Google and FBI Take Down NetNut Residential Proxy Network That Compromised 2 Million Devices

A coordinated law enforcement and industry operation exposes how residential proxy botnets silently exploit home routers and IoT devices — and what it means for digital privacy and infrastructure security.

How Google, the FBI, and Industry Partners Dismantled a Global Residential Proxy Botnet

In a significant coordinated cybersecurity operation, Google — working alongside the FBI, Lumen Technologies, and a coalition of industry partners — has taken decisive action to dismantle a residential proxy botnet known as NetNut, also tracked under the internal designation "Popa." The network is estimated to have compromised at least 2 million home devices worldwide, silently co-opting ordinary routers, smart TVs, and IoT endpoints to route malicious or anonymized traffic through unsuspecting households. The residential proxy botnet takedown represents one of the more technically nuanced enforcement actions in recent memory, targeting not just a criminal network but also the infrastructure layer that makes such operations nearly invisible to traditional detection tools.

Google's role in the takedown was specifically focused on disabling Google accounts and cloud services that NetNut operators were using for malware command-and-control (C2) infrastructure — a direct violation of Google's Terms of Service and, more broadly, of computer fraud statutes in multiple jurisdictions. According to reporting by CyberSecurity News, the operation targeted the backend systems that allowed NetNut's operators to issue instructions to infected devices and collect the monetized proxy traffic flowing through them. By severing access to these cloud-based C2 nodes, Google effectively crippled the botnet's ability to manage and deploy its compromised device pool.

[Image: cybersecurity professional analyzing network threats on multiple screens. Caption: Coordinated infrastructure takedowns require deep cooperation between law enforcement and tech platforms.]

What Makes Residential Proxy Networks So Dangerous — and So Hard to Detect

To understand why this takedown matters, it helps to understand what residential proxy networks actually do — and why they are uniquely problematic compared to conventional malware or data center-based botnets. Unlike proxies that route traffic through identifiable data center IP addresses, residential proxy networks use IP addresses assigned to real home broadband connections. This makes their traffic appear entirely legitimate to websites, anti-fraud systems, and even sophisticated threat intelligence platforms.

Legitimate residential proxy services exist and operate in legal grey zones, often recruiting users who knowingly opt in to share bandwidth in exchange for compensation or free software. However, when those proxies are built on the back of compromised devices — routers, smart TVs, network-attached storage systems, and other always-on IoT endpoints that consumers rarely monitor or patch — they cross a clear legal and ethical line. The devices' owners have no idea their home internet connection is being rented out to route third-party traffic, which could include ad fraud, credential stuffing attacks, scraping operations, or worse.

Research published by Spamhaus and other threat intelligence organizations has repeatedly highlighted how residential botnets are increasingly used to bypass geo-restrictions, evade rate limiting, and defeat CAPTCHAs — essentially acting as industrial-scale anonymization infrastructure built on stolen computing resources. The FBI has noted in previous advisories that residential proxy infrastructure is frequently weaponized for large-scale cyberattacks precisely because the source IPs appear to belong to innocent civilians.

2M+: Home devices compromised by NetNut
4: Key partners in the takedown operation
C2: Google cloud infrastructure used for command-and-control
Global: Reach across multiple countries and continents

Why Abusing Google's Infrastructure Was Central to NetNut's Operation

One of the more technically revealing aspects of this case is NetNut's exploitation of Google's own services for command-and-control. Using major cloud platforms as C2 infrastructure is a well-documented evasion tactic known as "living off trusted services", or in threat intelligence parlance the abuse of legitimate internet services: the cloud analogue of living-off-the-land (LOLBAS) tradecraft. By routing C2 traffic through platforms like Google, operators could hide their communications inside normal-looking HTTPS traffic to trusted domains, making the activity far harder for network defenders to block or even detect without generating enormous numbers of false positives.

This technique has been observed across numerous sophisticated threat actors, including nation-state-linked APT groups, as documented by Mandiant in multiple threat intelligence reports. The fact that a commercially oriented botnet like NetNut was employing these same techniques underscores how advanced evasion methods have trickled down from high-level threat actors into the broader criminal ecosystem. Google's decision to explicitly disable the accounts and services associated with NetNut's C2 operations represents an important expansion of the role that platform providers play in active cybersecurity enforcement, beyond simply responding to abuse reports.
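As an added illustration of the detection problem described above (this is not code from the original article or from any organization named in it), the following Python scores each device-to-host connection series for machine-like regularity, the behavioral signal defenders fall back on when the destination itself is a trusted cloud domain that cannot simply be blocked. The flow log, the 192.168.50.0/24 home network and both host names are constructed placeholders.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real telemetry). Host names are placeholders:
# one stands in for a trusted cloud API domain, the other for a streaming site.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 192.168.50.12 api.trusted-cloud.example 812
2024-05-01T10:05:01 192.168.50.12 api.trusted-cloud.example 804
2024-05-01T10:10:00 192.168.50.12 api.trusted-cloud.example 815
2024-05-01T10:15:02 192.168.50.12 api.trusted-cloud.example 809
2024-05-01T10:20:00 192.168.50.12 api.trusted-cloud.example 811
2024-05-01T10:01:13 192.168.50.30 video.streaming.example 52000
2024-05-01T10:09:47 192.168.50.30 video.streaming.example 48120
2024-05-01T10:31:02 192.168.50.30 video.streaming.example 61400
2024-05-01T10:33:20 192.168.50.30 video.streaming.example 2300
2024-05-01T10:52:05 192.168.50.30 video.streaming.example 70010
"""

MIN_FLOWS = 5           # enough samples to judge regularity
MAX_INTERVAL_CV = 0.10  # inter-connection gap jitter (stdev / mean)
MAX_SIZE_CV = 0.25      # variation in bytes sent per connection

def parse_flows(text):
    """Group 'timestamp src dst bytes' lines by (src, dst)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            groups[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return groups

def coeff_var(values):
    """Coefficient of variation; low values mean machine-like regularity."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")

def find_beacons(text, min_flows=MIN_FLOWS):
    """Return (src, dst, interval_cv, size_cv) for regular, same-size flows."""
    hits = []
    for (src, dst), events in parse_flows(text).items():
        if len(events) < min_flows:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        icv, scv = coeff_var(gaps), coeff_var([n for _, n in events])
        if icv <= MAX_INTERVAL_CV and scv <= MAX_SIZE_CV:
            hits.append((src, dst, round(icv, 3), round(scv, 3)))
    return hits
```

On the sample data only the device that contacts the cloud host every five minutes with near-identical payload sizes is flagged; the streaming client's irregular, variably sized sessions are not, which is the distinction a blocklist on the destination domain cannot make.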

"When cloud platforms become the command infrastructure for botnets, defenders can no longer rely solely on network perimeter controls — the fight has moved inside the trust boundary of legitimate services, and that demands a fundamentally different response strategy."

— Senior Threat Intelligence Analyst, cybersecurity industry perspective

Lumen Technologies and the BGP-Level Infrastructure Disruption

While Google's contribution involved disabling accounts and services, Lumen Technologies — one of the world's largest backbone internet providers — played a complementary and equally critical role. As a tier-1 network operator with visibility into global routing tables, Lumen was positioned to disrupt NetNut's infrastructure at the BGP (Border Gateway Protocol) level, effectively null-routing or blocking traffic associated with the botnet's backend systems. This type of network-level intervention, sometimes called a "BGP blackhole," cuts off connectivity to malicious infrastructure without requiring action at the endpoint level, making it one of the most powerful tools available in coordinated takedown operations.

Lumen's threat intelligence division, Black Lotus Labs, has a documented history of participating in major botnet disruptions. According to its own published research, the team has contributed to actions against multiple high-profile botnet families by leveraging the company's unique position in the global internet routing ecosystem. The combination of Google's platform-level intervention and Lumen's network-level disruption illustrates the multi-layered architecture that modern botnet takedowns increasingly require — no single actor has visibility or authority over the entire attack surface.

Organization | Role in Takedown | Technical Layer
Google | Disabled C2-linked accounts and cloud services | Platform / Application
FBI | Legal authority, warrants, criminal investigation | Law Enforcement
Lumen Technologies | Network-level traffic disruption via BGP | Network / Infrastructure
Industry Partners | Threat intelligence sharing and endpoint indicators | Intelligence / Endpoint

What the NetNut Botnet Means for GDPR Compliance and Digital Sovereignty in Europe

For privacy professionals and IT decision-makers operating in European contexts, the NetNut case raises a set of questions that extend well beyond traditional cybersecurity concerns into the terrain of data protection law and digital sovereignty. Under the General Data Protection Regulation (GDPR), organizations are responsible for ensuring the security of personal data they process — but what happens when the attack surface is a home device belonging to an employee working remotely, or a small business router that has been silently recruited into a residential proxy botnet?

The answer is uncomfortable: in many scenarios, a compromised home device could be intercepting, proxying, or inadvertently exposing traffic that contains personal data subject to GDPR protections. The device's owner may be entirely unaware, yet the data breach could have real consequences for any organization whose employees use that connection. European regulators, including the European Data Protection Board (EDPB), have increasingly emphasized that organizations must account for the security of remote access infrastructure in their data protection impact assessments (DPIAs) — a requirement that cases like NetNut make painfully concrete.

The broader issue of digital sovereignty also comes into focus here. Much of the enforcement infrastructure used to dismantle NetNut — Google's cloud platform, Lumen's backbone network — is American. European citizens whose devices were compromised are dependent on US-based companies and law enforcement cooperation for their protection. This reality reinforces growing calls from European tech policy circles for greater investment in European-controlled cybersecurity infrastructure and threat intelligence capacity, a theme central to the EU's ongoing Cybersecurity Strategy and the work of ENISA, the EU Agency for Cybersecurity.

[Image: network infrastructure servers in a secure data center environment. Caption: European digital sovereignty debates are sharpened by cases where US infrastructure is central to defending EU citizens' data.]

Which Devices Are Most Vulnerable to Residential Proxy Botnet Recruitment?

For IT professionals and small business owners, understanding which devices are most commonly targeted by residential proxy botnets is essential for practical risk management. The attack surface is broader than most people assume, extending well beyond traditional PCs and laptops to encompass the vast, largely unmanaged ecosystem of connected home devices.

Home Routers: 85% of cases
Smart TVs / STBs: 55%
NAS Devices
Originally reported by RSS App New Cybersecurity Feed. Summarised and curated by European Purpose.