Google and FBI Shut Down NetNut, a Criminal Anonymity Network Built on Millions of Hijacked Home Devices
NetNut rented out access to infected home and business routers so criminals and foreign spies could hide their tracks. A joint operation has disrupted it.

Key points
- Google and the FBI jointly disrupted NetNut, a residential proxy network, in 2025.
- NetNut operated by renting criminal access to millions of devices infected with malicious software, without their owners' knowledge.
- Customers included cybercriminals and nation-state hackers — government-backed operatives working on behalf of foreign powers.
- The network allowed attackers to make their internet traffic appear to come from ordinary home addresses, defeating many standard security checks.
- Affected device owners were unknowingly funnelled into a criminal service they had no idea they were part of.
Most people think of their home router — the small box that provides their Wi-Fi — as a harmless appliance. NetNut turned millions of those boxes into cover for criminals.
NetNut was a residential proxy network, meaning it was a service that routes internet traffic through infected everyday devices — home routers, smart TVs, office computers — to disguise where that traffic really comes from. When a criminal uses such a network, an attack appears to originate from a family home in Ohio rather than a criminal operation in Eastern Europe.
The business model was straightforward and ugly. NetNut infected devices with malware — software secretly installed without the owner's consent — then rented that hidden access to paying customers. Those customers included ransomware gangs, fraudsters, and nation-state hackers carrying out espionage operations.
Why does it matter that attacks look like they come from home addresses?
Because most security systems trust them. Corporate firewalls, banking websites, and government portals routinely flag or block traffic from known criminal servers. Traffic from a residential address in a quiet suburb raises no alarms. NetNut's entire value was selling that trust — traffic laundering, in effect.
Google and the FBI moved against the network in a coordinated disruption operation, first reported by SecurityWeek. Neither agency has published a full technical breakdown at the time of writing, but the action follows a pattern seen in earlier proxy-network takedowns: seizing or sinkholing the infrastructure that coordinates the infected devices, cutting the criminal operators off from their rented fleet.
For ordinary people, the immediate question is whether their device was part of this. Signs of a hijacked home router include unexplained slowdowns, unusual spikes in data usage on your broadband bill, and a router admin panel that has been locked or altered. Restarting your router clears some infections temporarily, but a full factory reset and a firmware update — installing the latest software version from your router manufacturer's website — is the stronger fix.
For businesses, the incident is a reminder that attacks routed through residential proxies are specifically designed to slip past perimeter defences. Blocking by IP reputation alone is not enough. Behavioural monitoring — watching for unusual login patterns and access volumes regardless of where the traffic appears to come from — catches what address-based filters miss.
NetNut's disruption removes one anonymity service. The criminal economy that funds these networks will look for the next one.



