HackMyIP
2026-07-02 The Hacker News

Google Disrupts NetNut Proxy Network Spanning 2 Million Hacked Home Devices

Malware, Threat Intel, Privacy

Google has significantly disrupted NetNut, one of the largest residential proxy networks in operation, in a coordinated takedown with the FBI, Lumen's Black Lotus Labs, and academic researchers. Google's Threat Intelligence Group (GTIG) announced this week that the action reduced the network's pool of usable compromised devices by millions, cutting into a botnet that GTIG estimates controls at least 2 million home devices worldwide. NetNut—also tracked by researchers as "Popa"—has been linked to smart TVs, streaming boxes, and other internet-of-things hardware infected through pre-installed firmware on cheap off-brand products or hidden inside free applications downloaded by unsuspecting users.

The network operates as a commercial residential proxy service: subscribers pay to route their traffic through real home internet connections, making abusive activity look like ordinary consumer browsing rather than traffic from a datacenter that security tools would block. GTIG observed 316 distinct threat clusters leveraging suspected NetNut exit nodes during a single week in June 2026, including both financially motivated cybercriminal groups and espionage-aligned actors conducting password-spraying and credential-stuffing operations. Users whose devices have been recruited can run a VPN/proxy detector to see whether their connection is being flagged as a relay, while a broader privacy checkup can surface other signs of compromise on a home network.

Unlike most proxy botnets, NetNut traces back to a publicly traded company. Researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa traffic flows to NetNut's commercial gateway earlier this year, and NetNut is owned by Israeli firm Alarum Technologies (NASDAQ: ALAR). Alarum rejects the "botnet" label, calling the research "demonstrably inaccurate assertions" and asserting that its software is installed only with user consent for bandwidth sharing. That defense is complicated by Synthient's testing, which found that more than 20 of the apps linked to the network showed users no consent prompt at all. Google says its own intelligence aligns with the independent researchers, treating NetNut and Popa as the same operation.

The takedown is unlikely to be final. NetNut operates a reseller program that distributes access across multiple brands, fragmenting the network across many operators, and infected devices can be re-recruited or re-infected after cleanup. Some of the same hardware classes have previously been swept up in larger IoT botnets such as Mirai and Badbox 2.0, suggesting the underlying infection vectors remain active. For consumers worried about exposure, verifying outbound connections with a browser fingerprint test can help confirm whether a device is presenting the digital identity its owner expects, rather than one borrowed by an attacker routing traffic through the home.

Source: The Hacker News
