The Circuitry
© 2026 The Circuitry
Fact-check summary

Multiple outlets (Reuters, Krebs on Security, The Register, The Hacker News) confirm Google and FBI disrupted the NetNut/Popa proxy botnet spanning at least 2 million devices.

By Xavier Rivera

Google, FBI disrupt NetNut proxy botnet of 2M devices

Google and partners including the FBI have disrupted the NetNut residential proxy botnet, cutting off an estimated 2 million compromised Android devices used by hundreds of threat actors. The operation degrades a major tool for concealing cyberattacks and is expected to ripple through the interconnected proxy services industry.

Source: BleepingComputer
TL;DR

Google and the FBI disrupt NetNut, a residential proxy botnet that turned 2 million compromised Android devices into exit nodes for cybercriminals and espionage groups. Coordinated action seizes domains and blocks command infrastructure, reducing threat actors' ability to hide attacks behind victims' legitimate IP addresses.

A joint operation involving Google has disrupted NetNut, a residential proxy network also known as Popa that gave cybercriminals and espionage groups access to at least 2 million compromised Android devices worldwide, including smart TVs and streaming boxes.

NetNut powered attacks through infected consumer hardware. The botnet turned compromised home devices into always-on residential proxy nodes, allowing threat actors to conceal malicious traffic by routing it through victims' legitimate residential IP addresses. According to the Google Threat Intelligence Group, NetNut comprised at least 2 million infected devices powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins. Krebs on Security reports the network was operated by publicly traded Alarum Technologies, listed on NASDAQ as ALAR.

Infected devices typically became part of the botnet after malware was pre-installed before purchase or added via malicious or trojanized applications downloaded by users. As exit nodes, they routed unauthorized network traffic, often resulting in the devices being flagged as suspicious or blocked by internet service providers and online services. The Register notes the botnet mainly consisted of small TV-streaming hardware.

Coordinated takedown targeted infrastructure and domains. The effort included Google, the FBI, Lumen Technologies, The Shadowserver Foundation and other industry partners. The FBI seized the netnut.com domain along with hundreds of other domains tied to the network. Google disabled accounts and services on its infrastructure that NetNut operators used for malware command-and-control, blocking access to critical backend infrastructure.

Google also protected users by automatically warning them and disabling infected applications through Google Play Protect. The company shared technical details on NetNut's software development kits and backend command-and-control infrastructure with platform providers, law enforcement agencies and cybersecurity researchers.

NetNut served hundreds of threat actors last month alone. Google Threat Intelligence Group observed 316 distinct threat clusters using suspected NetNut exit nodes in one week last month, including cybercriminal and espionage groups. Threat actors used the network to access their own infrastructure, conduct password-spraying attacks and reach victim environments. The malicious proxy service is considered one of the largest in the world.

Disruption follows earlier action against similar networks. Google expects the move to have a broader impact in the proxy industry because NetNut operated a robust reseller program that allowed whitelabeling of its network, with many popular residential proxy services fueled by it. Mark Karayan, Communications Manager at Mandiant, told BleepingComputer that the proxy industry is deeply interconnected, with operators constantly buying and reselling each other's botnet capacity. The action against NetNut follows the disruption of IPIDEA earlier this year and is part of Google's commitment to dismantle residential proxy botnets.