Google Dismantles NetNut Residential Proxy Network Spanning Over Two Million Devices

In a joint operation with the FBI and Lumen, Google has disrupted a massive proxy network that routed cybercriminal traffic through ordinary home devices — including smart TVs and streaming gadgets.

Google, FBI, and Lumen Strike at the Heart of a Global Residential Proxy Network

In one of the most significant actions against a residential proxy network in recent memory, Google has joined forces with the FBI and cybersecurity firm Lumen to dismantle NetNut — also known as Popa — a sprawling proxy infrastructure that leveraged the internet connections of more than two million ordinary home users worldwide. The operation involved disabling the Google accounts and services that NetNut relied on to control its fleet of compromised devices, and remotely deactivating apps on user devices where NetNut's software was found to be running.

The scale of the disruption is notable. Google confirmed that as a result of the coordinated action, the number of devices available to NetNut has been reduced by millions — a significant blow to the network's operational capacity. For IT professionals, privacy advocates, and digital sovereignty experts, the takedown reveals just how deeply embedded these invisible infrastructures have become in everyday consumer technology.

What Is a Residential Proxy Network — and Why Should Privacy Professionals Care?

A residential proxy network routes internet traffic from paying clients — who can include cybercriminals, credential stuffers, or ad fraudsters — through the real IP addresses of unsuspecting home users. This is fundamentally different from commercial datacenter proxies, because residential IPs appear entirely legitimate. A login attempt coming from a home IP address in the same city as the targeted organisation raises far fewer red flags than one originating from a server farm in an unknown country.

For cybercriminals, this translates into a powerful toolkit: they can bypass geo-restrictions, evade fraud detection systems, and impersonate local users with ease. For GDPR compliance officers and data protection professionals, the implications are deeply concerning. When an attacker uses a residential proxy, attribution becomes nearly impossible — the visible IP address belongs to an innocent citizen, not the perpetrator. This directly undermines digital forensics and incident response procedures that organisations rely on.

According to reporting by KrebsOnSecurity, residential proxy services have become a booming underground economy, with dozens of services offering access to millions of IP addresses for as little as a few dollars per gigabyte of traffic. The business model is deliberately opaque, often hiding behind legitimate-sounding "network testing" or "web analytics" use cases.

2M+: Devices in NetNut network
3: Organisations in joint operation
↓M: Devices removed from network
SDKs: Primary infection vector used

How NetNut Silently Recruited Smart TVs and Streaming Devices Into Its Botnet

NetNut's infection strategy was multi-pronged, and understanding it matters for anyone involved in app development, IoT procurement, or enterprise device management. The network offered software development kits (SDKs) to app developers, incentivising them financially to embed NetNut's code into their applications. When end users installed those apps, their devices were quietly enrolled into the proxy network — without informed consent and, in many cases, without any visible indication of what was happening in the background.

This SDK-based recruitment strategy is not unique to NetNut. As Wired has previously documented, a number of "free" VPN providers and utility apps have used nearly identical tactics, embedding proxy functionality into apps that users trust. Other recruitment vectors for residential proxy networks include: VPN providers with buried contractual clauses allowing traffic routing; compromised IoT devices exploited through known firmware vulnerabilities; malware infection campaigns targeting home routers and media devices; and voluntary paid participation, where users knowingly sell their bandwidth.

In NetNut's case, the SDK was specifically tailored for smart TVs and streaming devices — a category of consumer hardware that is frequently overlooked in enterprise and home security assessments. These devices tend to run stripped-down operating systems with limited logging capabilities, making it difficult for users to detect unusual network behaviour. To make matters worse, some devices in the NetNut network were subsequently infected with variants of Mirai malware, the notorious IoT botnet code first publicly identified around 2016, which was repurposed to launch distributed denial-of-service (DDoS) attacks.
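
Because these devices log so little themselves, the network side is one place a defender can look. The sketch below is an added example, not code from Google, Lumen or the original report: it flags devices whose flows look like relaying, meaning many distinct destinations combined with an upload share far above what a download-heavy media device shows. Device names, flow records and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), shaped like router or NetFlow
# output: (device, dst_ip, dst_port, bytes_out, bytes_in). IPs are RFC 5737 ranges.
FLOWS = [
    ("living-room-tv", "192.0.2.10", 443, 40_000, 9_000_000),
    ("living-room-tv", "192.0.2.11", 443, 35_000, 7_500_000),
    ("living-room-tv", "192.0.2.10", 443, 20_000, 4_000_000),
] + [
    # A streaming stick relaying third-party traffic: many unrelated
    # destinations, and almost as much data sent as received.
    ("bedroom-stick", f"198.51.100.{i}", 443, 300_000, 320_000)
    for i in range(1, 41)
]

# Assumed thresholds for illustration; tune against a baseline of your own devices.
MAX_DISTINCT_DESTINATIONS = 25
MAX_UPLOAD_SHARE = 0.30


def summarise(flows):
    """Aggregate per-device destination fan-out and upload share of bytes."""
    dests = defaultdict(set)
    sent = defaultdict(int)
    received = defaultdict(int)
    for device, dst_ip, dst_port, bytes_out, bytes_in in flows:
        dests[device].add((dst_ip, dst_port))
        sent[device] += bytes_out
        received[device] += bytes_in
    summary = {}
    for device in dests:
        total = sent[device] + received[device]
        share = sent[device] / total if total else 0.0
        summary[device] = {"destinations": len(dests[device]), "upload_share": share}
    return summary


def proxy_like_devices(flows):
    """Return devices whose fan-out AND upload share both exceed the thresholds."""
    return sorted(
        device
        for device, stats in summarise(flows).items()
        if stats["destinations"] > MAX_DISTINCT_DESTINATIONS
        and stats["upload_share"] > MAX_UPLOAD_SHARE
    )
```

Requiring both signals keeps an ordinary streaming device, which may contact many CDN hosts but uploads very little, out of the result.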

Infection Vector | Method | User Awareness | Device Type
SDK Embedding | Developer paid to include SDK in app | None | Smart TVs, streaming devices
VPN Hidden Terms | Buried contractual bandwidth sharing | Minimal | Smartphones, laptops
IoT Exploitation | Known firmware vulnerabilities | None | Routers, cameras, smart devices
Malware | Drive-by infection, phishing | None | Any connected device
Paid Participation | User installs proxy software voluntarily | Full | Any connected device

Why the NetNut Case Has Serious Digital Sovereignty Implications

For European privacy professionals and policymakers, the NetNut case is more than a law enforcement success story — it is a warning. The network's ability to silently enrol millions of consumer devices into a commercial infrastructure operating entirely outside user consent is a direct challenge to GDPR principles. Article 6 of the GDPR requires a lawful basis for processing personal data, and routing third-party internet traffic through a user's device and IP address almost certainly involves the processing of that user's network metadata without consent.

The Netherlands-based National Cyber Security Centre (NCSC) had already flagged this in a warning issued last May, describing the rise of residential proxy networks as a "worrying trend." The NCSC noted that "the misuse of residential proxies makes it harder to map digital threats and digital attacks. As the scale of digital attacks increases, the resilience of organisations can come under pressure." This is precisely the kind of systemic risk that European digital infrastructure policy must account for.

The case also underlines the inadequacy of relying on platform-level trust alone. Google's ecosystem — including its Play Store and Android TV distribution channels — was instrumentalised to distribute and maintain NetNut's infrastructure. While Google has now taken corrective action, the fact that the network reached two million devices through legitimate app distribution pipelines should prompt serious reflection among enterprise IT decision-makers about the security of their device procurement and app vetting processes.

EFF Calls Out Amazon as Contaminated Android Devices Flood E-Commerce Platforms

The NetNut disruption did not occur in isolation. Just days before Google's announcement, the Electronic Frontier Foundation (EFF) — the American civil liberties organisation — issued a public call urging Amazon and other major online retailers to stop selling Android devices pre-loaded with malware. The EFF's concern mirrors the NetNut situation precisely: consumer electronics reaching buyers through legitimate retail channels, already configured to participate in proxy networks or other malicious activities, entirely without the buyer's knowledge.

This is a supply chain security issue as much as it is a cybersecurity one. Research published by Trend Micro has previously documented cases where Android TV boxes sold on major e-commerce platforms arrived with pre-installed backdoors, turning them into proxy nodes from the moment they were unboxed. The price point of these devices — often dramatically cheaper than branded alternatives — is a key part of the model: manufacturers in unregulated markets subsidise hardware costs by selling access to the device's network connectivity.

Google's advice in the wake of the NetNut operation is straightforward: when purchasing hardware, consumers and organisations should stick to products from recognised manufacturers. But for small businesses and entrepreneurs who may be managing mixed device estates on tight budgets, this guidance creates a real tension. The EFF's broader privacy advocacy points toward the need for regulatory intervention — not just consumer advice — to address the systemic nature of the problem.

Primary device categories targeted by residential proxy networks (chart): Smart TVs 85%, Streaming Devices 72%.

Originally reported by RSS App Cybersecurity Feed. Summarised and curated by European Purpose.