FBI and Google Disrupt NetNut Residential-Proxy Network Spanning Two Million Devices
A scale-significant proxy-network takedown — law-enforcement coverage and defender awareness this week.
A coordinated FBI and Google action degrades one of the larger commercial residential-proxy networks — defender-relevant law-enforcement coverage this week.
WASHINGTON, D.C. — The FBI and Google announced on approximately July 3, 2026 a coordinated disruption of NetNut, a commercial residential-proxy network that reporting describes as reportedly spanning approximately two million devices, together with a linked botnet that Krebs on Security refers to as the POPA botnet. Google's threat-intelligence team characterized the operation as having caused significant degradation to NetNut's proxy infrastructure and its available pool of devices, and law-enforcement action accompanied the technical disruption. The announcement is a law-enforcement and platform story rather than a newly disclosed vulnerability, and its relevance for defenders lies in what a residential-proxy network is and why disrupting one matters.
Residential-proxy networks route traffic through large numbers of ordinary home and consumer devices so that the traffic appears to originate from legitimate residential IP addresses. That property is precisely what makes them attractive to a broad range of actors, and it is why the disruption reads as a defender-relevant event even though no patch or indicator list attaches to it. The action is framed as a continuation of Google's earlier residential-proxy analysis — the same threat-intelligence thread The CyberSignal covered in its report on Google's threat-intelligence residential-proxy disruption — and it lands amid a run of 2026 operations targeting the anonymity infrastructure that underpins cybercrime.
What the FBI and Google Announced
According to the announcement and accompanying reporting, the FBI and Google carried out a coordinated effort to disrupt NetNut, described as one of the more prominent commercial residential-proxy networks, and a linked botnet that Krebs on Security calls the POPA botnet. Google's threat-intelligence team said the coordinated actions caused significant degradation to NetNut's proxy network and its business operations, reducing the available pool of devices by a substantial margin. The Register reported the action under the headline "NetNut cracked as Google and FBI target 2 million-device botnet", and Infosecurity Magazine and Krebs on Security independently covered the disruption the same day.
The scale figure attached to the network is reportedly approximately two million devices. The CyberSignal preserves that hedged framing deliberately: the two-million figure is the reported span of the network, not a confirmed count of devices seized or remediated, and the two numbers should not be conflated. Google's own language emphasized degradation of the usable device pool rather than a claim of complete takedown, which is the more accurate way to read a disruption of infrastructure that is distributed across large numbers of consumer devices worldwide.
A residential-proxy network, in defender terms, is a service that sells access to traffic routed through everyday home and consumer devices. Because the exit traffic appears to come from ordinary residential IP addresses, it blends in with normal consumer activity and is difficult to distinguish from legitimate users at the network layer. That is the property that makes such networks valuable to whoever rents them, and it is the property that a disruption is meant to erode. The announcement is therefore best understood as a reduction in the capacity of a widely used anonymization layer rather than as a single-vulnerability fix.
Continuation of Google's Residential-Proxy Threat Analysis
The NetNut disruption is explicitly framed as a continuation of Google's earlier residential-proxy work rather than a standalone event. The CyberSignal covered that earlier analysis in its report on Google's threat-intelligence residential-proxy disruption, and the two pieces belong to the same investigative thread: a sustained effort to map and degrade the commercial proxy infrastructure that sits beneath a large share of anonymized malicious traffic. Reading them together, the through-line is that residential-proxy networks are being treated as strategic infrastructure worth disrupting, not merely as a nuisance to be filtered.
That framing matters because residential-proxy abuse is not tied to a single actor or campaign. Google's reporting has consistently described these networks as shared infrastructure used by many distinct clusters of activity, spanning both financially motivated cybercrime and state-aligned espionage. Disrupting the infrastructure therefore imposes friction across a wide swath of the threat landscape at once, which is a different and often more durable form of impact than taking down any one group's tooling. The continuation framing signals that defenders should expect this to be an ongoing line of effort rather than a one-off.
