NetNut cracked as Google and FBI target 2M-device botnet
Google and the FBI have dismantled a botnet of 2 million devices operated by the residential proxy service NetNut. The takedown involved cracking NetNut's infrastructure, which was used to route malicious traffic through compromised home routers and IoT devices without owners' knowledge.
Background
- NetNut is an Israeli residential proxy service — it sells access to a pool of IP addresses from real home/office devices around the world, letting customers route traffic through those devices to bypass geoblocks or appear as ordinary users.
- Law enforcement and Google just disrupted a 2-million-device botnet that was powered by NetNut's infrastructure. The victims' devices (routers, IoT gadgets, computers) were infected with malware that turned them into proxies without owners' knowledge.
- This is part of a broader crackdown on "proxy botnets," which criminals use for credential stuffing (mass login attempts), ad fraud, and account takeover. Google's Threat Analysis Group (TAG) and the FBI worked together to take down the command-and-control servers and seize NetNut's infrastructure.
- NetNut had previously marketed itself as a legitimate service for web scraping and market research, but security researchers had long flagged that its IP pool included infected devices. The case shows how hard it is to distinguish "legitimate" proxy services from criminal botnets.
The FBI has seized hundreds of domains linked to NetNut, a residential proxy service owned by Israeli firm Alarum Technologies, following an investigation connecting NetNut to the Popa botnet—a network of at least two million compromised devices.
Researchers have linked the Android-based Popa botnet, which has compromised millions of TV boxes for advertising fraud and data scraping over four years, to NetNut, a residential proxy provider owned by the publicly-traded Israeli firm Alarum Technologies Ltd.