Google’s Threat Intelligence Group (GTIG) estimates NetNut controls at least 2 million infected devices worldwide, including smart TVs and streaming boxes, and that figure’s what sparked the joint takedown.
Imagine a dark server room in Virginia, where FBI agents stare at a screen flashing the domain netnut.com. The agents, alongside Google engineers, watch the final DNS query disappear – a clear sign the domain’s been seized. That’s the moment the botnet’s public face vanished, and it’s what the original report describes.
Key Takeaways
- GTIG says the botnet comprises at least 2 million compromised Android devices.
- A coordinated effort involving Google, the FBI, Lumen Technologies, and the Shadowserver Foundation led to the shutdown.
- The operation removed the netnut.com domain and other associated domains used by the service.
- Disrupting NetNut is expected to ripple through the residential proxy market because of its extensive reseller program.
- Google disabled malicious apps via Play Protect and shared SDK details with industry partners.
Residential Proxy Botnet Disruption: Google Leads the Takedown
What makes NetNut stand out isn’t just its size; it’s the way it hides behind everyday home internet connections. Threat actors route traffic through victim devices, making the traffic look like ordinary residential browsing. That’s why services that rely on residential IPs—like ad verification or market research—often unwittingly buy access to the botnet.
Google didn’t just pull the plug on a domain; it also disabled the accounts and services on its own infrastructure that NetNut operators used for command‑and‑control. By cutting off that backend, Google ensured the botnet couldn’t simply point to a new domain and keep running. That’s a level of intervention you don’t see every day from a cloud provider.
How NetNut Operated
At its core, NetNut packaged legitimate‑looking proxy plugins into trojanized Android apps. The Badbox 2.0 malware, for example, bundled those plugins and let the botnet operator sell proxy access to anyone with a budget. Once a device was infected—either pre‑installed by a manufacturer or added via a malicious app—it became an exit node, routing unauthorized traffic through its IP.
Because the infected devices are often smart TVs or streaming boxes, the traffic looks like someone watching a movie at home. That’s why many online services flagged the IPs as suspicious or blocked them outright. The botnet’s architecture let cybercriminals and espionage groups mask their activities behind a massive pool of seemingly innocuous addresses.
The Joint Operation Behind the Shutdown
The takedown wasn’t a solo effort. Google teamed up with the FBI, Lumen Technologies, the Shadowserver Foundation, and other industry partners. Each played a distinct role, from identifying the C2 servers to seizing the domain registrations.
Mark Karayan, Communications Manager at Mandiant, confirmed the FBI’s role when he told BleepingComputer, “I checked with the disruption team and confirmed.com domain was also used by them along with other domains taken down.” That’s a clear sign the law‑enforcement side handled the legal takedown while Google tackled the technical side.
Google also shared technical details on NetNut’s SDKs and backend C2 infrastructure with platform providers, law‑enforcement agencies, and other cybersecurity researchers. That sharing means the same playbook can be used to hunt down similar proxy services in the future. It’s a collaborative model that could become the norm for fighting large‑scale botnets.
Impact on the Proxy Ecosystem
NetNut wasn’t just another botnet; it was a backbone for many residential proxy services. Its strong reseller program let operators white‑label the network and sell it under their own brands. That’s why the disruption could cause a noticeable shift in pricing and availability for proxy services that relied on NetNut’s capacity.
Karayan warned that when one proxy service goes down, operators often scramble to buy replacement capacity from competitors, turning them into resellers themselves. “The proxy industry is deeply interconnected where operators constantly buy and resell each other’s botnet capacity, and Netnut is among the largest and most popular residential proxy networks in the world,” he said. That interdependence means the fallout could ripple across multiple services, not just the ones directly using NetNut.
Historical Context
Residential proxy networks have evolved from early attempts to mask traffic behind compromised home routers. Over the past decade, the market shifted toward more sophisticated services that offered APIs, geo‑targeting, and dedicated support. Those services often relied on a hidden layer of infected devices, turning ordinary broadband connections into a commodity for malicious actors.
Before NetNut, other botnets demonstrated the power of using Internet‑of‑Things hardware. Those campaigns proved that a single compromised device could generate enough traffic to affect large‑scale advertising or data‑collection operations. NetNut built on that premise, scaling the model to millions of devices and integrating a reseller ecosystem that blurred the line between legitimate proxy providers and illicit infrastructure.