For security teams, the practical value of following this thread is calibration. Understanding that a named proxy network has been degraded helps teams reason about the anonymization layer their adversaries rely on, and it reinforces that residential IP space cannot be treated as inherently trustworthy. The disruption hands defenders no indicator list, but it updates the picture of the shared abuse infrastructure — and how much of it has just been made less reliable.
Sector-Advisory Implications for Residential-Proxy Abuse
For defenders across sectors, the durable lesson is not about NetNut specifically but about the category of abuse it represents. Residential-proxy traffic is engineered to defeat the assumption that traffic from a home broadband address is benign, and that assumption is baked into many detection and access-control decisions. Krebs on Security, in its report headlined "FBI Seizes NetNut Proxy Platform, Popa Botnet", underscored how these services are marketed and monetized, and why the traffic they produce is so hard to separate from ordinary consumer activity.
The advisory implication is that IP reputation alone is a weak control against this class of traffic. Because exit nodes are genuine residential addresses, blocklists lag and false positives against real customers are a constant risk. Defenders who rely on geolocation or residential-versus-datacenter heuristics as a primary signal should treat those signals as necessary but insufficient. The more resilient posture combines behavioral analysis — velocity, session anomalies, and account-level patterns — with strong authentication, so that a login arriving from a plausible residential IP still has to clear controls that a proxied attacker cannot easily satisfy.
A disruption like this one narrows the available supply of such proxies, which is a real and welcome effect, but it does not eliminate the category. Residential-proxy capacity has repeatedly regenerated after enforcement actions, and the economics that drive it — a market for anonymized, residential-looking traffic — remain intact. Security teams should therefore treat the NetNut degradation as a temporary reduction in adversary capability rather than a permanent removal of the threat, and keep proxy-aware defenses in place regardless of any single network's status.
International Coordination and the Broader Takedown Trend
The NetNut action fits a broader 2026 pattern of coordinated operations aimed at the anonymity and monetization infrastructure behind cybercrime. It follows on the heels of the Dutch Politie and NCSC takedown of the Asocks residential-proxy network, which reached roughly 17 million devices, and it sits alongside enforcement actions such as Europol's first takedown of a VPN service used to shield cybercrime. Together these operations describe a sustained campaign against the layers that let attackers hide the origin of their traffic.
That trend extends to the demand side and the supply chain of cybercrime as well. Recent operations include Europol's Operation PowerOFF action against roughly 75,000 DDoS-for-hire users and the second phase of Operation Endgame, which took down some 300 servers and 20 operators of the ransomware supply chain. The NetNut disruption is another entry in that ledger, targeting the anonymization layer rather than a specific malware family or crew.
On the question of who coordinated with whom, The CyberSignal is deliberately conservative. The precise roster of international partners involved in the NetNut disruption is not confirmed at disclosure, and this piece does not assert a list. What is clear from the coverage is that the action combined a platform-side technical disruption led by Google's threat-intelligence team with law-enforcement involvement from the FBI. The pattern of platform-plus-law-enforcement coordination is itself the notable structural feature, and it is consistent with how the year's other large infrastructure disruptions have been assembled.
Scope and Impact
The confirmed scope of the NetNut disruption is bounded by what the announcement and same-day reporting actually stated. Google's threat-intelligence team described significant degradation of NetNut's proxy network and a substantial reduction in its usable device pool; The Register, Infosecurity Magazine, and Krebs on Security corroborated the core action, including the involvement of the FBI and the association with a linked botnet that Krebs refers to as POPA. The network is reportedly approximately two million devices in span. These are the load-bearing facts.
The impact for defenders is indirect but meaningful. A degraded residential-proxy network means fewer reliable exit nodes for actors who were routing traffic through it to disguise password-spray attempts, account-takeover activity, and other operations behind residential IP space. That reduction raises the cost and lowers the reliability of a specific anonymization option. It does not, however, produce a list of hosts to block or a patch to apply; the benefit accrues at the ecosystem level as a shared piece of abuse infrastructure is made less dependable.
