FBI and Google dismantle NetNut residential proxy botnet

breach | open | Jul 2, 2026 — Jul 3, 2026
The FBI and Google’s Threat Intelligence Group have disrupted the NetNut residential proxy network, which had hijacked more than two million Android devices to relay malicious traffic.

The network relied on the Popa botnet, malware that posed as a legitimate bandwidth‑sharing SDK and turned infected handsets into proxies that masked attackers behind real residential IP addresses.

As part of the takedown, Google disabled the accounts linked to the malicious apps, shared intelligence on the malware’s SDKs and backend infrastructure with the FBI, and strengthened Google Play Protect warnings to prevent reinstallation.

Earlier actions against the IPIDEA proxy had already shown how criminals lease such networks for credential stuffing, ad fraud and other illicit activities, and security researchers noted that multiple threat clusters had been observed using NetNut for the same purposes.

Defenders should review device telemetry for unexplained outbound connections from Android handsets, enforce Play Protect alerts and block any applications that advertise unused bandwidth sharing.

Organisations can also block known NetNut command‑and‑control domains, monitor for traffic exiting through residential IP ranges that lack legitimate business justification and keep endpoint software up to date to close the initial infection vector.
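The telemetry review and domain blocking described above can be combined into one pass over flow logs. The following is an added example, not part of the original briefing: the domains, device names, flow records and both thresholds are constructed assumptions, since the briefing publishes no indicators.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed placeholders and flows: the briefing lists no domains, so none are real.
BLOCKLIST = {"gateway.proxy-sdk.example"}
ALLOWLIST = {"corp.example"}  # destinations with a business justification
MIN_UNEXPLAINED = 4  # assumed threshold: distinct unexplained destinations
MIN_UP_RATIO = 0.5   # assumed threshold: bytes_out / bytes_in typical of a relay

SAMPLE_FLOWS = """device,os,dst_host,bytes_out,bytes_in
pixel-017,android,mail.corp.example,1200,48000
pixel-022,android,gateway.proxy-sdk.example,910000,4000
pixel-022,android,shop-a.example,3000,250000
pixel-022,android,shop-b.example,2500,240000
pixel-022,android,login.bank.example,2000,200000
pixel-022,android,ads.tracker.example,1800,210000
pixel-031,android,cdn.video.example,5000,9000000
laptop-04,windows,shop-a.example,900000,1000
"""

def in_set(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_handsets(flow_csv):
    """Return {device: [reasons]} for Android devices that look like proxy relays."""
    stats = defaultdict(lambda: {"blocked": set(), "unexplained": set(), "out": 0, "in": 0})
    for row in csv.DictReader(StringIO(flow_csv)):
        if row["os"] != "android":
            continue
        s, host = stats[row["device"]], row["dst_host"].lower()
        if in_set(host, BLOCKLIST):
            s["blocked"].add(host)
        if not in_set(host, ALLOWLIST):  # no business justification on record
            s["unexplained"].add(host)
            s["out"] += int(row["bytes_out"])
            s["in"] += int(row["bytes_in"])
    findings = {}
    for device, s in stats.items():
        reasons = []
        if s["blocked"]:
            reasons.append("blocklisted destination: " + ", ".join(sorted(s["blocked"])))
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        if len(s["unexplained"]) >= MIN_UNEXPLAINED and ratio >= MIN_UP_RATIO:
            reasons.append(f"relay-like: {len(s['unexplained'])} unexplained destinations, up/down {ratio:.2f}")
        if reasons:
            findings[device] = reasons
    return findings
```

A handset that only streams or browses stays download-heavy and is not flagged; a relaying device sends roughly as much as it receives, which is what the ratio check relies on.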

Intelligence briefing updated Jul 3, 2026
