Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
NEWS

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Working alongside the FBI and Lumen Technologies, Google's Threat Intelligence Group has significantly degraded NetNut — one of the largest networks that...

Dylan H.

News Desk

July 2, 2026
4 min read

Google's Threat Intelligence Group (GTIG) has dealt a major blow to NetNut, one of the world's largest residential proxy networks, which had enlisted more than 2 million home devices as unwitting traffic relays. In a coordinated operation alongside the FBI and Lumen Technologies, GTIG announced it had reduced the network's pool of usable devices by millions — significantly degrading its ability to anonymize malicious traffic.

What Is a Residential Proxy Network?

Residential proxy networks route internet traffic through real home devices — routers, smart TVs, laptops, and mobile phones — rather than through data centre servers. This makes the traffic appear to originate from legitimate home users, allowing it to bypass IP-based blocklists, geo-restrictions, and fraud detection systems.

NetNut operated one of the largest such services, advertising millions of residential IPs to customers who used them for purposes ranging from ad verification to credential stuffing attacks, web scraping, and bypassing security controls.

Google's Disruption Action

According to GTIG's disclosure, the operation targeted NetNut's infrastructure at multiple levels:

  • Device pool reduction: Coordinated action cut the number of available proxy nodes by millions, limiting NetNut's capacity.
  • Infrastructure takedowns: Lumen Technologies severed network-level connectivity to key NetNut infrastructure components.
  • Law enforcement coordination: The FBI participated in the broader effort, signalling potential criminal referrals.

Google stated that residential proxy networks like NetNut are increasingly being exploited by threat actors — including nation-state groups — to mask the origin of cyber operations such as phishing campaigns, credential stuffing, and espionage activity.

Why Residential Proxies Are a Threat Intelligence Problem

Residential proxy services create a significant attribution challenge for defenders. Because the traffic originates from real home IP addresses:

  • Standard IP reputation feeds cannot reliably block the traffic
  • Geolocation-based access controls are defeated
  • Fraud detection and bot mitigation systems are bypassed
  • Attack traffic blends into normal residential internet activity

Nation-state actors have been documented using residential proxy networks to conduct reconnaissance, exploit public-facing vulnerabilities, and stage data exfiltration operations — all while appearing as ordinary home users from targeted countries.

NetNut's Operations

NetNut marketed itself as a legitimate commercial service, but its residential IP pool has repeatedly been linked to malicious activity. The network sourced home device participation through bundled software — users unknowingly installed applications that silently enrolled their device as a proxy node in exchange for "free" services.

This model, known as a proxyware ecosystem, has become a persistent grey-area threat. While some proxyware operators claim informed consent, the disclosures are often buried in lengthy terms of service that users do not read.

Industry Implications

Google's action against NetNut is part of a broader trend of technology companies taking active, pre-litigation disruption measures against infrastructure enabling cybercrime:

  • Microsoft has executed dozens of legal domain seizures against nation-state threat actors
  • Cloudflare and Lumen have previously severed hosting for ransomware infrastructure
  • The FBI and international partners have dismantled major proxy and botnet operations including Volt Typhoon-linked router botnets

The NetNut disruption signals that residential proxy services enabling malicious activity — even those operating under commercial legitimacy — are increasingly subject to coordinated industry and law enforcement action.

Defensive Takeaways

Organizations concerned about proxy-masked attacks should consider:

  • Behavioural analytics over IP reputation: Since residential IPs appear legitimate, focus on detecting anomalous behaviour patterns rather than blocking by IP.
  • Velocity and session analysis: Credential stuffing via residential proxies often shows high request rates from distributed, geographically inconsistent IPs.
  • Device inventory audits: Home networks and BYOD devices enrolled in corporate environments may be running proxyware unintentionally.
  • Threat intelligence feeds: Subscribe to feeds that track known residential proxy IP ranges, even if these change frequently.

As residential proxy ecosystems grow, disruption actions like Google's will need to be paired with sustained infrastructure enforcement to have lasting effect.

#Google#Threat Intelligence#Residential Proxy#Botnet#FBI

Related Articles

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

Google's Threat Intelligence Group and the FBI have dismantled NetNut, a residential proxy network built on 2 million compromised Android smart TVs and...

4 min read

North Korean Hackers Publish 108 Malicious Packages in PolinRider Campaign

Threat actors linked to North Korea's Contagious Interview campaign have published 108 malicious packages and browser extensions across npm, Packagist,...

4 min read

China-Nexus Actor Spies on US Researchers Undetected for a Year

Google's Threat Intelligence Group discovered and disrupted a sprawling China-nexus espionage campaign that stole RedCAP credentials to silently breach...

5 min read
Back to all News