Working with the FBI and industry partners, Google has “seriously degraded” a large malicious residential proxy network called NetNut that enabled hackers to hide their activity online to mount cyberattacks.
By connecting to the Internet via home devices such as PCs or smart TVs, NetNut helped to disguise the malicious activity as online traffic from real users so they won’t be blocked by cyber defences.
NetNut is considered one of the largest and most popular residential proxy networks, with an estimated two million devices distributed worldwide, according to the Google Threat Intelligence Group (GTIG) last week.
Together with Lumen, Shadowserver and the FBI in the United States, Google has now disrupted this key infrastructure used by hackers to secretly prepare for an attack.

As part of the recent operation, Google dismantled Google accounts and associated services used by NetNut for malware command-and-control (C2) activity, which the company said violated its user policy.
Google also shared technical intelligence on NetNut software development kits and backend infrastructure with platform providers, law enforcement agencies and research firms to support wider enforcement efforts.
In addition, Google’s Play Protect, security protection that is built into Android, will warn users and disable applications that have NetNut software development kits (SDKs), and protect against future installation attempts.
Google expects that these actions will degrade NetNut’s proxy network and business operations, reducing the available pool of devices for the proxy operator by millions.
The disruption follows Google’s January 2026 action against IPIDEA proxy network, believed to be one of the largest residential proxy networks in the world. According to the company, IPIDEA’s proxy infrastructure is part of a digital ecosystem leveraged by malicious actors.
Residential proxy networks allow customers to route traffic through Internet service provider-owned IP addresses, making malicious activity appear as though it is coming from ordinary home users.
Such networks are built by enrolling code running on home devices on a malicious network as exit nodes.
In some instances, this malware is pre-installed before purchase, or unwittingly downloaded and installed by users.
Google warns that this can create serious risks to device owners, whose home IP addresses can be used by attackers as a launchpad for hacking or other unauthorised activities. Their legitimate traffic can also be flagged as suspicious or blocked by service providers.
In one week in June 2026, Google observed 316 distinct threat clusters using suspected NetNut exit nodes, which included cybercriminal and espionage groups.
Consumers should be wary of applications that offer payment in exchange for unused bandwidth or “sharing your Internet,” as these may be used by malicious proxy networks to expand its network and open security vulnerabilities on the device’s home network, according to Google.
Users are advised to download apps only from official app stores, review permissions for third-party virtual private networks (VPNs) and proxies, and keep Google Play Protect enabled.
They are also encouraged to buy connected devices only from reputable manufacturers and to check that their Android devices are Play Protect-certified.
Despite the latest disruptions, Google expects the residential proxy industry to continue to grow rapidly, with more work required to combat malicious residential proxy networks.
The company encourages mobile platforms, Internet service providers, and other technology platforms to continue sharing intelligence and to take direct action to block malicious C2 infrastructure.
“While point-in-time disruptions are a critical tool to protect our users, continued and coordinated effort is needed to reduce malicious proxy networks in the long run,” the company said in a blogpost.
