Threat Intelligence Bearish 7

316 Threat Clusters Hit as Google, FBI Dismantle 2M-Node NetNut Proxy

· 4 min read · Verified by 2 sources ·
Share

Key Takeaways

  • Google and the FBI disrupted NetNut, a massive residential proxy botnet with over 2 million infected devices, cutting off 316 distinct threat clusters in a single week.
  • The operation, targeting Alarum-linked operators, highlights the proxy-as-a-service threat to enterprise security.

Mentioned

Google company GOOGL FBI organization NetNut product Alarum Technologies Ltd company IPIDEA product Badbox 2.0 malware Android technology

Key Intelligence

Key Facts

  1. 1NetNut comprised over 2 million infected Android devices, primarily smart TVs and streaming boxes, via trojanized apps and Badbox 2.0 malware.
  2. 2In June 2026, Google observed 316 distinct threat clusters using NetNut for password-spray attacks and other malicious activities in a single week.
  3. 3The operator is linked to the publicly-traded Israeli firm Alarum Technologies Ltd, which rented proxies to cybercriminals and espionage groups.
  4. 4Google disabled C&C accounts, removed infected apps via Play Protect, and warned victims, significantly degrading the botnet’s device pool.
  5. 5NetNut operated a reseller program, allowing popular proxy brands to whitelabel the botnet, complicating disruption efforts.
  6. 6The takedown follows the January 2026 disruption of IPIDEA, indicating an ecosystem where disruption leads to capacity shifting among competitors.

We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions.

Google Statement via SecurityWeek
Botnet Nodes Degraded
2M+

Google's actions reduced NetNut's device pool by millions.

Analysis

For cybersecurity professionals, the NetNut takedown is both a lesson in the scale of modern botnets and a call to action. With 2 million compromised IoT devices and 316 threat clusters actively using them for password spraying, the operation reveals how residential proxy networks have become critical infrastructure for attackers — and how public-private collaboration can dismantle them overnight.

In a coordinated operation in June 2026, Google’s Threat Analysis Group (TAG) and the Federal Bureau of Investigation (FBI) dismantled NetNut, one of the largest residential proxy networks ever discovered, comprising over 2 million compromised Android devices. The botnet, also known as Popa, was used by hundreds of cybercriminal and state-sponsored actors for credential theft, espionage, and anonymizing illicit activities. Google’s action, which included severing command-and-control (C&C) infrastructure, disabling associated accounts, and deploying Google Play Protect to clean infected devices, marked a significant escalation in the ongoing fight against proxy-as-a-service botnets.

NetNut leveraged trojanized applications and malware like Badbox 2.0 to infect smart TVs, streaming boxes, and other Android-based IoT devices, turning them into unwitting proxies.

NetNut leveraged trojanized applications and malware like Badbox 2.0 to infect smart TVs, streaming boxes, and other Android-based IoT devices, turning them into unwitting proxies. The operator, linked to the publicly-traded Israeli firm Alarum Technologies Ltd, sold access to this residential proxy network under the NetNut brand and also operated a reseller program, allowing other proxy providers to whitelabel the botnet. This business model enabled a fluid ecosystem where disruption of one botnet could simply push demand to another. Indeed, Google noted that when faced with degradation of their own botnet, proxy operators begin buying capacity from competitors, becoming resellers themselves. The January 2026 takedown of IPIDEA, another large proxy network, had already demonstrated this phenomenon, and Google observed a spillover effect now with NetNut’s dismantling.

The scale of malicious activity funneled through NetNut was staggering. In a single week in June, Google identified 316 distinct threat clusters using the proxy network to hide their true locations during attacks, including widespread password-spray campaigns against cloud services and enterprise accounts. Such residential proxies are invaluable to attackers because they make traffic appear to originate from legitimate home IP addresses, bypassing geo-fencing and IP reputation filters. NetNut’s proxies were rented by diverse adversaries: financially motivated cybercriminals, nation-state espionage groups, and even initial-access brokers (IABs) who would then sell access to compromised networks.

The technical impact of the takedown is substantial. Google disabled Google accounts and associated services that served as the botnet’s backend C&C, effectively paralyzing command logic and telemetry collection. Simultaneously, Google Play Protect — the built-in security system on Android devices — remotely disabled the infected applications across millions of devices, automatically warning victims and mitigating the threat without user intervention. This dual-pronged approach of neutralizing infrastructure and cleansing endpoints is a model for future botnet operations. Nevertheless, Google acknowledged the inherent fluidity of the proxy marketplace: operators may simply absorb residual bots and relaunch under a different brand or via reseller networks. Creating lasting disruption requires sustained, scalable targeting of the entire infrastructure chain, from command servers to payment processors.

From an industry perspective, this operation underscores the escalating threat posed by residential proxy botnets, which have become a critical component of the cybercrime supply chain. The NetNut case highlights how consumer IoT devices — often with weak security and long patch cycles — are increasingly conscripted into botnets. The involvement of a publicly-traded company also raises questions about corporate accountability and due diligence in the proxy market. Alarum Technologies’s association (even if indirect) signals that proxy services can operate in regulatory gray zones, and that deeper scrutiny from financial regulators and exchanges may be needed.

What to Watch

Looking ahead, the ripple effects are likely to be felt across the proxy ecosystem. With millions of nodes suddenly unavailable, proxy demand will spike, potentially increasing rents for remaining networks. This economic pressure could incentivize more aggressive infection campaigns or spur innovation in proxy resilience. For defenders, the intelligence shared by Google with industry partners — including indicators of compromise and C&C signatures — will be pivotal in detecting and blocking future iterations. The operation also demonstrates the power of public-private collaboration: Google, the FBI, and other international partners coordinated effectively, a model that will be essential as proxy botnets become ever more sophisticated.

Ultimately, the NetNut takedown is a tactical victory but a strategic battle. The cyber threat landscape rewards adaptability, and while millions of devices have been cleaned, the underlying market for residential proxies persists. The true measure of success will be whether this disruption cascades into a broader dismantling of the proxy-as-a-service economy, forcing actors to retreat to less efficient and more traceable anonymization methods. For now, security teams should review any connections to known NetNut proxy IPs and reinforce protections against credential-stuffing and password-spray attacks, which were heavily facilitated by this network.

Timeline

Timeline

  1. IPIDEA Proxy Network Disrupted

  2. NetNut Botnet Disrupted by Google and FBI

  3. Public Disclosure of NetNut Takedown

Sources

Sources

Based on 2 source articles

Cite This Page

"316 Threat Clusters Hit as Google, FBI Dismantle 2M-Node NetNut Proxy." Cyber Intelligence Brief, July 3, 2026. https://getcyberbrief.com/story/google-fbi-netnut-316-threat-clusters

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.