Google's Threat Intelligence Group has substantially disrupted NetNut, a residential proxy network that compromised approximately 2 million home devices to relay traffic for paying customers. The operation involved collaboration with the FBI and infrastructure provider Lumen.

NetNut, also tracked as Popa, operates by installing malware or adware on residential devices without the owners' explicit consent. Once infected, a device functions as a traffic relay: paying clients route their internet requests through it, so the traffic appears to originate from an ordinary home connection. That masks malicious activity, enables credential stuffing, facilitates price scraping, and bypasses geographic restrictions. At roughly 2 million devices, the network was one of the largest residential proxy operations in the world.

Google's action substantially reduced the pool of devices the network could use, crippling its core infrastructure. The disruption targeted the botnet's command-and-control systems, its DNS hijacking, and the channels through which the malware was distributed to new devices.

For organisations, NetNut posed a direct threat. Attackers renting the network used it for account takeovers against enterprise systems, automated fraud, and large-scale credential abuse campaigns. Because each request arrives from a different, legitimate-looking home IP address that makes only a handful of attempts, the residential proxy layer defeats IP reputation blocklists, per-IP rate limits, and fraud detection that relies on blocklist enforcement. For individuals, an infected home device became an unwitting participant in criminal activity while consuming bandwidth and degrading network performance.

The takedown reflects growing collaboration between technology companies and law enforcement against large-scale botnet infrastructure. Google also worked with ISPs to identify and notify affected users, remove the malware, and block its distribution channels.

NetNut's operators likely maintain backup infrastructure or migration paths, and residential proxy networks continue to proliferate as attackers seek ways around security controls. Organisations should therefore monitor for proxy-based attack patterns (for example, many distinct residential IP addresses each making a few login attempts against many accounts within a short window), apply device-level security controls, and review authentication logs for geographic anomalies consistent with relay-based abuse, such as one account authenticating from several countries within minutes.
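The following Python script is an added example, not code from the original article, from Google or from any detection product, showing why the per-IP controls mentioned above fail against relayed traffic and what the recommended log review looks like in practice. It parses a constructed authentication log (the `ts user=… ip=… result=…` format, the IP-to-country table and the thresholds are all hypothetical), runs a conventional per-IP rate limit over it, and then applies two checks that do not depend on any single address being busy: a window-level check for failures spread across many low-volume IPs and many accounts, and a per-account check for logins from several countries within a short interval.

```python
"""Two authentication-log checks that still work when attackers relay through
residential proxies, where every request arrives from a different home IP.

  distributed_failures(): many distinct IPs, each making only a few attempts,
      together producing a burst of failures across many accounts.
  geo_anomalies(): one account logging in from several countries in a short
      interval.
The log format, IP-to-country table and thresholds are constructed for this
example (hypothetical), not taken from any product or from the disrupted network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed stand-in for a GeoIP lookup; a real deployment would query a GeoIP database.
GEO = {
    "203.0.113.5": "US", "203.0.113.17": "US", "203.0.113.99": "CA",
    "198.51.100.9": "DE", "198.51.100.23": "BR", "198.51.100.80": "GB",
    "192.0.2.44": "JP", "192.0.2.61": "FR", "192.0.2.75": "IN",
}

# Constructed sample log: a benign user (alice), a low-and-slow stuffing burst
# from eight relays at 10:01, and "dana" logging in from three countries in 20 minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice ip=203.0.113.5 result=OK
2024-05-01T10:01:10Z user=bob ip=198.51.100.9 result=FAIL
2024-05-01T10:01:12Z user=carol ip=198.51.100.23 result=FAIL
2024-05-01T10:01:15Z user=dave ip=192.0.2.44 result=FAIL
2024-05-01T10:01:19Z user=erin ip=192.0.2.61 result=FAIL
2024-05-01T10:01:22Z user=frank ip=192.0.2.75 result=FAIL
2024-05-01T10:01:25Z user=grace ip=198.51.100.80 result=FAIL
2024-05-01T10:01:28Z user=heidi ip=203.0.113.17 result=FAIL
2024-05-01T10:01:31Z user=ivan ip=203.0.113.99 result=FAIL
2024-05-01T10:05:00Z user=dana ip=203.0.113.5 result=OK
2024-05-01T10:12:00Z user=dana ip=198.51.100.23 result=OK
2024-05-01T10:25:00Z user=dana ip=192.0.2.44 result=OK
2024-05-01T11:30:00Z user=alice ip=203.0.113.5 result=OK
"""


def parse(log_text):
    """Parse 'ts user=.. ip=.. result=..' lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": kv["user"], "ip": kv["ip"], "ok": kv["result"] == "OK"})
    return events


def per_ip_rate_limit_hits(events, max_attempts=5):
    """The traditional control: IPs that exceed a per-IP attempt limit.
    Returns nothing for relayed traffic because no single IP is busy."""
    attempts = defaultdict(int)
    for e in events:
        attempts[e["ip"]] += 1
    return sorted(ip for ip, n in attempts.items() if n > max_attempts)


def distributed_failures(events, window=timedelta(minutes=10),
                         min_ips=5, max_per_ip=2, min_fail_ratio=0.7):
    """Flag fixed windows where failed logins come from >= min_ips distinct IPs,
    none of which made more than max_per_ip attempts, and most attempts failed."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"] - EPOCH) // window].append(e)   # integer window index
    alerts = []
    for key in sorted(buckets):
        evs = buckets[key]
        attempts = defaultdict(int)
        for e in evs:
            attempts[e["ip"]] += 1
        failed = [e for e in evs if not e["ok"]]
        if not failed:
            continue
        failed_ips = {e["ip"] for e in failed}
        busiest = max(attempts[ip] for ip in failed_ips)
        fail_ratio = len(failed) / len(evs)
        if len(failed_ips) >= min_ips and busiest <= max_per_ip and fail_ratio >= min_fail_ratio:
            alerts.append({"window_start": EPOCH + key * window,
                           "failed_ips": len(failed_ips),
                           "failed_users": len({e["user"] for e in failed}),
                           "max_attempts_per_ip": busiest,
                           "fail_ratio": round(fail_ratio, 2)})
    return alerts


def geo_anomalies(events, interval=timedelta(minutes=30), min_countries=2):
    """Accounts whose successful logins span >= min_countries countries within `interval`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            by_user[e["user"]].append((e["ts"], GEO.get(e["ip"], "??")))
    flagged = defaultdict(set)
    for user, logins in by_user.items():
        for ts, _ in logins:   # look forward `interval` from each login
            countries = {cc for t, cc in logins if ts <= t <= ts + interval}
            if len(countries) >= min_countries:
                flagged[user] |= countries
    return {u: sorted(cc) for u, cc in flagged.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP rate limit hits:", per_ip_rate_limit_hits(evs))
    print("distributed failures:", distributed_failures(evs))
    print("geo anomalies:", geo_anomalies(evs))
```

On the sample, the per-IP rate limit fires on nothing, while the window check flags the 10:00 window (eight failing IPs, eight accounts, one attempt per IP) and the geographic check flags dana for logins from three countries in twenty minutes. The thresholds are starting points only; in production they should be tuned against the baseline failure rate and the expected travel of the user population, and the country lookup replaced with a real GeoIP or ASN source that can distinguish residential from datacenter ranges.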