Google Dismantles NetNut Residential Proxy Network Affecting 2M Devices
Google's Threat Intelligence Group, working with the FBI and Lumen, has significantly degraded NetNut, a major residential proxy network that compromised millions of home devices. The coordinated action demonstrates how threat actors abuse consumer infrastructure to facilitate malicious traffic and bypass security controls.
TL;DR
- Google disrupted NetNut, a residential proxy network operating across ~2 million compromised home devices
- Coordinated effort involved FBI, Lumen, and Google's Threat Intelligence Group to degrade the network's operational capacity
- Residential proxies enable attackers to mask malicious traffic and evade detection by appearing to originate from legitimate home networks
- This action highlights the security risks of compromised IoT and home devices being weaponized for large-scale abuse
Google's Threat Intelligence Group has announced a significant disruption of NetNut, one of the largest residential proxy networks operating globally. Working alongside the FBI and infrastructure provider Lumen, Google degraded the network's operational capacity by reducing its pool of usable compromised devices by millions.
Residential proxy networks like NetNut pose a serious security threat because they convert ordinary home devices into relay points for malicious traffic. This allows threat actors to mask their activities behind legitimate residential IP addresses, making it significantly harder for security teams to detect and block attacks. The network's scale—spanning approximately 2 million devices—underscores the scope of the abuse problem.
How Residential Proxy Networks Enable Attacks
- Residential proxies route traffic through compromised home devices, making attacks appear to originate from legitimate consumer networks
- Security teams struggle to block malicious activity when it originates from residential IP ranges typically associated with normal users
- Threat actors use these networks for credential stuffing, account takeover, scraping, and bypassing rate-limiting and geographic restrictions
- The distributed nature of residential proxies makes them harder to identify and shut down compared to centralized data center proxies
Implications for Web Application Security Teams
- Organizations must implement behavioral analysis and anomaly detection to identify proxy-based attacks beyond simple IP reputation checks
- Rate limiting, CAPTCHA challenges, and device fingerprinting become essential defenses against distributed residential proxy abuse
- Security teams should monitor for patterns of requests originating from unusual residential IP combinations or geographic inconsistencies
- Coordinated industry and law enforcement action demonstrates the importance of threat intelligence sharing to combat infrastructure abuse at scale
The Broader Context
- NetNut, also tracked as Popa, represents one of the most significant residential proxy networks targeting enterprise security controls
- This disruption follows increased focus on supply chain and infrastructure abuse as critical attack vectors
- The involvement of multiple stakeholders—Google, FBI, and Lumen—shows how coordinated action can degrade attacker infrastructure
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.