Google's Threat Intelligence Group (GTIG) has dealt a major blow to NetNut, one of the world's largest residential proxy networks, which had enlisted more than 2 million home devices as unwitting traffic relays. In a coordinated operation alongside the FBI and Lumen Technologies, GTIG announced it had reduced the network's pool of usable devices by millions — significantly degrading its ability to anonymize malicious traffic.
What Is a Residential Proxy Network?
Residential proxy networks route internet traffic through real home devices — routers, smart TVs, laptops, and mobile phones — rather than through data centre servers. This makes the traffic appear to originate from legitimate home users, allowing it to bypass IP-based blocklists, geo-restrictions, and fraud detection systems.
NetNut operated one of the largest such services, advertising millions of residential IPs to customers who used them for purposes ranging from ad verification to credential stuffing attacks, web scraping, and bypassing security controls.
Google's Disruption Action
According to GTIG's disclosure, the operation targeted NetNut's infrastructure at multiple levels:
- Device pool reduction: Coordinated action cut the number of available proxy nodes by millions, limiting NetNut's capacity.
- Infrastructure takedowns: Lumen Technologies severed network-level connectivity to key NetNut infrastructure components.
- Law enforcement coordination: The FBI participated in the broader effort, signalling potential criminal referrals.
Google stated that residential proxy networks like NetNut are increasingly being exploited by threat actors — including nation-state groups — to mask the origin of cyber operations such as phishing campaigns, credential stuffing, and espionage activity.
Why Residential Proxies Are a Threat Intelligence Problem
Residential proxy services create a significant attribution challenge for defenders. Because the traffic originates from real home IP addresses:
- Standard IP reputation feeds cannot reliably block the traffic
- Geolocation-based access controls are defeated
- Fraud detection and bot mitigation systems are bypassed
- Attack traffic blends into normal residential internet activity
Nation-state actors have been documented using residential proxy networks to conduct reconnaissance, exploit public-facing vulnerabilities, and stage data exfiltration operations — all while appearing as ordinary home users from targeted countries.
NetNut's Operations
NetNut marketed itself as a legitimate commercial service, but its residential IP pool has repeatedly been linked to malicious activity. The network sourced home device participation through bundled software — users unknowingly installed applications that silently enrolled their device as a proxy node in exchange for "free" services.
This model, known as a proxyware ecosystem, has become a persistent grey-area threat. While some proxyware operators claim informed consent, the disclosures are often buried in lengthy terms of service that users do not read.
Industry Implications
Google's action against NetNut is part of a broader trend of technology companies taking active, pre-litigation disruption measures against infrastructure enabling cybercrime:
- Microsoft has executed dozens of legal domain seizures against nation-state threat actors
- Cloudflare and Lumen have previously severed hosting for ransomware infrastructure
- The FBI and international partners have dismantled major proxy and botnet operations including Volt Typhoon-linked router botnets
The NetNut disruption signals that residential proxy services enabling malicious activity — even those operating under commercial legitimacy — are increasingly subject to coordinated industry and law enforcement action.
Defensive Takeaways
Organizations concerned about proxy-masked attacks should consider:
- Behavioural analytics over IP reputation: Since residential IPs appear legitimate, focus on detecting anomalous behaviour patterns rather than blocking by IP.
- Velocity and session analysis: Credential stuffing via residential proxies often shows high request rates from distributed, geographically inconsistent IPs.
- Device inventory audits: Home networks and BYOD devices enrolled in corporate environments may be running proxyware unintentionally.
- Threat intelligence feeds: Subscribe to feeds that track known residential proxy IP ranges, even if these change frequently.
As residential proxy ecosystems grow, disruption actions like Google's will need to be paired with sustained infrastructure enforcement to have lasting effect.