Google and law enforcement partners have successfully disrupted NetNut, a residential proxy network operating across approximately 2 million infected Android devices. The operation severed access to compromised smartphones, smart TVs, and streaming boxes that attackers leveraged to mask malicious traffic and conduct large-scale cyberattacks.
NetNut functioned as a proxy service, routing internet traffic through legitimate consumer devices without their owners' knowledge or consent. This infrastructure enabled threat actors to conduct click fraud, credential stuffing, account takeover attacks, and distributed denial-of-service operations while hiding behind residential IP addresses. The anonymity layer made detection and attribution significantly harder for defenders.
The disruption represents a major blow to cybercriminals who relied on residential proxies to evade detection. Unlike datacenter proxies, which security teams easily identify and block, residential proxies appear as legitimate traffic from home networks, making them particularly effective for fraud and abuse campaigns. Organizations struggle to distinguish between legitimate users and attackers routing through compromised devices.
Device owners faced multiple risks from NetNut infection. Attackers consumed bandwidth from infected systems, degraded performance, and exposed devices to additional malware payloads. Users were largely unaware their devices participated in criminal infrastructure.
Google's involvement signals increased coordination between technology companies and law enforcement against proxy networks. The search giant has previously targeted similar botnets and abuse infrastructure. This operation required identifying the network's command infrastructure, legal proceedings to obtain court orders, and coordination with ISPs and hosting providers to terminate services.
The disruption cuts the criminal ecosystem off from millions of compromised devices. However, similar residential proxy networks likely remain operational. Attackers continuously rebuild botnets through malware distribution, social engineering, and exploit kits targeting unpatched Android devices.
Organizations should implement residential proxy detection capabilities and monitor for suspicious proxy traffic patterns. Device manufacturers and ISPs need to improve security baseline