Regulators have started to notice the trend, with several jurisdictions proposing rules that would require proxy providers to prove the provenance of their IP pools. While no universal standard exists yet, the NetNut takedown underscores why such oversight may become a prerequisite for operating in the residential proxy space.
Technical Architecture Deep Dive
The botnet’s command‑and‑control relied on a combination of domain‑based lookups and hard‑coded SDK endpoints. Once an infected device contacted the C2 server, it received a list of proxy endpoints and authentication tokens. Those tokens allowed the operator to route arbitrary traffic through the device without raising local alerts.
Google’s involvement gave investigators a view into the exact API calls the malware used. The SDK exposed methods for establishing TLS tunnels, rotating exit nodes, and reporting usage metrics back to the C2. By disabling the SDK on its own cloud platform, Google prevented new devices from registering and existing ones from receiving fresh instructions.
Network traffic analysis showed that most communications were short bursts, designed to evade detection by typical flow‑based monitoring tools. The botnet also employed fallback domains—if the primary domain was seized, a secondary domain could take over. The joint operation removed both primary and secondary entries, effectively cutting off the communication channel.
What the Numbers Reveal
GTIG observed 316 distinct threat clusters using suspected NetNut exit nodes in just one week last month. Those clusters included both cybercriminal groups and state‑aligned espionage actors. That’s a stark illustration of how diverse the customer base was.Threat actors used NetNut for a range of activities: accessing their own infrastructure, running password‑spraying attacks, and reaching victim environments that would otherwise block their traffic. The scale of the operation shows why shutting down the botnet matters for more than just a handful of malicious campaigns.
- At least 2 million devices were compromised, spanning Android phones, smart TVs, and streaming boxes.
- The botnet used malware families like Badbox 2.0 to distribute proxy plugins.
- Google disabled infected apps via Google Play Protect, automatically warning users.
- FBI seized the netnut.com domain, removing a public entry point.
- GTIG logged 316 threat clusters in a single week, indicating broad abuse.
What This Means For You
If you run a security operation that relies on IP reputation, you’ll see a sudden drop in alerts coming from NetNut‑related IP ranges. That doesn’t mean the threat has vanished; it just means the traffic is being rerouted through other proxy providers. You’ll need to update your blocklists and stay alert for new residential proxy services that might fill the gap.
Developers building apps for Android should double‑check that they aren’t inadvertently distributing trojanized binaries. Google Play Protect will flag suspicious packages, but a proactive review of third‑party SDKs can prevent your app from becoming part of another botnet. In short, treat every third‑party component as a potential attack surface.
Looking ahead, the question is whether the industry will move toward more transparent proxy services or keep relying on opaque botnet‑backed networks. If the latter persists, we might see another massive takedown in the near future.
Security teams that manage outbound traffic should consider adding heuristics that detect unusual ratios of residential IP usage. Attackers often prefer residential endpoints because they bypass common corporate defenses. Introducing an anomaly‑based rule can surface hidden proxy traffic before it reaches critical assets.
Businesses that currently purchase residential proxies for web‑scraping or SEO monitoring may need to reassess vendor contracts. A sudden loss of capacity could disrupt data pipelines, forcing teams to either switch to datacenter proxies or negotiate with providers that can prove clean IP sources. The disruption highlights the risk of depending on a single, opaque provider.
End users whose devices were part of the botnet may notice a brief slowdown in network performance. While the takedown removes the malicious traffic, it also means the device will no longer be burdened with proxy workloads. Users should still run a security scan to confirm that no residual components remain.
“GTIG estimates Netnut controls at least 2 million infected devices globally (including smart TVs and streaming boxes), powered by trojanized applications and botnets like Badbox 2.0 that package proxy plugins,” Google told BleepingComputer.
We’ve seen a coordinated effort finally cut off a massive residential proxy botnet, but the underlying business model—selling compromised home IPs—still exists. Whether regulators, platform owners, or the security community can curb that model remains to be seen.
Key Questions Remaining
- Will other large‑scale residential proxy networks adopt similar defensive postures, making future takedowns harder?
- How quickly will new domains and C2 infrastructure emerge to replace the seized netnut.com entry point?
- What role will platform providers play in proactively disabling malicious SDKs before they reach end users?
- Can industry‑wide sharing of threat intelligence keep pace with the rapid evolution of proxy‑based botnets?
The answers will shape the next chapter of the proxy wars. Until then, vigilance remains the best defense.

