Article
Cybersecurity Tech Giants Google Residential proxies

Google and the FBI cripple a hidden network running through 2 million home devices

by TechDefused Newsroom
The image depicts police officers in tactical gear during a public order situation. One officer is prominently featured from behind, wearing a helmet and face shield, with 'POLICE' clearly visible on their uniform. — Credit: Photo by ev on Unsplash c Photo by ev on Unsplash

Google and US law enforcement have taken apart a large chunk of a service most people have never heard of, yet many were unknowingly part of.

The target was NetNut, one of the biggest residential proxy networks in the world. Google's Threat Intelligence Group, working with the FBI, Lumen and others, says it has cut the network's pool of usable devices by millions.

At its peak the operation reached at least 2 million devices worldwide.

What a residential proxy network actually is

A residential proxy network rents out real home internet connections.

When someone buys access, their traffic is routed through an ordinary home address rather than a data centre. To the website on the other end, the visitor looks like a normal person browsing from their sofa.

That is useful for some legitimate tasks, such as price checking or ad verification. It is also perfect for hiding.

Criminals like it because their activity blends in with everyday household traffic, which security systems tend to trust. Data-centre traffic, by contrast, gets flagged and blocked.

Your smart TV, recruited without asking

The uncomfortable part is where those home connections come from.

NetNut built its network by slipping small pieces of software, known as SDKs, into apps running on everyday devices. Smart TVs, streaming boxes and routers were common hosts.

Once installed, the device became what is called an exit node. Other people's traffic then flowed out through your home connection.

Researchers at Synthient examined more than 20 apps tied to the network and found none that asked users for permission in plain terms.

The risk to the owner is real. Strangers route their activity through your line, your address takes the blame for whatever they do, and other gadgets on your network are left exposed.

Who was using it, and for what

This was not a quiet corner of the internet.

In a single week in June 2026, Google counted 316 separate threat groups using suspected NetNut connections. They included both criminal gangs and state-backed espionage teams.

The network was used to mask break-ins to victim systems and to run password-guessing attacks at scale. Components of it have also turned up inside well-known botnets such as Mirai and Badbox 2.0.

What Google actually did

Google took three main steps.

It shut down the Google accounts and services the operators used to control the network. It set Google Play Protect, the security layer built into Android, to disable apps carrying the malicious code. And it shared technical details with law enforcement and other firms.

The FBI seized several NetNut web addresses. The main site, netnut.com, now shows a "This website has been seized" message, though a second address, netnut.io, was still online when The Register asked Google about it.

Why Google calls this a dent, not a death

The takedown is described as degradation, not destruction, and that wording is deliberate.

The reason is the way NetNut sold itself. It ran a reseller programme, letting other companies sell its network under their own brand names. Google says it is confident that many proxy services that look independent are reselling the same pool under new names.

Cut one and the others feel it, but the wider machine survives. These networks have a habit of absorbing rivals and carrying on.

Google says a lasting fix will need internet providers, mobile platforms and other technology firms acting together, not one company at a time.

The company behind it pushes back

NetNut is owned by Alarum Technologies, an Israeli firm listed on the Nasdaq and founded in 2017.

Alarum rejects the botnet label. It says its software supports consented bandwidth sharing and does not harm the devices it runs on, and it dismissed the research as flawed.

For the millions of households whose televisions were doing the routing, that distinction may feel academic.

by TechDefused Newsroom