NetNut cracked as Google and FBI target 2 million-device botnet
Other residential proxy brands may rely on the same network
Tech companies working with US law enforcement "significantly degraded" the NetNut residential proxy network as part of an ongoing effort to disrupt the tools cybercriminals use to conceal their activity, say researchers.
The work was carried out by Google, Lumen, Shadowserver, the FBI, and others, and marks a continuation of the IPIDEA proxy network disruption from January.
According to Google Cloud, those working on the operation believe NetNut was among the most popular residential proxy network providers and had at least 2 million devices enrolled in its botnet, comprising mainly small TV-streaming hardware. Crims often use residential proxy networks to make it look like their traffic is actually coming from legit homes and businesses.
Like other residential proxy networks, NetNut expanded its pool of enrolled devices by distributing its own SDK onto them.
Proxy providers often approach users under the guise of monetizing their spare bandwidth, paying them a fee in exchange for letting the provider's SDK run on their devices.
The official advice is, of course, to refuse any offers of this kind. Not only does accepting them help feed the cybercrime ecosystem, but it can also introduce vulnerabilities elsewhere in the home network.
NetNut offered its own standalone proxy networks, as well as mobile and datacenter proxies, and a slew of scrapers and datasets.
However, it also offered a reseller program, and experts believe many other residential proxy networks are powered by NetNut's own network, which means the disruption may have further downstream effects.
"While we expect this disruption to have a larger ripple effect across the residential proxy ecosystem, observations after the disruption of IPIDEA proved that individual networks can appear resilient," Google's Threat Intelligence Group (GTIG) said.
"What we have observed is that when faced with the degradation of their own botnet, proxy operators begin buying capacity from their competitors, effectively becoming a reseller.
"We recognize that creating a lasting disruption in this fluid ecosystem means we must scale our efforts to target the infrastructure of several interconnected providers. We will continue to observe the composition of the NetNut network and map out how its peers adapt to this action."
Residential proxy networks are not illegal, although they are often abused for cybercrime.
These networks are ostensibly pitched as a means to shore up online privacy, and promote ideals such as freedom of expression without risk of being traced.
However, the same privacy-preserving features of these networks are used by cybercriminals to mask their malicious activity.
They enroll ordinary devices, which are connected to innocent residential networks, at scale and offer them to customers as exit nodes.
Cybercriminals can make use of these networks to channel their traffic through these nodes, making the traffic appear to originate from an IP address they do not control.
"In a single week during June 2026, GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups," said Google.
"These bad actors can use NetNut to mask their origin IP address when accessing victim environments, accessing their own infrastructure, and conducting password spray attacks."
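The password-spray pattern GTIG describes above is detectable on the victim side even when each attempt arrives from a different residential IP. The following is an added example, not code from The Register, Google, or GTIG: it parses a constructed authentication log, flags sources that fail against many distinct accounts with few attempts each (the "one password, many users" shape of a spray), and enriches each hit with whether the source sits in a suspected residential-proxy exit range. The log lines, the exit ranges (RFC 5737 documentation prefixes standing in for a curated threat-intel feed) and the thresholds are all assumptions for the demonstration. Because a proxy customer can rotate exits per attempt so that no single IP crosses a per-source threshold, the example also aggregates over the whole window, which is the view that survives that rotation.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of an SSO/VPN authentication log (not real data).
# One event per line: <timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2026-06-02T10:00:01Z FAIL user=alice src=203.0.113.10
2026-06-02T10:00:03Z FAIL user=bob src=203.0.113.10
2026-06-02T10:00:05Z FAIL user=carol src=203.0.113.10
2026-06-02T10:00:07Z FAIL user=dave src=198.51.100.7
2026-06-02T10:00:09Z FAIL user=erin src=198.51.100.7
2026-06-02T10:00:11Z FAIL user=frank src=198.51.100.7
2026-06-02T10:00:13Z FAIL user=grace src=203.0.113.44
2026-06-02T10:00:15Z FAIL user=heidi src=203.0.113.44
2026-06-02T10:00:17Z FAIL user=ivan src=203.0.113.44
2026-06-02T10:00:19Z OK   user=ivan src=192.0.2.200
2026-06-02T10:00:21Z FAIL user=alice src=192.0.2.200
2026-06-02T10:00:23Z FAIL user=alice src=192.0.2.200
2026-06-02T10:00:25Z FAIL user=alice src=192.0.2.200
"""

# Placeholder list of suspected residential-proxy exit ranges (assumption:
# RFC 5737 TEST-NET prefixes used here only so the example runs offline;
# a real deployment would load a curated threat-intelligence feed).
SUSPECTED_EXIT_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_suspected_exit(ip):
    """True if the address falls inside any suspected proxy exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECTED_EXIT_RANGES)


def detect_spray(events, min_users=3, max_per_user=1):
    """
    Per-source heuristic: a source that fails against many distinct accounts
    with few attempts per account looks like a spray, unlike a legitimate user
    retrying one account. Returns {src_ip: finding} for flagged sources.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    for ev in events:
        if ev["result"] == "FAIL":
            failures[ev["src"]][ev["user"]] += 1
    findings = {}
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings[src] = {
                "targeted_accounts": sorted(per_user),
                "suspected_proxy_exit": is_suspected_exit(src),
            }
    return findings


def spray_via_proxy(events, **kw):
    """Sorted list of flagged sources that also sit in a suspected exit range."""
    return sorted(
        src for src, f in detect_spray(events, **kw).items() if f["suspected_proxy_exit"]
    )


def detect_rotated_spray(events, min_accounts=6, min_sources=2):
    """
    Window-wide heuristic: when the attacker rotates proxy exits per attempt,
    no single IP crosses the per-source threshold. Count distinct accounts and
    distinct suspected-exit sources across all failures in the window instead.
    """
    accounts, sources = set(), set()
    for ev in events:
        if ev["result"] == "FAIL" and is_suspected_exit(ev["src"]):
            accounts.add(ev["user"])
            sources.add(ev["src"])
    return {
        "distinct_accounts": len(accounts),
        "distinct_sources": len(sources),
        "flag": len(accounts) >= min_accounts and len(sources) >= min_sources,
    }


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("per-source findings:", detect_spray(evs))
    print("spray via suspected exits:", spray_via_proxy(evs))
    print("window-wide view:", detect_rotated_spray(evs))
```

In the constructed log, the three TEST-NET sources each hit three different accounts once and are flagged; the 192.0.2.200 source fails three times against a single account and is not, which is the benign "forgot my password" shape. The window-wide check sees nine accounts probed from three suspected exits and raises the same alarm, which is what to rely on once an operator spreads attempts thinly across a large exit pool.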
Reports also suggest that NetNut has a role to play in other botnet families. GTIG said it found plugin components for large-scale botnets such as Badbox 2.0, while other public reports have noted signs of NetNut being used to infect devices with Mirai variants.
The Register asked GTIG why NetNut's second domain (netnut.io) remains online, while netnut.com returns a "This website has been seized" splash page, but it did not immediately reply.
Google's announcement hinted at similar takedowns to take place in the future, as the residential proxy network market continues to grow.
However, it said these ad hoc disruptions are only effective for so long, and that a long-term approach would require support from ISPs, mobile platforms, and other technology companies. ®
Originally published on The Register