All incidents

Google and FBI disrupt NetNut residential proxy botnet

breachopenJul 3, 2026 — Jul 6, 2026
Google, FBI disrupt NetNut botnet, freeing hijacked home devices

GOOGLE and the FBI have disrupted the NetNut botnet, a residential proxy network that hijacked millions of home devices to sell bandwidth for malicious web traffic according to Google’s Threat Intelligence Group. The joint operation, which also involved Lumen, took down key infrastructure and freed the compromised devices from the attackers’ control.

The botnet spread through seemingly legitimate Android applications that promised users money for sharing their unused internet bandwidth as reported by Malwarebytes. Once installed, the apps enrolled the device in a peer-to-peer proxy system that routed other users’ traffic through the infected handset’s residential IP address. This allowed criminals to mask fraudulent activity, account takeover attempts and distributed denial-of-service attacks behind ordinary home connections.

Authorities seized dozens of domains associated with the NetNut operation and dismantled the command-and-control servers that managed the proxy swarm according to Infosecurity Magazine. Google’s Threat Intelligence Group said the disruption affected roughly two million devices that had been co-opted without the owners’ full knowledge. The takedown follows a similar action against the IPIDEA network earlier this year, showing a pattern of abuse in the residential proxy market.

Researchers have linked the NetNut infrastructure to Alarum Technologies Ltd, a firm that markets bandwidth-sharing software under the premise of user consent as noted by SecurityAffairs. However, security analysts argue that the consent mechanisms were opaque and that many installations occurred via deceptive bundling. No CVEs were assigned to the botnet’s distribution method, indicating the threat relied on social engineering rather than a software vulnerability. The FBI’s involvement highlights the growing cooperation between law enforcement and private sector teams to disrupt cybercrime-as-a-service operations.

Users should review the list of installed applications on their Android devices and remove any that offer payment for bandwidth sharing unless they recognise the publisher. Monitoring data usage for unexpected spikes can also help detect a device that is acting as a proxy without the owner’s knowledge. Keeping the operating system and apps up to date reduces the chance of malicious software gaining a foothold through outdated components. Finally, running a reputable mobile security solution that flags suspicious network behaviour adds an extra layer of protection.

Google has pledged to continue monitoring for attempts to rebuild the NetNut infrastructure and will push updates to its Play Protect service to block known malicious apps. Organisations that rely on residential IP reputation should consider incorporating threat intelligence feeds that flag newly observed proxy networks. Staying vigilant about the source of bandwidth-sharing offers remains the most effective defence against enrolment in such botnets.

Intelligence briefing updated Jul 6, 2026

Root sourcecloud.google.com
Timeline Coverage

Swipe to explore timeline