HackMyIP
2026-07-03 BleepingComputer

NetNut Botnet Dismantled: 2 Million Infected Devices Cut Off

Tags: Malware, Incident Response, Threat Intel

A coordinated law enforcement and industry operation has dismantled NetNut, one of the world's largest residential proxy networks, cutting off access to an estimated two million compromised Android devices including smart TVs and streaming boxes. Also tracked as Popa, the botnet routed malicious traffic through legitimate home IP addresses, allowing cybercriminals and espionage groups to anonymize attacks such as password-spraying campaigns and unauthorized access to victim infrastructure. Google Threat Intelligence Group (GTIG) reported observing 316 distinct threat clusters leveraging suspected NetNut exit nodes in a single week last month, underscoring the network's scale and reach across global threat actors.

The takedown combined the efforts of the FBI, Google, Lumen Technologies, The Shadowserver Foundation, and other industry partners. The FBI seized the netnut.com domain along with additional infrastructure used by the operators, while Google disabled accounts and services on its cloud that supported the botnet's command-and-control (C2) backend. Investigators traced the network's scale to trojanized applications and affiliated botnets such as Badbox 2.0, which bundle proxy plugins into infected consumer devices, effectively turning home routers, smart TVs, and set-top boxes into exit nodes that route unauthorized traffic. Security researchers noted that residential proxy abuse like NetNut often makes infected endpoints appear suspicious to ISPs and online platforms, since traffic patterns from those IPs deviate sharply from normal consumer behavior. Users concerned about exposure can run a DNS leak test to verify whether their traffic is being routed through unexpected intermediaries.

For end users, Google activated Play Protect on Android to automatically warn affected customers and disable malicious applications installed on their devices. The company also published technical indicators tied to NetNut's SDKs and C2 infrastructure to help defenders detect residual infections. Mandiant confirmed that the netnut.com domain was among those seized alongside other NetNut-linked infrastructure.

Organizations that suspect past credential exposure from password-spraying operations routed through the botnet should validate accounts against known leaks using an email breach checker and rotate any reused passwords immediately. Threat hunters and network defenders can also probe suspicious egress IPs through a WHOIS lookup and validate residential traffic anomalies with a VPN/proxy detector to identify whether observed connections originate from legitimate consumer networks or known proxy infrastructure.
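The password-spraying pattern described above is hard to catch with per-IP lockout rules precisely because a residential proxy pool spreads the attempts across many home addresses. The following is an added example, not code from the article or from any of the organizations named in it. It assumes a constructed, space-separated authentication log (timestamp, username, source IP, result) and a placeholder list of suspected proxy ranges filled with RFC 5737 documentation prefixes; a defender would replace that list with published indicators. It flags windows where many accounts each see only one or two failures from many distinct sources, and then lists accounts that subsequently logged in successfully from a suspected proxy range, which is the set whose credentials the paragraph above says should be rotated.

```python
"""Detect a distributed password spray in authentication logs (added example).

Assumed log format, constructed for this example:
    <ISO timestamp> <username> <source_ip> <SUCCESS|FAIL>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: six users, at most two failures each, from eight
# distinct source addresses inside a ten-minute window. No single IP would
# trip a per-source lockout, which is the point of bouncing the spray
# through a residential proxy pool.
SAMPLE_LOG = """\
2026-06-20T08:00:01 alice 203.0.113.10 FAIL
2026-06-20T08:00:07 bob 198.51.100.23 FAIL
2026-06-20T08:00:14 carol 203.0.113.77 FAIL
2026-06-20T08:00:20 dave 192.0.2.45 FAIL
2026-06-20T08:00:29 erin 198.51.100.9 FAIL
2026-06-20T08:00:35 frank 203.0.113.130 FAIL
2026-06-20T08:03:02 alice 192.0.2.200 FAIL
2026-06-20T08:03:11 bob 203.0.113.5 FAIL
2026-06-20T08:04:40 carol 198.51.100.77 SUCCESS
2026-06-20T09:30:00 alice 10.0.0.8 SUCCESS
"""

# Placeholder indicator set (documentation prefixes, not real proxy ranges);
# populate from published indicators in a real deployment.
SUSPECTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "ok": result == "SUCCESS",
        })
    return events


def in_suspected_range(ip):
    return any(ip in net for net in SUSPECTED_PROXY_RANGES)


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return ts - ((ts - epoch) % window)


def detect_spray(events, window=timedelta(minutes=10),
                 min_users=5, min_ips=5, max_per_user=2):
    """Flag windows with many users, few failures each, from many sources.

    A window with many failures against one account is a brute force, not a
    spray, and is deliberately not flagged here (max_per_user bounds it).
    """
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[bucket_start(e["ts"], window)].append(e)
    findings = []
    for start in sorted(buckets):
        bucket = buckets[start]
        per_user = Counter(e["user"] for e in bucket)
        ips = {e["ip"] for e in bucket}
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= max_per_user):
            findings.append({
                "window_start": start.isoformat(),
                "failures": len(bucket),
                "distinct_users": len(per_user),
                "distinct_ips": len(ips),
                "suspected_proxy_ips": sum(1 for ip in ips if in_suspected_range(ip)),
            })
    return findings


def users_to_rotate(events, findings):
    """Accounts that logged in successfully from a suspected proxy range
    at or after the start of a flagged spray window."""
    starts = [datetime.fromisoformat(f["window_start"]) for f in findings]
    return {
        e["user"] for e in events
        if e["ok"] and in_suspected_range(e["ip"])
        and any(e["ts"] >= s for s in starts)
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_spray(evts)
    for f in hits:
        print("spray window:", f)
    print("rotate credentials for:", sorted(users_to_rotate(evts, hits)))
```

The thresholds are deliberately parameters: on a large tenant the user and IP minimums should be raised, and the window shortened, so that ordinary Monday-morning typo storms do not fire the rule. The proxy-range cross-check is what separates "someone mistyped a password" from "an account was reached through the same anonymizing pool the spray came from".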

Source: BleepingComputer