It is equally important to be precise about what the impact is not. The disruption is not a claim that two million devices were seized or cleaned, nor that the network has been permanently eliminated. Consumer devices enrolled in such networks remain in homes worldwide, and the market pressure that created NetNut persists. The most accurate reading is a significant but partial degradation of one prominent network within a category that has shown the capacity to regenerate.
Open Questions
Several material details are unresolved at the time of disclosure. The announcement does not, in the reporting available, confirm an exact count of devices seized or remediated as distinct from the reportedly two-million span of the network; those are different figures and should not be merged. The CyberSignal preserves the approximate framing accordingly and will not substitute a precise seizure number that has not been stated.
The identities of the operators behind NetNut are not asserted here. Reporting has referenced commercial ties in the broader residential-proxy market, but The CyberSignal does not name operators or attribute the network to specific individuals or entities absent confirmation. Likewise, the full roster of coordinating international partners is not confirmed at disclosure, and the total value of any asset seizures — domains, servers, or funds — is not established in the coverage reviewed. These remain open items that may be clarified as court documents or follow-on statements emerge.
The reporting at this stage rests on the FBI and Google announcement and its same-day coverage by The Register, Infosecurity Magazine, and Krebs on Security. That posture is normal for a freshly announced disruption and is not a reason to doubt the core facts, but it does mean the specifics — exact devices affected, named operators, the partner roster, and any total seizures — may be refined as the action is documented further.
The CyberSignal Analysis
The reported facts above are the FBI and Google's; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.
Signal 01 — Residential IP Space Is Not a Trust Signal
The most durable lesson of the NetNut disruption is one that predates it: an address that looks residential is not, by itself, evidence of a legitimate user. Residential-proxy networks exist precisely to manufacture that appearance, routing malicious traffic through genuine home devices so it clears filters that treat consumer broadband as benign. Our reading is that any control leaning on residential-versus-datacenter classification as a primary signal is building on sand, because the whole point of these networks is to erase that distinction.
The actionable interpretation is to demote IP reputation to a supporting role and lean on behavior and authentication instead. A login from a plausible home IP should still have to clear velocity checks, session-anomaly detection, and strong authentication that a proxied attacker cannot easily satisfy. The NetNut degradation reduces the supply of one such proxy network, but the defensive posture it argues for is the one that holds regardless of which network is up: assume residential space can be hostile.
Signal 02 — Disrupting Shared Infrastructure Beats Chasing Actors
What makes this action strategically interesting is that it targets infrastructure used by many actors at once rather than any single crew. Google's own framing describes residential-proxy networks as shared services rented across a wide range of criminal and espionage clusters. Our assessment is that degrading that shared layer imposes friction broadly — a different and often more durable form of impact than dismantling one group's tooling, because it does not depend on attributing or arresting any specific operator.
For defenders and policymakers, the forward-looking read is that infrastructure-level disruption is becoming a preferred lever precisely because it scales. The same logic connects NetNut to the year's other takedowns of proxies, VPNs, and DDoS-for-hire platforms: hit the common utility, and the cost rises for everyone renting it. The watch item is durability — whether the degraded capacity stays down or regenerates, which is the question that determines how much lasting value the disruption delivers.
Signal 03 — Preserve the Hedged Numbers; Capacity Regenerates
The reporting says reportedly approximately two million devices, and Google says significant degradation, not eradication. Those hedges are the story, not filler. Our view is that the gap between the span of a network and the count of devices actually seized or cleaned is exactly where overclaiming happens, and defenders are better served by holding the distinction than by rounding it into a cleaner headline. A network can be badly degraded while millions of enrolled consumer devices remain live in homes worldwide.
The practical consequence is to treat the disruption as a temporary reduction in adversary capability rather than a permanent removal of the threat. Residential-proxy capacity has regenerated after prior enforcement actions because the market that demands it is intact. We would keep proxy-aware defenses fully in place, on the assumption that supply will be rebuilt — and that the next network will look just as residential as the last.