Google has struck again. On July 2, 2026, the company’s Threat Intelligence Group announced fresh action against NetNut, a residential proxy service also known as Popa. The move, carried out with the FBI, Lumen and several research partners, targeted infrastructure that turned more than two million consumer devices into unwitting exit nodes for cybercriminals and state-backed operators.
This latest effort follows the January 2026 takedown of IPIDEA, one of the largest such networks observed to date. In that earlier operation Google and its allies removed domains, pulled hundreds of apps from Google Play and reduced the pool of available devices by millions. The pattern is clear. Google intends to keep hitting these networks until their business model collapses. But the resilience of the ecosystem makes the task anything but simple.
Residential proxy services promise legitimate users the ability to route traffic through real consumer IP addresses. The pitch sounds harmless enough. Yet the same infrastructure routinely masks password-spray campaigns, credential stuffing, ad fraud and espionage. Attackers pay for access to these proxies precisely because the traffic looks ordinary. It comes from homes, not data centers. Detection becomes far harder.
NetNut populated its network through software development kits slipped into mobile apps, smart-TV software and streaming devices. Some gadgets arrived preloaded with the malicious code. Others tricked users who installed apps that quietly shared bandwidth in exchange for small payments. The result was the same. Ordinary households became part of a global botnet. Their internet connections served as launchpads for attacks while exposing devices on the local network to additional risk.
In a single week in June 2026, Google observed 316 distinct threat clusters using suspected NetNut exit nodes. The groups ranged from run-of-the-mill cybercriminals to espionage actors. They used the proxies to hide their true locations when logging into victim environments, managing their own command servers or spraying passwords across corporate directories. Google Cloud Blog detailed the activity and noted that unauthorized traffic passing through a compromised home device could let attackers pivot to other machines on the same Wi-Fi.
The disruption itself followed a familiar playbook. Google disabled accounts and services NetNut used for command and control, citing violations of its terms of service. Technical indicators on the SDKs and backend servers were shared with platform operators, law enforcement and researchers. Google Play Protect began warning users and disabling known malicious apps while blocking future installs. These steps, the company said, caused significant degradation and cut the available device pool by millions.
Yet the proxy business has proven adaptable. After the IPIDEA action, operators simply bought capacity from rivals and rebranded themselves as resellers. NetNut itself ran a large whitelabel program. Many popular proxy brands were quietly reselling access to its network, according to Google analysts. The January disruption of IPIDEA affected more than a dozen services, among them 922 Proxy, LunaProxy, PyProxy, IP2World, PIA S5 Proxy, 360Proxy, ABC Proxy, Cherry Proxy, Tab Proxy, Galleon VPN, Radish VPN, Door VPN and Asocks. Google Cloud Blog listed the brands and described how SDKs named Castar, Earn, Hex and Packet had been embedded in hundreds of applications.
That earlier operation also drew on partnerships with Spur, Lumen’s Black Lotus Labs and Cloudflare. Legal pressure forced the removal of storefront domains. More than 600 Android apps were removed from the Play Store. Over 7,400 command-and-control servers went offline. In the immediate aftermath the number of available IPs dropped sharply. But the market proved fluid. Operators pivoted. Some networks appeared to recover portions of their capacity by purchasing from competitors.
Public reporting added important color. Security journalist Brian Krebs linked the Popa botnet to a publicly traded Israeli firm, raising fresh questions about corporate oversight in the proxy supply chain. KrebsOnSecurity reported the connection in June 2026. Google confirmed the reporting and noted that NetNut components had also appeared inside variants of the Badbox 2.0 malware family. Other researchers documented NetNut traffic being used to seed Mirai-based DDoS bots. Reports from Synthient, Spur and Nokia Deepfield painted a consistent picture of lateral-movement risk inside home networks.
The consumer impact is direct and often invisible. A smart TV or streaming box quietly routing traffic for strangers can slow performance, trigger ISP blocks or expose the household to follow-on attacks. When that traffic is flagged as malicious, the legitimate owner may find their own accounts locked or their IP reputation damaged. And the incentives remain perverse. Some app developers receive payments based on how many users install the bandwidth-sharing SDK. The arrangement looks like easy money until the device owner discovers the hidden cost.
Google’s advice is straightforward. Avoid apps that pay for unused bandwidth. Stick to official stores. Keep Google Play Protect enabled. When buying connected devices, choose models from reputable manufacturers and verify they carry official Android certification. The company’s Android TV partner list and device-check instructions offer practical steps. But the warnings only go so far. Millions of low-cost streaming boxes and smart-home gadgets already circulate with preinstalled malware. The supply chain problem persists.
Industry observers have watched the proxy market expand rapidly. Demand now comes not only from cybercriminals but from large AI companies seeking residential IPs for data scraping and model training. That broader commercialization has drawn fresh regulatory and law-enforcement attention. The FBI issued a public service announcement in March 2026 urging consumers to guard against proxy enrollment. Bitsight’s research later mapped overlaps between residential proxy services and malware distribution networks. GreyNoise reported a persistent baseline of compromised residential IPs even after the IPIDEA action.
John Hultquist, chief analyst at Google, captured the challenge in an earlier statement on the IPIDEA operation. “By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.” The same logic applies to NetNut. Yet rugs can be replaced. The marketplace is interconnected. Operators share infrastructure. When one network shrinks, others absorb the traffic.
So the campaign continues. Google has signaled it will map how NetNut’s peers adapt and target additional infrastructure as needed. Coordination with platforms and ISPs remains central. Law enforcement pressure on the corporate entities behind these services is increasing. The January IPIDEA action showed what sustained effort can achieve. The July NetNut operation demonstrates that Google views this as a long-term fight rather than a one-off success.
Threat actors have already begun testing alternatives. Some are shifting toward fresh SDKs or different device types. Others simply buy capacity from surviving providers. The proxy economy rewards scale. Whoever controls the largest pool of residential IPs holds the advantage. Google’s repeated interventions aim to erode that advantage piece by piece.
For security teams the implications are concrete. Corporate defenses must account for traffic that appears to originate from residential addresses but actually comes from compromised consumer devices. Attribution grows harder. Rate limiting and behavioral analysis become more important. At the same time, organizations should scan their own networks for signs of proxy SDKs that might expose them to liability or performance drag.
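As an added illustration (not code from Google or from this article), the sketch below shows why per-source rate limiting misses a password spray routed through rotating residential exit nodes, and how counting failed accounts across all sources in a time window catches it. The event format, thresholds and sample data are assumptions constructed for the example; the addresses come from documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune against your own baseline).
PER_IP_LIMIT = 5                 # classic per-source failure threshold
WINDOW = timedelta(minutes=10)   # sliding window for the aggregate view
MIN_ACCOUNTS = 10                # distinct accounts failing inside the window
MAX_FAILS_PER_IP = 2             # a "quiet" source stays at or below this

def build_sample():
    """Constructed auth events: (timestamp, source IP, username, outcome)."""
    t0 = datetime(2026, 7, 2, 9, 0, 0)
    ev = []
    # Spray: 12 accounts, one failure each, every attempt from a new address.
    for i in range(12):
        ev.append((t0 + timedelta(seconds=20 * i), f"198.51.100.{10 + i}", f"user{i:02d}", "fail"))
    # A real user mistyping a password three times from one address.
    for i in range(3):
        ev.append((t0 + timedelta(seconds=5 * i), "192.0.2.7", "alice", "fail"))
    # A noisy single-source guesser, the case per-IP limits are built for.
    for i in range(6):
        ev.append((t0 + timedelta(seconds=300 + i), "203.0.113.50", "admin", "fail"))
    return sorted(ev)

def per_ip_alerts(events):
    """Sources whose own failure count reaches the per-IP limit."""
    fails = Counter(ip for _, ip, _, outcome in events if outcome == "fail")
    return sorted(ip for ip, n in fails.items() if n >= PER_IP_LIMIT)

def distributed_spray_alerts(events):
    """Windows where many accounts fail while each source stays quiet."""
    fails = [e for e in events if e[3] == "fail"]
    alerts, start = [], 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > WINDOW:
            start += 1
        window = fails[start:end + 1]
        per_ip = Counter(ip for _, ip, _, _ in window)
        quiet = [e for e in window if per_ip[e[1]] <= MAX_FAILS_PER_IP]
        accounts = {user for _, _, user, _ in quiet}
        if len(accounts) >= MIN_ACCOUNTS:
            sources = {ip for _, ip, _, _ in quiet}
            alerts.append({"end": fails[end][0], "accounts": len(accounts), "sources": len(sources)})
            start = end + 1  # begin a fresh window after alerting
    return alerts

if __name__ == "__main__":
    print("per-IP:", per_ip_alerts(build_sample()))
    print("distributed:", distributed_spray_alerts(build_sample()))
```

On the constructed data the per-IP rule flags only the single noisy source, while the aggregate rule flags the spray and ignores the user who mistyped a password.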
The broader lesson is simpler. Consumer devices are now infrastructure. A cheap streaming box or an obscure Android app can become part of an attack chain that reaches corporate networks halfway around the world. The distance between a living-room TV and a boardroom server has shrunk. And the companies that profit from blurring that line are finding their business model under sustained assault.
Google shows no sign of stopping. Each disruption buys time for defenders and raises the cost for operators. Whether the cumulative pressure eventually collapses the worst actors remains an open question. For now the campaign rolls on. One network at a time.

