---
title: "Google, FBI Disrupt NetNut Residential Proxy Network"
date: 2026-07-03
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/07/google-fbi-disrupt-netnut-residential-proxy-network.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Google, FBI Disrupt NetNut Residential Proxy Network

Google said on July 2, 2026, that it worked with the FBI to disrupt NetNut, a residential proxy network built on at least 2 million compromised devices. NetNut’s operator, Alarum Technologies, confirmed the FBI had seized domains tied to the service.

## Quick Summary – TLDR:

- Google, working with the FBI, disrupted NetNut (also tracked as “Popa”), a residential proxy network powered by at least 2 million compromised devices, including smart TVs and streaming boxes.
- In one week in June 2026, Google spotted 316 distinct hacking groups using NetNut’s compromised devices to guess passwords and break into accounts.
- Alarum Technologies and its subsidiary NetNut Ltd. confirmed the FBI had seized domains connected to NetNut, the same day as Google’s disclosure.
- Google says the action follows its January 2026 takedown of the IPIDEA residential proxy network.
- Google disabled accounts NetNut used for command and control and activated Play Protect to warn users and disable NetNut’s SDK apps.

## What Happened?

NetNut distributed malware software development kits (SDKs) through trojanized apps, enrolling home devices as exit nodes that routed malicious traffic through legitimate ISP-owned IP addresses to mask the activity. Google published the disruption on its Threat Intelligence Group blog the same day Alarum issued its own statement.

“**On July 2, 2026 Alarum and its subsidiary NetNut Ltd. (‘NetNut’) were made aware of the seizure of certain domains associated with NetNut by the FBI**,” the company said in a statement released via GlobeNewswire.

Google’s blog links NetNut’s operator to **Alarum Technologies Ltd.**, saying it rented network access to threat actors including [cybercriminals](https://sqmagazine.co.uk/cybercrime-statistics/) and nation-state espionage groups. Alarum, for its part, said it “**takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.**”

That statement frames the seizure as third-party misuse of Alarum’s infrastructure rather than a NetNut-run scheme, a distinction regulators and investors are likely to test. Most residential-proxy takedowns hit anonymous operators with no shareholders to answer to; NetNut’s parent does.

> ❗️ BREAKING: Over 2 million hijacked consumer devices, including smart TVs and streaming boxes, were quietly acting as residential proxy exit nodes. All of them, per Google, were part of the NetNut residential proxy network.  
>   
> Google, working with the FBI and Lumen, has moved to… [pic.twitter.com/4oKPHDJfnU](https://t.co/4oKPHDJfnU)
> 
> — International Cyber Digest (@IntCyberDigest) [July 2, 2026](https://x.com/IntCyberDigest/status/2072744743600275717?ref_src=twsrc%5Etfw)

## A Pattern, Not a One-Off

Google said the NetNut action follows its January 2026 disruption of the **IPIDEA residential proxy network** and its ongoing work against Badbox 2.0, with partners named including Lumen Technologies, the Shadowserver Foundation, and IRS Criminal Investigation. Google disabled accounts NetNut used for command and control, activated Play Protect to warn users and disable NetNut’s SDK apps, and shared technical intelligence with platform providers and law enforcement. Google said it believes the coordinated actions caused significant degradation to NetNut’s proxy network and business operations, reducing the operator’s available device pool by millions.

Residential proxy services sell access to real consumer IP addresses, letting buyers route traffic through what looks like an ordinary home connection instead of a datacenter. That quality draws both ad-fraud operators and attackers trying to blend in with legitimate login traffic.

## Why Residential Proxies Evade Enterprise Filters

In a single week in June 2026, Google observed **316** distinct threat clusters using suspected NetNut exit nodes for password-spray attacks and unauthorized access to victim environments. That figure matters because most enterprise [cybersecurity](https://sqmagazine.co.uk/cybersecurity-attacks-statistics/) blocklists are tuned to flag datacenter and VPN IP ranges, not residential ISP addresses. Traffic passed through a [hijacked smart TV](https://sqmagazine.co.uk/smart-home-statistics/) on a home network carries the same IP reputation as an ordinary household connection, so login-attempt rate limits built around known hosting-provider ranges simply do not fire.

Enterprises can help reduce that exposure without a network overhaul. Applying elevated scrutiny to logins from residential-IP ranges that don’t match a user’s known location, and treating unexplained smart-TV or IoT traffic spikes on corporate or BYOD networks as worth investigating, both narrow the gap NetNut exploited, though no single control eliminates credential-stuffing risk. Reviewing [cybersecurity threat data](https://sqmagazine.co.uk/cybersecurity-statistics/) on password-spray trends and current [API security breach statistics](https://sqmagazine.co.uk/api-security-breach-statistics/) gives teams a baseline for what normal credential-attempt volume looks like before a spike like this shows up in the logs.
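The gap described above can be shown over a handful of login events. This is an added example, not code from Google's report or from this article: the events, the per-user country baseline, the thresholds and the function names are all constructed assumptions, and country enrichment is assumed to happen upstream. It contrasts a per-IP failure limit, which never fires when each exit node is used once, with a check that correlates failures across sources and then flags off-baseline successes.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed events (time, user, source_ip, country, outcome); RFC 5737 IPs.
# All sources are residential, so a datacenter/VPN blocklist matches none.
EVENTS = [
    ("2026-06-10T09:00:05", "alice", "192.0.2.10", "BR", "fail"),
    ("2026-06-10T09:00:40", "bob", "198.51.100.7", "VN", "fail"),
    ("2026-06-10T09:01:15", "carol", "203.0.113.99", "TR", "fail"),
    ("2026-06-10T09:02:02", "dave", "192.0.2.77", "IN", "fail"),
    ("2026-06-10T09:03:30", "erin", "198.51.100.200", "MX", "ok"),
    ("2026-06-10T09:04:00", "alice", "203.0.113.5", "GB", "ok"),
    ("2026-06-10T14:00:00", "bob", "192.0.2.200", "GB", "fail"),
]
BASELINE = {u: {"GB"} for u in ("alice", "bob", "carol", "dave", "erin")}  # assumed
PER_IP_LIMIT = 5                # classic per-source failure threshold
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_USERS = MIN_IPS = 4         # assumed spray thresholds

def parse(events):
    return [(datetime.fromisoformat(t), u, ip, c, o) for t, u, ip, c, o in events]

def per_ip_alerts(events):
    """Source IPs whose failure count reaches the per-IP limit."""
    fails = Counter(ip for _, _, ip, _, o in parse(events) if o == "fail")
    return sorted(ip for ip, n in fails.items() if n >= PER_IP_LIMIT)

def spray_windows(events):
    """(start, end) spans where failures hit many accounts from many IPs."""
    fails = sorted(e for e in parse(events) if e[4] == "fail")
    spans = []
    for i, first in enumerate(fails):
        group = [e for e in fails[i:] if e[0] - first[0] <= WINDOW]
        if len({e[1] for e in group}) >= MIN_USERS and len({e[2] for e in group}) >= MIN_IPS:
            spans.append((first[0], group[-1][0]))
    return spans

def risky_successes(events, baseline):
    """Off-baseline successful logins during or just after a spray span."""
    spans = spray_windows(events)
    hits = []
    for t, user, ip, country, outcome in parse(events):
        if outcome != "ok" or country in baseline.get(user, set()):
            continue
        if any(start <= t <= end + WINDOW for start, end in spans):
            hits.append((user, ip))
    return hits

if __name__ == "__main__":
    print(per_ip_alerts(EVENTS), spray_windows(EVENTS), risky_successes(EVENTS, BASELINE))
```

On the sample data the per-IP limit raises nothing, while the cross-source check finds one spray span and one successful login worth stepping up or reviewing.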

## What’s Next?

Alarum has not disclosed how many domains the FBI seized or detailed the scope of its cooperation beyond its short statement. Watch for a follow-up Alarum filing or investor call addressing the financial and operational impact on NetNut’s business, and for Google to publish further indicators that let defenders block remaining NetNut infrastructure. Play Protect’s SDK-disabling action should reduce new device enrollment, though existing infected devices need vendor or user action to fully clear.

## SQ Magazine’s Takeaway

This disruption reads as evidence that residential-proxy abuse has become a scaled, semi-formalized business rather than a fringe criminal tool, one with a Nasdaq-listed company attached to at least one node in its supply chain. The 316 threat clusters figure is the more consequential number for security teams: it shows how thin the line has become between legitimate residential-proxy commerce and attacker tooling that needs no extra infrastructure once purchased.

This takedown, seven months after January’s disruption of the **IPIDEA network**, also signals that removing one operator does not shrink demand for residential exit-node access. Buyers displaced from NetNut and IPIDEA are likely already migrating to remaining providers, so the defensive posture this event calls for, closer scrutiny of anomalous residential-IP logins, outlasts any single company’s collapse.