A takedown that reaches into the living room
On July 2, Google, the FBI, and the IRS Criminal Investigation division announced a coordinated disruption of NetNut, one of the largest commercial residential proxy networks in operation. The action seized netnut.com, the sister brand proxyjet.io, and divinetworks.com, a supplier that fed the service with static residential proxy servers contracted directly from internet providers. In parallel, Google disabled the accounts, apps, and software kits that stitched the network together, and flagged the offending code in Play Protect so that infected devices could be identified.
What makes this operation notable is not the raw device count, though 2 million compromised endpoints is substantial. It is where those devices live. The Popa botnet that powered NetNut did not colonize corporate servers or cloud instances. It burrowed into consumer electronics, the smart televisions and streaming dongles sitting in ordinary homes. That places the fight against proxy abuse squarely inside the consumer supply chain, a place enterprise security teams have almost no visibility into and even less control over.
How the Popa botnet actually worked
The mechanics are deceptively simple. NetNut and its partners embedded deceptive software development kits into inexpensive, off-brand Android devices and into unofficial applications such as unauthorized clients for popular streaming tools. When a consumer plugged the device in or installed the app, their home internet connection was quietly enrolled as a proxy exit node. The device kept working as advertised, so the owner had no reason to suspect anything, while their bandwidth was rented out to whoever paid NetNut for clean residential IP addresses.
Google's threat team was blunt about the purpose. As the company put it, these bad actors can use NetNut to mask their origin address when accessing victim environments. That masking is the entire product. A criminal running credential stuffing from a data center IP is trivial to block. The same criminal routing through a residential television in a suburban neighborhood looks, to most defenses, like a legitimate customer logging in from home. The proxy network exists to erase the single most useful signal defenders have.
The scale of the abuse the network enabled
According to Google's reporting, at least 316 distinct threat clusters used NetNut exit nodes in a single week in June 2026 alone. Their activities read like a catalog of everything that keeps a fraud team awake: password spraying against enterprise logins, credential stuffing with stolen username and password pairs, advertising fraud, and large-scale scraping of sensitive data. The service was not a niche tool for a handful of sophisticated actors. It was shared infrastructure for a broad marketplace of abuse.
That breadth is the point worth sitting with. A residential proxy provider is a force multiplier. It does not commit the fraud itself; it lowers the cost and raises the success rate for hundreds of unrelated operators at once. Taking one down does not stop any single campaign, but it raises the price of anonymity across the whole ecosystem. Security researcher Benjamin Brundage observed that the disruption would meaningfully hurt cybercriminals, especially coming after the earlier takedown of a competitor.
A publicly traded company at the center
The most awkward detail is corporate. NetNut was operated by Alarum Technologies, an Israeli company listed on the Nasdaq under the ticker ALAR. This was not a shadowy operation run from an anonymous bulletproof host. It was a regulated, publicly traded firm selling proxy access as a legitimate data collection and web scraping service. Legal counsel for the company said it would fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated.
That posture, cooperation rather than denial, reflects the genuine ambiguity of the residential proxy business. Providers routinely argue that they sell a neutral tool with lawful uses in ad verification, price comparison, and market research. Regulators and platform owners increasingly disagree, at least about how the underlying nodes are acquired. When a service is built on millions of devices whose owners never consented, the lawful use case does little to change the character of the network itself.
Why residential proxies break enterprise defenses
For most organizations, the reflex defense against automated abuse is address reputation. Block or challenge traffic from known data centers, hosting providers, and flagged ranges, and a large share of unsophisticated attacks disappears. Residential proxy networks are engineered specifically to defeat that reflex. The exit addresses belong to real consumer broadband accounts with clean histories, so they sail past the reputation filters that stop cruder attacks cold.
The practical consequence is that IP-based defenses degrade quietly over time. Teams that rely on them may believe their bot problem is under control while the successful attacks simply migrate to residential exit nodes and vanish from the metrics. The durable answer is behavioral. Device fingerprinting, velocity analysis, and anomaly detection that look at how a session behaves, rather than merely where it originates, are the only signals a residential proxy cannot cheaply launder away.
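The contrast between address-keyed and behavior-keyed controls can be made concrete with a short detection sketch. This is an added example, not code from Google or from the original article: it runs an IP-keyed rate limit and a fingerprint-keyed velocity rule over the same constructed login events. The event fields, the thresholds, and the `device_fp` value (assumed to be computed upstream by whatever fingerprinting the site already uses) are all assumptions.

```python
from collections import defaultdict, namedtuple

Login = namedtuple("Login", "ts ip ip_class device_fp username ok")

def sample_events():
    """Constructed login events, not real data (IPs are documentation ranges)."""
    # Stuffing run through residential exits: new IP per attempt, same client.
    bot = [Login(1000 + 5 * i, f"198.51.100.{i + 1}", "residential",
                 "fp-bot", f"user{i}", i == 7) for i in range(12)]
    # Ordinary customers: one device, one account, an occasional retry.
    humans = [
        Login(1003, "203.0.113.10", "residential", "fp-alice", "alice", False),
        Login(1010, "203.0.113.10", "residential", "fp-alice", "alice", True),
        Login(1020, "203.0.113.22", "residential", "fp-bob", "bob", True),
    ]
    return sorted(bot + humans)

def flag(events, key, value, window, limit):
    """Return keys that show more than `limit` distinct values within any
    `window`-second span (sliding window over each key's events)."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[key(ev)].append(ev)
    flagged = set()
    for k, evs in by_key.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:
                start += 1
            if len({value(e) for e in evs[start:end + 1]}) > limit:
                flagged.add(k)
                break
    return flagged

def ip_keyed(events):
    # Reputation-style control: attempts per source IP. Every event is distinct.
    return flag(events, lambda e: e.ip, lambda e: e, window=60, limit=5)

def behavior_keyed(events):
    # Velocity per device fingerprint: distinct accounts and distinct exit IPs.
    accounts = flag(events, lambda e: e.device_fp, lambda e: e.username, 60, 3)
    hops = flag(events, lambda e: e.device_fp, lambda e: e.ip, 60, 3)
    return accounts | hops

if __name__ == "__main__":
    evs = sample_events()
    print("IP-keyed rule flags:      ", ip_keyed(evs))
    print("Behavior-keyed rule flags:", behavior_keyed(evs))
```

Every address in the sample is classed as residential and none exceeds the per-IP limit, so the address-keyed rule sees nothing, while the fingerprint-keyed rule isolates the one client that touched twelve accounts from twelve exits in under a minute.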
What security leaders should take from this
The immediate action is unglamorous but real: revisit any control that treats a residential IP as inherently trustworthy. Rate limits, step-up authentication triggers, and fraud rules keyed to address reputation should all be reviewed on the assumption that a determined attacker can present as any home in the country. Where step-up authentication is currently skipped for residential traffic, that exemption is now a liability rather than a convenience.
The broader takeaway is about dependency. Enterprise security increasingly rests on the integrity of a consumer device supply chain that no single company governs. This takedown was possible only because a platform owner with deep visibility, Google, partnered with law enforcement that could seize infrastructure. That model works, but it is reactive and it does not scale to every provider. The proxy market has already shown it treats each seizure as a temporary setback, which means defenders should plan for the next NetNut, not celebrate the last one.



