Google said it disrupted NetNut—also known as Popa—a large residential proxy network that investigators linked to malware delivery, command-and-control activity, and efforts by cybercriminal and espionage actors to mask their origin IP addresses while accessing victim environments. Working with the FBI, Lumen, and other partners, Google disabled accounts and services allegedly used by the operation, shared technical intelligence on NetNut SDKs and backend infrastructure, and used Google Play Protect against apps that incorporated the NetNut SDK. Google estimated the network relied on at least 2 million devices and said 316 threat clusters used suspected NetNut exit nodes during a single week in June.
The coordinated action also included FBI seizures of NetNut-associated domains, a move that parent company Alarum Technologies said disrupted part of the service and could materially affect operations and financial results if the outage persists. Google said the operation significantly degraded the network and cut its available device pool by millions, describing the move as part of a broader campaign against malicious proxy providers after an earlier action against IPIDEA. The disruption is being viewed as a blow not only to a botnet-linked service but also to the broader supply of residential proxy infrastructure relied on by multiple threat actors.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Alarum Technologies, NetNut's parent company, disclosed that FBI seizures of domains associated with NetNut disrupted part of its services. The company said a prolonged disruption could materially affect operations and financial results.
Google said it coordinated with the FBI, Lumen, and other partners to disable Google accounts and services allegedly used by NetNut, also known as Popa, for malware command-and-control and other unauthorized cyber activity. Google said the action significantly degraded the network and reduced its available device pool by millions.
During one week in June 2026, Google observed 316 distinct threat clusters using suspected NetNut exit nodes. Google also assessed NetNut as a residential proxy network involving at least 2 million devices.
Google previously carried out a disruption effort against the IPIDEA proxy network as part of a broader campaign against interconnected malicious proxy providers.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cyberveille.ch
Open sourceblog.alphahunt.io
Open sourcecyberveille.ch
Open sourcesdxcentral.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.