TL;DR
- what: Google's GTIG, with the FBI, Lumen, and partners, degraded NetNut (tracked as Popa), a residential proxy network of at least 2 million home devices including smart TVs and streaming boxes.
- impact: In one June week, 316 distinct threat clusters, including cybercrime and espionage groups, routed traffic through NetNut exit nodes to mask their location and run password-guessing attacks, with home users' IP addresses taking the blame.
- fix: There is no patch; consumers should avoid apps that pay for 'unused bandwidth,' stick to official app stores, keep Google Play Protect on, and buy streaming hardware from known brands.
- who: Home users running the software (often via cheap off-brand devices or bundled free apps) and any organization whose defenses trust residential IP traffic.
Google has significantly degraded NetNut, one of the largest networks that quietly turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and other partners, Google's Threat Intelligence Group (GTIG) said this week it cut the network's pool of usable devices by millions. GTIG estimates NetNut, which it also tracks as Popa, spans at least 2 million home devices worldwide, including smart TVs and streaming boxes.
The impact is direct. If one of these devices sits in your home, strangers can route their own traffic through your internet connection, and your IP address gets the blame for whatever they do with it. In a single week in June, GTIG counted 316 distinct threat clusters, including cybercriminal and espionage groups, using suspected NetNut exit nodes to hide their real location and run password-guessing attacks.
How a Residential Proxy Network Works
A residential proxy network sells access to real home internet addresses. Attackers pay to route traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools routinely block. To build that pool, operators need their code running on home devices. Some devices ship with it pre-installed on cheap off-brand hardware; others pick it up when someone installs a free app that hides it.
Once running, the device becomes an 'exit node,' a doorway that other people's traffic flows through. Google notes an exit node also brings outside traffic inside the home network, giving attackers a foothold to reach other devices on it. Some of these gadgets have been pulled into large attack botnets such as Mirai and Badbox 2.0, whose components overlap with Popa.
⚠️ Why this matters for defenders — Residential proxy traffic is designed to defeat IP reputation and geo-based controls. If your detection logic trusts traffic simply because it originates from a consumer ISP, password-spraying and account-takeover attempts routed through NetNut will look like legitimate home users. Reputation on residential ranges is not a reliable signal.
The Company Behind It
Unlike most proxy botnets, NetNut traces back to a public company. In June, researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut, a proxy provider owned by publicly traded Israeli firm Alarum Technologies (NASDAQ: ALAR). In a controlled test, Synthient said traffic it sent into NetNut's commercial gateway came out through a device it had enrolled in Popa, evidence of the traffic path rather than proof of what NetNut knew or intended. Google's own intelligence aligns: it treats NetNut and Popa as the same network.
Alarum rejects the 'botnet' label, calling the research 'demonstrably inaccurate assertions and flawed deductions rather than verified facts,' and says its software is for consented bandwidth-sharing that does not compromise the devices it runs on. The testing complicates that defense: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt.
Why One Takedown Isn't Enough
Cutting off NetNut is messy by design. NetNut runs a reseller program that lets other companies sell its network under their own brand names. Google says it has high confidence that many popular, seemingly independent proxy brands are really reselling the same NetNut pool, so a single takedown ripples across brands that look separate but are not.
That is why Google calls this degradation, not a kill. Its earlier action against the similar IPIDEA network showed how resilient these operations are: operators start buying capacity from rivals, in effect becoming resellers themselves. Real, lasting damage, Google says, means going after several connected providers at once.
- January 2026: Google and partners disrupted IPIDEA, a China-based network that at its peak was one of the largest of its kind.
- July 2025: Google took the operators of Badbox 2.0 to court, the botnet of hijacked Android TV devices whose components overlap with Popa.
- Each time, the networks proved stubborn and demand for home addresses simply migrated.
What to Do
There is no CVE and no patch here; this is a hardware-and-behavior problem. The single clearest warning sign is an app that offers to pay you for your 'unused bandwidth' or for 'sharing your internet.' That is one of the main ways these networks grow.
Practical guidance — Stick to official app stores and check what permissions a VPN or proxy app requests. Keep built-in protections like Google Play Protect switched on. Buy streaming boxes and smart TVs from known manufacturers, not no-name brands. For platforms and defenders, the next signal to watch is whether NetNut-linked traffic resurfaces under reseller brands.
The demand for residential IP addresses does not disappear when a network goes down; it moves. Treat this disruption as a temporary dent in supply, not the end of the threat, and tune detections that currently give residential ranges the benefit of the doubt.
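Tuning detections so residential ranges get no benefit of the doubt, as the defender note above and this closing paragraph recommend: an added example (not the article's, GTIG's, or any vendor's code) that flags a password spray spread thinly across many home IPs, the pattern a per-IP lockout rule misses. The log lines and the RESIDENTIAL_PREFIXES lookup are constructed stand-ins for real auth logs and ASN enrichment.

```python
"""Password-spray detection that does not trust residential source IPs.
Added example, not code from the article, GTIG, or any proxy vendor; log lines
are constructed and RESIDENTIAL_PREFIXES stands in for an assumed ASN lookup."""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

# Constructed sample: seven failures spread over six home IPs in twenty seconds.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z FAIL user=alice src=203.0.113.10
2026-06-10T09:00:03Z FAIL user=bob src=203.0.113.11
2026-06-10T09:00:05Z FAIL user=carol src=198.51.100.7
2026-06-10T09:00:08Z FAIL user=dave src=198.51.100.9
2026-06-10T09:00:11Z FAIL user=erin src=192.0.2.33
2026-06-10T09:00:14Z FAIL user=frank src=192.0.2.34
2026-06-10T09:00:17Z OK   user=grace src=192.0.2.35
2026-06-10T09:00:20Z FAIL user=alice src=203.0.113.10
"""

# Assumed enrichment: prefixes this pipeline labels as consumer ISP space.
RESIDENTIAL_PREFIXES = ("203.0.113.", "198.51.100.", "192.0.2.")

def parse(log_text):
    events = []  # (timestamp, result, user, src) for each well-formed line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def per_ip_lockout_alerts(events, threshold=5):
    """Classic per-IP rule: silent when each proxy exit fails only once or twice."""
    fails = Counter(src for _, res, _, src in events if res == "FAIL")
    return [ip for ip, n in fails.items() if n >= threshold]

def detect_spray(events, window_s=60, min_users=5, max_fails_per_ip=2):
    """Spray signature: many usernames, many source IPs, few failures per IP."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    for i, (start, _, _, _) in enumerate(fails):
        window = [e for e in fails[i:] if (e[0] - start).total_seconds() <= window_s]
        users = {e[2] for e in window}
        ips = Counter(e[3] for e in window)
        if len(users) >= min_users and max(ips.values()) <= max_fails_per_ip:
            residential = sum(ip.startswith(RESIDENTIAL_PREFIXES) for ip in ips)
            return {"start": start.isoformat(), "users": len(users),
                    "source_ips": len(ips), "residential_ips": residential}
    return None
```

Run against SAMPLE_LOG, per_ip_lockout_alerts returns nothing while detect_spray reports six usernames hit from six residential IPs inside one minute.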
Originally published on RedEye Threat Intelligence.