Google Takes Action Against Malicious Residential Proxy Networks
Today, in coordination with the FBI, Lumen, and others, Google took decisive action against the NetNut residential proxy network, also known as Popa. This initiative builds on our previous disruption of the IPIDEA proxy network that occurred in January 2026 and continues Google’s mission to dismantle malicious residential proxy networks.
As part of this disruption, Google disabled accounts and services associated with NetNut that were used for malware command and control (C2), which directly violates Google’s Terms of Service and Acceptable Use Policy. Additionally, Google shared technical intelligence regarding NetNut’s software development kits (SDKs) and backend C2 infrastructure with platform providers, law enforcement, and research firms to enhance ecosystem-wide awareness and enforcement.
Google has high confidence that many popular residential proxy brands are actually white-labeling the NetNut botnet, which is estimated to consist of at least 2 million devices worldwide. Public reporting, confirmed by Google, shows that NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes.
Risks of Residential Proxy Networks ⚠️
Residential proxy networks allow attackers to route traffic through IP addresses owned by internet service providers (ISPs), masking malicious activities. Home devices can become part of these proxy networks either through pre-installed malware or by users unknowingly downloading applications containing hidden proxy code. This poses serious risks for unsuspecting device owners, as their home IP addresses can be exploited by attackers for hacking and other unauthorized activities.
In June 2026 alone, the Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups. These bad actors can leverage NetNut to obscure their origin IP addresses while accessing victim environments and conducting password spray attacks.
Consumer Awareness 🛡️
Consumers should be extremely cautious of applications that offer payment in exchange for “unused bandwidth” or “sharing your internet.” These applications are a primary way for malicious proxy networks to expand, and they can open security vulnerabilities on the device’s home network. Users are encouraged to stick to official app stores, review permissions for third-party VPNs and proxies, and ensure built-in security protections like Google Play Protect are active.
This coordinated disruption is just the beginning of the fight against malicious residential proxy networks, as the industry is interconnected and operators rely on overlapping botnets that are continuously resold. Ongoing and coordinated efforts are essential to mitigate malicious proxy networks in the long term.