Google said it has weakened a large network of internet-connected devices that was being used to hide and route malicious online activity.
The tech giant said it took action against the NetNut residential proxy network, also known as Popa, in partnership with the FBI and Lumen, among others.
Google said it disabled accounts and services used in NetNut-related malware command-and-control operations and shared technical intelligence on the group’s infrastructure with law enforcement and industry partners to support broader enforcement efforts.
Residential proxy networks allow users to route internet traffic through consumer IP addresses, which can mask the origin of online activity and help bypass security defences.
Such networks can be used for legitimate purposes, but they are also often abused for cybercrime because they obscure the true source of traffic.
“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions,” Google said in a blog.
Be wary of “share your internet” apps, Google says
NetNut offers rotating residential, ISP, mobile, and datacentre proxies.
It was founded in 2017 as a subsidiary of Alarum Technologies, a cyber security firm in Israel.
NASDAQ-listed Alarum responded to the allegations with a statement:
“On July 2, 2026 Alarum and its subsidiary NetNut Ltd. (“NetNut”) were made aware of the seizure of certain domains associated with NetNut by the FBI.
Alarum takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account,” the company said .
Google’s Threat Intelligence Group (GTIG) said the NetNut software ends up in ordinary household electronic devices such as smart TVs and streaming boxes.
Sometimes it is pre-installed on cheap, off-brand hardware, and also comes in bundled inside free apps, as a so called software development kit (SDK).
GTIG warned that the latter, which offer consumers payments in exchange for “unused bandwidth” or “sharing your internet” are risky: unauthorised traffic passing through devices with NetNut installed could expose other equipment on the same home network to the Internet.
The advice from GTIG is to avoid such as apps.
Google has added detection to find and disable Android apps that come with the NetNut SDK through its built-in Play Protect malware defence.
While exactly sizing proxy networks is difficult, GTIG estimated that at least two million devices were compromised by NetNut.
The botnet ecosystem has become a large-scale problem over recent years with operator overlap and white-labelling of SDKs taking place.
GTIG said it found NetNut plugin components inside the Badbox 2.0 Android botnet that Google pursued with litigation in July 2025.
It also pointed to its January take-down of the IPIDEA proxy network as a guide to what could happen next, with disrupted proxy operators potentially buying capacity from competitors, and quietly pivoting to becoming resellers themselves.
Google said it intends to target the infrastructure of several interconnected proxy providers at once, rather than treating each network as a standalone problem.
— With addional reporting by iTnews.

