Botnet of 2 Million Devices Dismantled: Impact on Residential Proxies
Google, FBI, and other entities 'significantly degraded' the NetNut network, one of the largest providers of residential proxies used by cybercriminals
July 6, 2026 · 4 min read
TL;DR: A joint operation by Google, FBI, Lumen, and Shadowserver degraded the NetNut proxy network, which used 2 million devices to hide criminal activity. It affects cybercriminals, but the ecosystem is resilient.
What happened?
On July 3, 2026, a coordinated operation between Google, the FBI, Lumen Technologies, and Shadowserver announced the 'significant degradation' of the NetNut residential proxy network, which operated with at least 2 million compromised devices, primarily smart TVs and streaming boxes. The action, which included the seizure of the domain netnut.com (though netnut.io remains active) and the disruption of control servers, represents the second major offensive of 2026 against this type of infrastructure, following the dismantling of IPIDEA in January. According to Google Cloud, NetNut was one of the most popular providers among cybercriminals: in one week of June 2026, Google's telemetry detected 316 threat groups using its nodes, including financial cybercrime actors and state-sponsored espionage groups. The network operated via an SDK integrated into streaming device firmware, allowing attackers to route their traffic through legitimate residential IPs, making detection difficult.
Why is it important?
Residential proxy networks are a critical tool for cybercriminals, as they mask malicious traffic to make it appear as if it originates from real homes. This enables brute force attacks, access to corporate infrastructure, evasion of geo-blocking, and fraud campaigns. NetNut, in particular, offered not only residential proxies but also mobile and data center proxies, along with scraping tools and datasets. Its popularity stemmed from its reseller program: many other proxy networks relied on NetNut's infrastructure, amplifying the impact of its degradation. The FBI and Google have noted that the operation not only affects NetNut but could have 'ripple effects' across the entire ecosystem, as resellers lose their primary source of nodes. However, the market's resilience was demonstrated after IPIDEA's takedown: many operators simply bought capacity from competitors, as noted by the Google Threat Intelligence Group (GTIG).
Consequences and context
The operation against NetNut is part of a broader strategy of public-private collaboration to dismantle criminal infrastructure. However, Google warns that the ecosystem is 'fluid and resilient.' After IPIDEA's takedown, proxy operators quickly adapted, and the same is expected now. Additionally, components of NetNut were found in botnets like Badbox 2.0 and variants of Mirai, suggesting the network not only served as a proxy but as part of broader attack infrastructure. The seizure of the main domain and disruption of servers have reduced operational capacity, but the persistence of netnut.io indicates operators are trying to maintain the service. The FBI has emphasized that the investigation continues and that those responsible are being sought, but the global nature of these networks makes total eradication difficult. For users, the lesson is clear: accepting payments for 'sharing bandwidth' may be unknowingly fueling these networks, exposing their devices to vulnerabilities and contributing to cybercrime.
What should readers know?
- Residential proxies are not illegal per se, but their abuse for cybercrime is massive. They are promoted as privacy tools, but criminals exploit them to hide their activities.
- Users who accept payments for 'sharing bandwidth' may be unknowingly fueling these networks. The official recommendation is to reject such offers, as they not only support the criminal ecosystem but also introduce security risks into homes.
- The operation is not definitive: Google has stated it will continue mapping how providers adapt and that long-term solutions beyond 'ad hoc disruptions' are needed. Cooperation between tech companies and law enforcement is key, but not sufficient for a structural problem.
The fight against residential proxy networks is a cat-and-mouse game. As long as there is criminal demand, there will be supply. Cooperation between tech companies and law enforcement is key, but not enough.
Technical analysis and future
The NetNut network was based on an SDK integrated into streaming devices, often through agreements with manufacturers or via modified firmware. Attackers used these devices as exit nodes, routing their traffic through residential IPs. The seizure of the main domain and disruption of control servers have reduced its capacity, but the persistence of netnut.io suggests operators are trying to maintain the service. Moreover, the residential proxy market continues to grow, driven by demand from cybercriminals and also legitimate businesses that use them for scraping or geolocation testing. It is likely that new providers will emerge or existing ones will absorb the demand. The coordinated action with the FBI indicates a more aggressive legal approach, but the global nature of these networks makes total eradication difficult. Google has announced it will continue monitoring ecosystem adaptation and scale its efforts to attack interconnected infrastructures. However, as long as the 'share bandwidth' business model remains profitable, it will be difficult to completely eliminate these networks.