Google, in collaboration with the FBI, Lumen Technologies, and other industry partners, has successfully dismantled the NetNut residential proxy network, also known as “Popa,” which had compromised at least 2 million home devices globally.
The operation involved disabling the Google accounts and services that NetNut used for malware command-and-control, a use that violated Google’s Terms of Service and Acceptable Use Policy. Additionally, Google shared technical intelligence regarding NetNut’s software development kits (SDKs) and backend command-and-control infrastructure with law enforcement agencies, platform providers, and research organizations to facilitate broader enforcement efforts. To further protect users, Google Play Protect was updated to automatically warn users and disable applications containing NetNut SDKs, preventing future installations on Android devices.
This initiative follows Google’s January 2026 disruption of the IPIDEA proxy network, indicating a sustained campaign against malicious residential proxy operators. Notably, NetNut operates a robust reseller program that allows for the white-labeling of its infrastructure, meaning many popular proxy brands may actually be repackaging the NetNut botnet under different names.
Investigative Findings
Independent investigations have linked the Popa botnet directly to NetNut, a subsidiary of the publicly traded Israeli firm Alarum Technologies Ltd. Popa functions as a plugin component of the larger Vo1d botnet, which targets unofficial Android-based TV boxes bundled with pirated streaming apps such as CRICFy, DooFlix, and Flixoid. Security firm Qurium traced Popa’s control infrastructure to domains including ninjatech[.]io, associated with Moishi Kramer, a former NetNut Vice President of Research and Development, who denied current operational control over the infrastructure.
Proxy-tracking firm Synthient analyzed Popa’s SDK and found outbound traffic conclusively tied to NetNut clients, stating with “high confidence” that Popa devices actively forward NetNut proxy traffic.
Industry Response
Alarum Technologies has disputed the characterization of NetNut as a botnet, asserting that its SDKs facilitate consensual bandwidth-sharing and that the company enforces Know Your Customer (KYC) and misuse-monitoring policies. However, proxy-tracking service Spur countered that NetNut lacks meaningful corporate verification, allowing individuals to purchase proxy access with minimal validation.
Lumen’s Black Lotus Labs estimates that the Popa botnet cycles through 1.5 to 2.5 million distinct IP addresses daily, directed by approximately 250-300 controller domains, making it one of the most widely resold proxy networks in the criminal ecosystem. Nokia Deepfield researchers suggest the true device population could be significantly higher, based on relay-node traffic sampling. In a single week during June 2026, Google’s Threat Intelligence Group observed 316 distinct threat clusters, including cybercriminal and espionage groups, leveraging suspected NetNut exit nodes for password spraying and infrastructure obfuscation.
Home devices become unwitting proxy nodes either through pre-installed malware or hidden SDKs bundled in free apps, exposing other devices on the same network to external threats and potential infections.
This takedown underscores the critical need for vigilance among consumers regarding the devices and applications they use. It also highlights the importance of industry collaboration in combating large-scale cyber threats. As residential proxy networks continue to evolve, ongoing efforts to detect and dismantle such infrastructures are essential to maintaining cybersecurity.