NetNut botnet takes a hit. Don’t be part of the next one.

| July 6, 2026
Successful operation NetNut

In a joint operation, Google, the FBI, and other partners have dealt a significant blow to the residential proxy ecosystem by disrupting the NetNut (also tracked as Popa) botnet.

NetNut is a malicious service built on millions of hijacked consumer devices. NetNut marketed itself as a high-quality residential proxy provider, selling access to “real” home IP addresses for web data collection and other benign-sounding use cases.

The FBI’s definition of a residential proxy:

“A residential proxy is an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere. Legitimate IP addresses assigned by an Internet Service Provider (ISP) to consumers’ Internet of Things (IoT) devices, such as TV streaming devices, digital picture frames, smartphones, tablets, and routers are used to route traffic. Once an internet-connected device is compromised, the device’s IP address can be used by threat actors to mask their online illegal activity, making the consumer appear responsible.”

The most common method used to add devices to the NetNut network was to  trick users into installing “bandwidth sharing” or proxyware apps that promised payouts for “sharing your unused internet” but buried the true risks in fine print or skipped meaningful consent altogether. Less commonly, devices are sold pre-compromised through grey-market supply chains and shipped with malicious firmware or side-loaded apps.

Once enrolled, these devices could be used to relay password-spraying attacks, account takeover attempts, advertising fraud, and even Mirai-variant DDoS attacks.

The disruption focused on three levers: disabling Google accounts used for NetNut’s command-and-control (C2), sharing detailed indicators on NetNut’s SDKs and infrastructure with platforms and law enforcement, and using Google Play Protect to warn users and automatically disable apps that included NetNut code.

Reportedly, this has significantly disrupted the NetNut botnet, reducing the available pool of devices for the proxy operator by millions.

How to stay safe

A typical home user is unlikely to notice that their devices are part of the NetNut botnet, although they may experience slower performance, reduced internet speeds, faster battery drain, and additional wear and tear on affected devices.

After this blow, the botnet’s operators will likely try to rebuild their network by compromising new devices, or another botnet may take its place. So it’s important to stay vigilant. Some basic tips:

  • Be extremely wary of apps that pay you for unused bandwidth.
  • Stick to official app stores.
  • Check VPN and proxy permissions on your devices.
  • Favor reputable, Play Protect–certified vendors for connected devices.
  • Use an up-to-date, real-time anti-malware solution on devices that are eligible.
Malwarebytes blocks netnut.com
Malwarebytes blocks netnut.com

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

About the author

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.