A concerted effort by Google, the FBI, and other organizations has dismantled NetNut, a sprawling residential proxy network. This network, also known as Popa, consisted of over two million Android devices, including smart TVs and streaming boxes, compromised through malware such as Badbox 2.0. NetNut's operator, linked to Israeli firm Alarum Technologies Ltd, rented these residential proxies to various threat actors, including cybercriminal and espionage groups. In June alone, Google identified 316 distinct threat clusters leveraging NetNut to obscure the origins of password-spray attacks and infiltrate victim environments.

As part of this operation, Google disabled accounts and services used for command-and-control, effectively dismantling the botnet's backend. The company also utilized Google Play Protect to disable infected applications and alerted victims about the threat. By sharing threat intelligence with industry partners and law enforcement, Google aims to create a lasting impact on the ecosystem. The takedown of NetNut follows the earlier disruption of IPIDEA in January, signaling a broader strategy to target interconnected providers in the proxy network market.

Google reports that the degradation of NetNut's proxy network has significantly reduced the available pool of compromised devices for its operator. The company warns that proxy operators, when faced with such disruptions, tend to purchase capacity from competitors, becoming resellers in the process. This underscores the need for continued efforts to disrupt the infrastructure of multiple interconnected providers to achieve a lasting impact in this dynamic ecosystem.