In a joint operation, Google, the FBI, and other partners have dealt a significant blow to the residential proxy ecosystem by disrupting the NetNut (also tracked as Popa) botnet.
NetNut is a malicious service built on millions of hijacked consumer devices. NetNut marketed itself as a high-quality residential proxy provider, selling access to “real” home IP addresses for web data collection and other benign-sounding use cases.
The FBI’s definition of a residential proxy:
“A residential proxy is an intermediary server between individuals and websites they visit to make their connections appear to originate elsewhere. Legitimate IP addresses assigned by an Internet Service Provider (ISP) to consumers’ Internet of Things (IoT) devices, such as TV streaming devices, digital picture frames, smartphones, tablets, and routers are used to route traffic. Once an internet-connected device is compromised, the device’s IP address can be used by threat actors to mask their online illegal activity, making the consumer appear responsible.”
The most common method used to add devices to the NetNut network was to trick users into installing “bandwidth sharing” or proxyware apps that promised payouts for “sharing your unused internet” but buried the true risks in fine print or skipped meaningful consent altogether. Less commonly, devices are sold pre-compromised through grey-market supply chains and shipped with malicious firmware or side-loaded apps.










