
Google Dismantles NetNut-Linked “Popa” Residential Proxy Botnet That Hijacked 2 Million Home Devices

dark6 3 July 2026


Google, working alongside the FBI, Lumen Technologies, and other industry partners, has taken action to dismantle the NetNut residential proxy network, also tracked as “Popa,” which is estimated to have compromised at least 2 million home devices worldwide.

Google disabled Google accounts and services that NetNut used for malware command-and-control, a direct violation of its Terms of Service and Acceptable Use Policy. The company also shared technical intelligence on NetNut’s SDKs and backend C2 infrastructure with law enforcement, platform providers, and research firms to drive broader ecosystem enforcement. Google Play Protect was updated to automatically warn users and disable applications bundled with NetNut SDKs, extending protection against future installation attempts on Android devices.

Linked to a Publicly Traded Company

Independent investigative reporting by KrebsOnSecurity has linked the Popa botnet directly to NetNut, a subsidiary of the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR).

Popa functions as a plugin component of the larger Vo1d botnet, which targets unofficial Android-based TV boxes bundled with pirated streaming apps such as CRICFy, DooFlix, and Flixoid. Security firm Qurium traced Popa’s control infrastructure to domains including ninjatech.io, linked to Moishi Kramer, a former NetNut VP of R&D who has denied current operational control over the infrastructure.

Proxy-tracking firm Synthient independently analyzed Popa’s SDK and found outbound traffic conclusively tied to NetNut clients, stating with “high confidence” that Popa devices actively forward NetNut proxy traffic.

Scale of the Network

  • At least 2 million compromised home devices worldwide, according to Google’s estimate
  • Lumen’s Black Lotus Labs estimates the botnet cycles through 1.5 to 2.5 million distinct IP addresses daily
  • Roughly 250-300 controller domains direct the network
  • Nokia Deepfield researchers suggest the true device population could be significantly higher based on relay-node traffic sampling
  • In a single week in June 2026, Google’s Threat Intelligence Group observed 316 distinct threat clusters – including cybercriminal and espionage groups – leveraging suspected NetNut exit nodes for password spraying and infrastructure obfuscation

Company Response

Alarum Technologies has disputed the “botnet” characterization, asserting that NetNut’s SDKs facilitate consensual bandwidth-sharing and that the company enforces KYC and misuse-monitoring policies. However, proxy-tracking service Spur countered that NetNut lacks meaningful corporate verification, allowing individuals to purchase proxy access with minimal validation.

How Devices Get Compromised

Home devices become unwitting proxy nodes either through pre-installed malware or hidden SDKs bundled in free apps, exposing other devices on the same network to external threats, including Mirai-variant DDoS infections. Google noted that the residential proxy industry is deeply interconnected, with operators frequently reselling capacity from rivals when their own infrastructure is disrupted – a resilience pattern already observed following Google’s January 2026 disruption of the IPIDEA proxy network.

Why This Matters for Defenders

Residential proxy networks like NetNut/Popa are increasingly used to mask the true origin of credential-stuffing, password-spraying, and account-takeover campaigns, since traffic appears to originate from ordinary home IP addresses rather than known hosting-provider ranges. Security teams that rely on IP reputation or geolocation-based blocking should treat this takedown as a reminder that residential-proxy-sourced traffic can still carry malicious intent, and should combine IP-based defenses with behavioral detection to catch abuse that blends in with legitimate consumer traffic.
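The behavioral-detection point above is easiest to see on data. The following Python script is an added example, not code from the article or from any of the companies it names; it runs over a constructed authentication log (documentation-range IPs, made-up usernames) and compares a classic per-IP spray rule with a time-window rule that keys on the set of targeted accounts instead of the source address. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Password-spray detection that does not depend on source-IP reputation.

Added example (not from the article). Compares two rules over the same log:
  * source_spray   - the usual per-IP rule: one address, many accounts.
  * windowed_spray - a behavioral rule: many accounts failing inside one time
                     window, each touched only once or twice, regardless of
                     how many source addresses the attempts came from.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical): eight accounts each fail once within
# four minutes, spread over six home-looking source IPs so no single address
# stands out. The last two lines are an ordinary user mistyping a password
# once and then logging in successfully.
SAMPLE_LOG = """\
2026-06-10T08:00:01Z FAIL user=alice src=203.0.113.10
2026-06-10T08:00:14Z FAIL user=bob src=198.51.100.22
2026-06-10T08:00:40Z FAIL user=carol src=203.0.113.10
2026-06-10T08:01:05Z FAIL user=dave src=192.0.2.77
2026-06-10T08:01:30Z FAIL user=erin src=198.51.100.9
2026-06-10T08:02:02Z FAIL user=frank src=203.0.113.55
2026-06-10T08:02:45Z FAIL user=grace src=192.0.2.140
2026-06-10T08:03:10Z FAIL user=heidi src=198.51.100.22
2026-06-10T08:20:00Z FAIL user=ivan src=192.0.2.5
2026-06-10T08:20:30Z OK user=ivan src=192.0.2.5
"""

# Assumed line layout: ISO-8601 UTC timestamp, FAIL/OK, user=..., src=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, result, user, src) tuples.

    Malformed lines are skipped rather than raising, so a partially garbled
    log still yields the events that can be read.
    """
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        # fromisoformat accepts a 'Z' suffix only on Python 3.11+; normalise it.
        ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
        events.append((ts, match["result"], match["user"], match["src"]))
    return events


def source_spray(events, min_users=5):
    """Per-IP rule: report any source that failed against >= min_users accounts.

    Returns {src: sorted list of targeted users}. Traffic relayed through a
    residential proxy pool rarely trips this, because each exit IP is reused
    only a handful of times.
    """
    users_by_src = defaultdict(set)
    for _, result, user, src in events:
        if result == "FAIL":
            users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_users}


def windowed_spray(events, window_seconds=600, min_users=5, max_per_user=2):
    """Behavioral rule keyed on the time window, not the source address.

    A window is flagged when at least min_users distinct accounts failed and
    no single account failed more than max_per_user times (i.e. the activity
    stays under per-account lockout thresholds). The finding also reports how
    many sources were involved and the busiest source, so an analyst can see
    directly that a per-IP block list would not have caught it.
    """
    buckets = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            buckets[int(ts.timestamp()) // window_seconds].append((user, src))

    findings = []
    for bucket, fails in sorted(buckets.items()):
        per_user, per_src = defaultdict(int), defaultdict(int)
        for user, src in fails:
            per_user[user] += 1
            per_src[src] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
            findings.append({
                "window_start": start.isoformat(),
                "failures": len(fails),
                "distinct_users": len(per_user),
                "distinct_sources": len(per_src),
                "max_per_source": max(per_src.values()),
            })
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("per-IP rule fired on:", source_spray(evts) or "nothing")
    for finding in windowed_spray(evts):
        print("spray window:", finding)
```

On the sample data the per-IP rule returns nothing, while the window rule flags the 08:00 window with eight targeted accounts across six source addresses and a busiest source of two attempts. In production the same aggregation would run per tenant or per identity provider with thresholds tuned to the baseline failure rate, and the source-IP fields kept as enrichment rather than as the trigger.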

Google’s Recommendations

  • Avoid apps that promise payment in exchange for “unused bandwidth”
  • Stick to official app stores rather than sideloaded APKs
  • Verify Play Protect certification status before purchasing connected devices such as smart TVs and streaming boxes

Google is calling for continued cross-industry intelligence sharing and coordinated infrastructure blocking to achieve lasting impact against what it describes as a fluid, resale-driven threat ecosystem, where popular proxy brands may in fact be repackaging the same underlying botnet infrastructure under different names.
