
Google Degrades NetNut 2M-Device Proxy Network Tied to Alarum's Public Operations
Google degraded the NetNut residential proxy service spanning at least 2 million home devices, linking it to publicly traded Alarum Technologies. The operation reveals how proxy botnets blend commercial offerings with malware distribution and persist through reseller structures. Lasting impact requires simultaneous pressure across interconnected providers rather than isolated takedowns.
Google's action targeted NetNut, also called Popa, which routes attacker traffic through compromised home routers and IoT devices to mask origins. In June, 316 threat clusters used its nodes for credential stuffing and espionage. The network overlaps with Mirai and Badbox 2.0 infrastructure, giving exit nodes direct internal network access once traffic is accepted.
Synthient and Qurium traced live traffic from NetNut's commercial gateway to devices enrolled in Popa, confirming the shared pool. None of 20 examined apps displayed consent prompts.
Alarum Technologies, the NASDAQ-listed owner, denies botnet involvement but operates a reseller program that rebrands the same nodes under independent labels. This fits the pattern seen after the January IPIDEA takedown: operators lease capacity from rivals to rebuild.
NetNut's design, with pre-installed firmware on cheap hardware, makes full eradication unlikely without simultaneous pressure on multiple providers and the supply chain of affected devices. Future operations will require coordinated hits on reseller networks and firmware vendors rather than single-provider disruptions. Consumer devices enrolled without visible consent remain the persistent weak point.
GTIG: NetNut resellers will shift at least 25% of lost capacity to rival pools within 60 days.