Google has significantly degraded NetNut, one of the largest residential proxy networks, which turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and others, the company reduced the network's pool of usable devices by millions.
Google identifies NetNut, also tracked as Popa, as a network spread across home devices worldwide. The network holds at least 2 million devices, including smart TVs and streaming boxes. If one of those devices is in your home, strangers can route their own traffic through your internet connection. Your address gets the blame for whatever they do with it.
How Residential Proxy Networks Work
A residential proxy network sells access to real home internet addresses. Attackers pay to route their traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools tend to block.
To build that pool, operators need their code running on home devices. Some devices ship with it pre-installed on cheap off-brand hardware. Others pick it up when someone installs a free app that hides it. Once running, the device becomes an "exit node," a doorway that other people's traffic flows through.
An exit node brings outside traffic inside the home network, giving attackers a foothold to reach other devices on it. Some of these home gadgets have also been pulled into large attack botnets such as Mirai and Badbox 2.0.
The Scale of Abuse
In a single week in June, Google counted 316 distinct threat clusters using suspected NetNut exit nodes. These included cybercriminal and espionage groups hiding their real location and running password-guessing attacks.
The demand for residential proxies is driven by their ability to bypass security controls. Datacenter IP addresses are easily blocked. Home IP addresses are not. Attackers know this, and they pay for access.
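For defenders, the practical consequence is that per-address blocking misses password guessing spread thinly across home connections. The sketch below is an added example, not code from Google or the researchers: it flags accounts that fail from many distinct addresses in a short window. The log format, thresholds and addresses (documentation ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, result, account, source IP.
# Addresses are from documentation ranges (RFC 5737), not real exit nodes.
SAMPLE_LOG = """\
2025-01-01T10:00:05 FAIL alice 198.51.100.10
2025-01-01T10:00:40 FAIL bob 203.0.113.7
2025-01-01T10:01:10 FAIL alice 198.51.100.77
2025-01-01T10:01:15 FAIL bob 203.0.113.7
2025-01-01T10:01:30 OK bob 203.0.113.7
2025-01-01T10:02:20 FAIL alice 192.0.2.33
2025-01-01T10:03:05 FAIL alice 203.0.113.150
2025-01-01T10:04:45 FAIL alice 192.0.2.201
"""

WINDOW = timedelta(minutes=10)
PER_IP_LIMIT = 5        # assumed per-address lockout threshold
DISTINCT_IP_LIMIT = 4   # assumed limit on distinct failing addresses per account

def failures(log):
    """Yield (time, account, ip) for each failed login line."""
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), user, ip

def per_ip_offenders(log):
    """Addresses that a simple per-IP failure counter would block."""
    counts = Counter(ip for _, _, ip in failures(log))
    return {ip for ip, n in counts.items() if n >= PER_IP_LIMIT}

def distributed_guessing(log):
    """Accounts failing from many distinct IPs inside one sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in failures(log):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= DISTINCT_IP_LIMIT:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged
```

On the constructed log, no single address reaches the per-IP limit, while the per-account view flags the one account hit from five different addresses.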
The Company Behind NetNut
Unlike most proxy botnets, NetNut traces back to a public company. Researchers recently tied Popa to NetNut, a proxy provider owned by publicly traded Israeli company Alarum Technologies. In a controlled test, traffic sent into NetNut's commercial gateway came out through a device enrolled in Popa.
Alarum rejects the "botnet" label. The company calls the research "demonstrably inaccurate assertions and flawed deductions rather than verified facts" and says its software is for consented bandwidth-sharing that does not compromise the devices it runs on.
The researchers' testing complicates that defense: none of the more than 20 apps examined actually showed users a consent prompt.
Why One Takedown Isn't Enough
Cutting off NetNut is messy by design. The network runs a reseller program that lets other companies sell its network under their own brand names. Many popular, seemingly separate proxy brands are really reselling the same NetNut pool. A single takedown ripples across a lot of brands that look independent but are not.
That is why Google calls this degradation, not a kill. The company's earlier action against IPIDEA, a similar network, showed these networks can look resilient. Operators start buying capacity from rivals, in effect becoming resellers themselves. Real, lasting damage means going after several connected providers at once.
A Pattern of Disruption
This is not Google's first action against residential proxy networks. In January, Google and partners disrupted IPIDEA, a China-based network that at its peak was one of the largest of its kind. In July 2025, Google took to court the operators of Badbox 2.0, the botnet of hijacked Android TV devices whose components overlap with Popa. Each time, the networks proved stubborn.
What Consumers Should Do
The single clearest warning sign is an app that offers to pay you for your "unused bandwidth" or for "sharing your internet." That is one of the main ways these networks grow.
Beyond that:
1. Stick to official app stores, and check what permissions a VPN or proxy app is asking for.
2. Keep your system’s existing protection mechanisms turned on, such as Google Play Protect.
3. Buy streaming boxes and smart TV hardware from known manufacturers, not no-name brands.
The Bottom Line
The NetNut residential proxy botnet disruption shows how attackers have industrialized home internet abuse. Two million devices. Thousands of threat groups. A publicly traded company at the center.
The demand for these home addresses does not disappear when a network goes down. It just moves. For defenders and platforms, the next signal to watch is whether NetNut-linked traffic resurfaces under reseller brands.
FAQ Section
What is NetNut?
NetNut is a residential proxy network that turns home devices into traffic relays. It is owned by Alarum Technologies and has an estimated 2 million devices in its network.
How does NetNut work?
Devices running NetNut software become exit nodes. Strangers route their traffic through these home internet connections, making it appear as ordinary home browsing.
Why is this a problem?
Exit nodes bring outside traffic inside home networks, giving attackers a foothold to reach other devices. Threat groups use these networks to hide their real location and run attacks.
Is NetNut a botnet?
Google and researchers treat NetNut and Popa as the same network. Alarum rejects the "botnet" label, saying its software is for consented bandwidth-sharing.
What did Google do?
Google worked with the FBI and others to degrade the network, reducing its pool of usable devices by millions. The company calls it a degradation, not a kill.
What should consumers do?
Avoid apps that offer to pay for unused bandwidth. Stick to official app stores. Keep Google Play Protect enabled. Buy hardware from known manufacturers.