brands: How to Protect Your Devices
Google says it has high confidence that many popular residential proxy brands are white-labeling the NetNut network through its reseller program, so the disruption may not reach every service. Because operators historically respond by buying capacity from competitors, a lasting impact will require targeting several interconnected providers.
Google urges consumers to:
- Be wary of any app offering payment in exchange for "unused bandwidth" or "sharing your internet," the primary way these networks recruit devices.
- Use only official app stores.
- Review permissions for third-party VPNs and proxies.
- Ensure built-in security protections, such as Google Play Protect, are active.
The takedown, disclosed July 2, 2026, was coordinated with the FBI, Lumen, and other industry partners, building on Google's January 2026 disruption of the IPIDEA proxy network. “NetNut has been incredibly common among resellers, and they were on par with IPIDEA in terms of their daily traffic, quality, size, price per gigabyte, all of it,” Synthient founder Benjamin Brundage told KrebsOnSecurity.
Google's findings align with independent public reporting from Synthient, Spur, and Nokia Deepfield, which have documented the use of NetNut to infect devices with variants of Mirai DDoS botnets.








