Google has helped disrupt one of the world’s largest residential proxy botnets, known as NetNut, a malicious network that gave cybercriminals access to millions of compromised Android devices, including smart TVs and streaming boxes.
The operation was carried out alongside the FBI, Lumen Technologies, The Shadowserver Foundation, and several other cybersecurity partners.
According to Google’s Threat Intelligence Group (GTIG), NetNut controlled at least two million infected devices worldwide. The botnet relied on malware hidden inside trojanized apps and large-scale botnets such as Badbox 2.0, which secretly installed proxy software on victims’ devices.
Residential proxy networks allow attackers to route their internet traffic through real home internet connections instead of data centers. By using the residential IP addresses of infected devices, cybercriminals can disguise malicious activity, making attacks appear as though they are coming from ordinary users. These networks are commonly used to avoid detection during hacking campaigns.
Many affected devices become infected either because malware is pre-installed before purchase or because users unknowingly install malicious or modified applications. Once compromised, the devices silently forward internet traffic for the botnet, potentially causing owners’ home internet connections to be flagged or blocked by online services and internet providers.
As part of the coordinated takedown, the FBI seized domains linked to the operation, including netnut.com, which was reportedly used by the proxy network. Google also shut down accounts and infrastructure used by the attackers to control infected devices, cutting off access to critical command-and-control systems.
Google said it detected 316 separate threat clusters using suspected NetNut exit nodes during a single week last month. These groups included financially motivated cybercriminals as well as espionage actors that used the service for password-spraying attacks, accessing their own infrastructure, and targeting victim networks while hiding behind residential IP addresses.
To protect Android users, Google used Play Protect to automatically identify and disable infected applications while warning affected users. The company also shared technical information about NetNut’s software development kits (SDKs) and command-and-control infrastructure with platform providers, cybersecurity researchers, and law enforcement agencies to support broader defensive efforts.
Researchers believe the disruption could have a significant impact across the residential proxy industry because NetNut operated a large reseller program that allowed other proxy providers to rebrand and resell its network. Since many proxy services rely on shared botnet infrastructure, taking down a major provider can affect numerous interconnected services.
Google says this latest operation is part of its ongoing effort to dismantle residential proxy botnets. It follows the company’s earlier disruption of the IPIDEA proxy network and reflects continued collaboration between technology companies and law enforcement to reduce the infrastructure used by cybercriminals.





