Google and FBI Kneecap NetNut, Cutting Millions of Home Devices From Proxy Pool
Google's Threat Intelligence Group says a joint operation with the FBI and Lumen has stripped millions of infected home devices from NetNut, also tracked as Popa.

Key points
- Google's Threat Intelligence Group announced this week it had degraded the NetNut residential proxy network, also tracked as Popa.
- The operation was run jointly with the FBI and Lumen, and reduced NetNut's usable device pool by millions.
- NetNut is spread across home devices worldwide and rents that traffic capacity to third-party customers.
- Google framed the takedown as a disruption rather than a full seizure, meaning operator infrastructure remains active in some form.
Google has taken a hammer to NetNut.
The company's Threat Intelligence Group (GTIG) said this week it had gutted one of the largest residential proxy networks in operation, working alongside the FBI, Lumen and other partners. GTIG estimated the joint action stripped millions of compromised home devices out of NetNut's rentable pool.
NetNut, also tracked internally at Google as Popa, is a residential proxy operator. That is the polite term. In practice, these networks turn routers, smart TVs, phones and other consumer gear into relays that route somebody else's web traffic — often traffic that the paying customer would rather not run from their own IP. Ad fraud crews use them. Credential stuffers use them. So do scrapers, sanctions evaders and state-linked actors looking for a domestic-looking egress point.
The economics are simple. Whoever controls the largest, cleanest pool of residential IPs wins the enterprise contracts and the criminal ones.
Google did not disclose the specific technical mechanism it used to shrink NetNut's footprint. GTIG described the effort as a degradation rather than a full seizure, which suggests the operator's command infrastructure and business front-end remain reachable even as its inventory craters. The Hacker News first flagged the disclosure.
What should defenders patch first?
Residential proxy abuse rarely shows up as a CVE. It shows up as login attempts from IP space that looks like a Comcast subscriber in Ohio.
That is the point of the service. It defeats geo-blocks, IP reputation lists and simple velocity checks. Fraud teams at banks, retailers and ticketing platforms have been raising the alarm for years about the sheer scale of traffic laundered through networks like NetNut, Bright Data and their smaller competitors.
Home users usually have no idea their device is enrolled. Enrollment happens through bundled SDKs in free VPN apps, cracked software, and outright malware. Once installed, the device quietly answers proxy requests in the background, consuming bandwidth the owner is paying for.
For defenders, the practical takeaway is narrower than the headline suggests. NetNut's pool will rebuild. Operators of this kind rotate infrastructure, buy fresh installs from pay-per-install brokers, and re-enroll devices within weeks. Detections that rely on blocklists of known proxy exit nodes will get a temporary lift, then decay.
More durable controls sit at the behavioural layer: device fingerprinting, session consistency checks, and treating residential ASN traffic as suspicious when it hits sensitive endpoints like login, checkout or password reset.
Google has done similar takedowns before. GTIG and its predecessor teams disrupted Glupteba in 2021 and have kept up a steady drumbeat against botnet-for-hire operators since. None of those actions killed the underlying market. They raised the cost of doing business, briefly, and pushed customers to competitors.
NetNut's operators have not publicly responded. The FBI has not filed unsealed charges tied to the action as of publication. Whether this stays a technical disruption or graduates into indictments is the next thing worth watching.



