FlashProxy Logo

FlashProxy

TechnologyProxiesCase StudiesIndustry Insights

Google and the FBI Just Took Down NetNut's Residential Proxy Botnet: Here's What It Means for the Industry

Google and the FBI Just Took Down NetNut's Residential Proxy Botnet: Here's What It Means for the Industry

Google and the FBI took down NetNut's 2M-device residential proxy botnet. Here's what it means for the proxy industry and how to choose an ethical provider.

F
FlashProxy Team
July 2, 2026
6 min read

Today, Google's Threat Intelligence Group announced that it worked with the FBI, Lumen, and other partners to take down the NetNut residential proxy network. NetNut, also known as "Popa," is a botnet that hijacked over two million consumer devices around the world. This comes just six months after Google's takedown of the IPIDEA proxy network in January 2026.

The message is pretty clear: if your proxy infrastructure runs on compromised devices, you're on borrowed time.

At FlashProxy, we think this crackdown is long overdue.

What Actually Happened

Google shut down the accounts and cloud services that NetNut was using for malware command and control. They shared technical intelligence on NetNut's SDKs and backend infrastructure with law enforcement and platform providers, and made sure Google Play Protect now blocks any app that contains NetNut's code. The result is that millions of devices have been cut off from NetNut's network.

So how did NetNut build a network of two million devices in the first place? By distributing SDKs targeting everyday home devices like smart TVs and streaming boxes. Some of these devices came pre-loaded with proxy malware before they even left the factory. Others got infected after users installed apps that had NetNut's code hidden inside. Either way, the people who owned these devices had no idea their home internet connections were being sold as commercial proxy exits.

To give you a sense of scale: in just one week in June 2026, Google observed over 300 distinct threat clusters routing traffic through suspected NetNut exit nodes. That includes cybercriminal groups and state-sponsored espionage operations using these IPs to hide their tracks, break into victim environments, and run credential stuffing attacks.

The Whitelabel Problem Is Bigger Than NetNut

The most important part of Google's report isn't about NetNut alone. It's about how deep the rot goes.

Google said with high confidence that many popular residential proxy brands are whitelabeling the NetNut botnet. In plain terms: they're reselling access to a network of hijacked devices under their own brand name, and their customers have no idea.

This is how the residential proxy underground actually works. When a provider's own botnet gets degraded, whether from a law enforcement takedown, ISP blocking, or just devices going offline, they don't shut down. They buy capacity from other botnets and keep selling. Everyone becomes a reseller of everyone else. The whole ecosystem is tangled together.

What this means for businesses buying residential proxies is simple: the brand name on your dashboard might have nothing to do with where your traffic is actually going.

Why Proxy Buyers Should Care

If you're using residential proxies for web scraping, ad verification, market research, or competitive intelligence, here's why this matters to you directly.

You might have legal exposure. When your traffic routes through devices that were enrolled without the owner's consent, you're part of a chain that starts with unauthorized access to consumer hardware. "I didn't know my provider was using malware-infected smart TVs" is not a strong legal defense, and it's getting weaker as regulators pay more attention to this space.

Your infrastructure is fragile. Botnet-sourced networks are unstable by nature. They depend on devices staying online, staying infected, and not getting cleaned up. Google just proved, for the second time in six months, that it can degrade these networks at scale. If your business depends on residential proxy access, you don't want to be building on top of a botnet.

Your IPs carry baggage. Google's report directly links residential proxy botnets to espionage groups, DDoS infrastructure, and credential stuffing campaigns. If your provider's network overlaps with theirs, the IP addresses you're using have that history attached. That means higher block rates, more CAPTCHAs, and the risk of showing up in threat intelligence databases alongside actual threat actors.

How FlashProxy Does Things Differently

FlashProxy has never operated a botnet. We've never distributed SDKs designed to silently enroll consumer devices into our network, and that's not going to change.

Our residential proxy infrastructure is built on consent-based sourcing. Every device in our network participates voluntarily, with full transparency about what the software does and how bandwidth is used. This isn't marketing language. It's a fundamental architectural decision that shapes how we onboard supply-side partners and how we structure our SDK agreements.

We also run a diversified infrastructure across residential, datacenter, ISP, mobile, and IPv6 proxies in 190+ countries. Our customers aren't dependent on a single residential network that could get wiped out by a law enforcement operation, because our network isn't built on compromised devices.

When Google warns consumers to be "extremely wary" of apps that offer payment for "unused bandwidth" or "sharing your internet," they're describing a supply model that we've intentionally stayed away from. We're building for long-term durability and compliance, not for scale at any cost.

What Comes Next

Google has made it clear that this isn't a one-off. The IPIDEA takedown in January and today's NetNut operation are part of a pattern, and they've said more disruptions are coming. They've also called on mobile platforms, ISPs, and tech companies to share intelligence and take action against malicious proxy infrastructure.

Here's what we expect to see:

Harder questions from buyers. Enterprise proxy customers are going to start asking where IPs actually come from. Providers who can't show consent-based sourcing are going to lose deals to those who can.

Market consolidation. As botnet networks get degraded, the smaller operators who were reselling that capacity will either shut down or scramble to find new sources. The market is going to consolidate around providers with legitimate infrastructure.

More regulatory pressure. The FBI co-led this operation. That tells you proxy botnets are being treated as a criminal infrastructure problem, not just a security nuisance. Regulation will follow.

Declining effectiveness of botnet proxies. IP reputation databases are already flagging residential proxy exit nodes. As more intelligence gets shared, botnet-sourced proxies will see higher block rates, heavier fingerprinting, and less value for the people using them.

How to Evaluate Your Proxy Provider After Today

If this news makes you want to take a closer look at who you're buying proxies from, here are the questions worth asking:

How does the provider source its residential IPs? If you get vague answers about "peer-to-peer networks" or "bandwidth sharing communities" without any real documentation of informed consent, that should concern you.

Can they prove their supply-side participants opted in knowingly? Real consent means more than a buried clause in an app's terms of service. It means the user understands they're sharing their IP address and bandwidth with a commercial proxy network.

Do they operate their own infrastructure, or are they reselling? Google's report makes it clear that whitelabeling is everywhere. If your provider can't tell you exactly where your traffic is routing, there's a good chance they don't know either.

How are they responding to today's news? Silence says a lot. Providers with clean infrastructure have no reason to avoid this conversation.

We're happy to answer all of these questions for anyone evaluating FlashProxy. When your infrastructure is built the right way, transparency isn't a risk.

netnutnetnut proxywhat happened to netnutnetnut down