Google Disrupts NetNut Residential Proxy Network Covering 2 Million Home Devices

Google has significantly degraded NetNut, one of the largest networks that turn home devices into leased relays for other people’s traffic.
Working with the FBI, Lumen, and others, the Google Threat Intelligence Group (GTIG) said this week it has reduced the number of network exploits by millions.
Google describes NetNut, which is also tracked as Popa, as a network spread across home devices worldwide, including smart TVs and set-top boxes, and GTIG estimates that the network includes at least 2 million devices.
If one of those devices is in your home, strangers can route their traffic through your Internet connection, and your address gets blamed for anything they do with it.
How It Works
A residential proxy network sells access to real home Internet addresses. Attackers pay to route their traffic through your connection so it looks like normal home browsing, not the datacenter traffic that security tools usually block.
To build that pool, operators need their code to run on home devices. Some of that code comes pre-installed on cheap off-brand hardware; other devices pick it up when someone installs a free app that hides it. Once active, the device becomes an “exit point,” a door through which other people’s traffic flows.
Google says the exit point brings external traffic inside the home network, giving attackers access to other devices on it. Some of these home gadgets have also been drawn into major botnets such as Mirai and Badbox 2.0.
In one week in June, GTIG counted 316 different threat groups, including cybercrime and espionage groups, using suspected NetNut exit points to hide their real location and perform password-guessing attacks.

The Company Behind It
Unlike most proxy botnets, NetNut traces back to a public company. In June, researchers from Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut.
NetNut is a proxy provider owned by Israeli publicly traded company Alarum Technologies (NASDAQ: ALAR). In a controlled trial, Synthient said the traffic it sent to NetNut’s commercial gateway came through a device it had registered with Popa.
Synthient presented that as evidence of the traffic pattern, not evidence of what NetNut knew or intended. Google’s own intelligence is consistent: it treats NetNut and Popa as the same network, and says that public reporting matches its view of how NetNut builds its botnet. Hacker News compiled the researchers’ findings at the time of publication.

Alarum rejects the “botnet” label. It calls the study “inaccurate and flawed claims rather than proven facts,” and says its software is for agreed bandwidth sharing that doesn’t compromise the devices it runs on.
The researchers’ tests made that defense difficult: Synthient reported that none of the more than 20 apps it tested showed users a permission prompt.

Why One Downgrade Is Not Enough
Cutting off NetNut is messy by design. NetNut operates a reseller program that allows other companies to sell its network under their own brand names. Google says it has high confidence that many popular, seemingly disparate proxy services are reselling the same NetNut pool.
So one disruption affects many products that look independent but are not.
This is also why Google calls this a degradation, not a kill. It says that its previous action against the IPIDEA network showed that these networks can be resilient: operators start buying capacity from competitors, in effect becoming resellers themselves. Real, lasting damage, Google says, means going after several connected providers at once.
In January, Google and its partners disrupted IPIDEA, a China-based network that at its height was one of the largest of its kind. In July 2025, Google took to court the operators of Badbox 2.0, a botnet of hacked Android TV devices whose components overlap with Popa. Each time, the networks have proved stubborn.
What Buyers Should Do
One clear warning sign is an app that offers to pay you for “unused bandwidth” or for “sharing your internet.” That is one of the main ways these networks grow.
In addition:
- Stick to official app stores, and check what permissions a VPN or proxy app is asking for.
- Keep built-in protections like Google Play Protect turned on.
- Buy streaming boxes and smart TV hardware from well-known manufacturers, not no-name brands.
The demand for these home addresses does not disappear when the network goes down; it just moves. For defenders and platforms, the next signal to watch for is whether traffic linked to NetNut appears under reseller products.



