Google Threat Intelligence, in coordination with the U.S. Federal Bureau of Investigation and Lumen Technologies, has disrupted the NetNut residential proxy network. The operation significantly degraded a service that had leveraged more than two million home devices worldwide to relay internet traffic for malicious purposes.
NetNut, also known as Popa, sold access to residential internet addresses. This allowed buyers to route traffic through real home connections, making malicious activity appear as ordinary browsing to security tools. Google estimates the network included smart TVs and streaming boxes with preinstalled or concealed proxy code.
The takedown involved disabling Google accounts used for malware command and control, sharing technical intelligence with partners, and warning users about applications carrying the NetNut software. The scale of abuse was large, with threat intelligence identifying hundreds of threat clusters using the network for espionage and cyberattacks in a single week.
The network is linked to Alarum Technologies Ltd., an Israeli company publicly traded on the Nasdaq. The firm has disputed characterizations of the network as a botnet, stating its software involves consented bandwidth sharing. This action follows Google's recent disruption of the China-based IPIDEA network and legal action against the Badbox 2.0 botnet.