What was taken down
On July 2, 2026 Google's Threat Intelligence Group, working with the FBI, Lumen, the Shadowserver Foundation and IRS Criminal Investigation, moved against NetNut, a residential proxy network it also tracks as Popa and estimates at no fewer than 2 million devices worldwide. Google disabled the accounts and services the network used for command and control, shared technical detail on its hidden SDKs with platform providers and researchers, and updated Play Protect to warn users and disable apps carrying the code. The FBI seized hundreds of domains, including netnut.com, which now shows a federal seizure banner. Reporting by Krebs on Security ties the service to Alarum Technologies, a company listed on Nasdaq, whose counsel said it takes the matter seriously and will cooperate fully with law enforcement. It is the second such action this year, after the IPIDEA network in January, and Google says the disruption has already cut the available device pool by millions.
The end of the suspicious IP
A residential proxy network rents out ordinary home internet connections, so an attacker's traffic arrives wearing the address of a family's living room rather than a foreign data center. That is precisely why it sells. In one June week Google counted 316 distinct threat clusters, criminal and espionage alike, using suspected NetNut exit nodes to mask where they came from, to run password spray attacks and, in some cases, to pivot from the proxy software into other devices on the same home network. For a European business this breaks a quiet assumption baked into a decade of security tooling: that risky traffic looks risky. When the login attempt against your accounts comes from a residential address in your own country, geo-blocking and IP reputation lists do not fire. The controls that still work are the ones that never trusted addresses in the first place: multi-factor authentication everywhere, rate limits per account rather than per IP, and alerting on behavior instead of origin.
Your devices are the product
The other half of the story is where those 2 million exits came from: software pre-installed on no-name smart TVs and streaming boxes before purchase, and SDKs hidden inside apps that pay their developers for your unused bandwidth. The owner of the device rarely knows they have become infrastructure, yet it is their address that surfaces in a victim's logs. That makes device procurement a security control, not a consumer preference: certified devices from reputable manufacturers, apps from official stores only, and a hard no to anything offering money for internet sharing. It also reframes the takedown itself. Enforcement is shifting from arresting individual hackers to dismantling the gray infrastructure markets they rent, and this one, researchers note, ran inside a publicly listed company. When crime rides commodity infrastructure, the discipline that protects you is the unglamorous one: know what is on your network, and assume an address proves nothing.
Read next: A Pulled Frontier Model Is Back Online · Your AI Agent Trusts a Poisoned Tool



