News

Google Disrupts NetNut Residential Proxy Network in Collaboration with FBI

Google and the FBI have disrupted NetNut, a massive residential proxy network, reducing its pool of usable devices by millions.

Google, working with the FBI and other partners, has significantly degraded the NetNut proxy network, which turns home devices into rented relays for malicious traffic. The operation reduced the network's usable devices by millions, highlighting the ongoing challenge of combating such botnets.

Google Disrupts NetNut Residential Proxy Network in Collaboration with FBI

Google, in collaboration with the FBI, Lumen, and other partners, has significantly degraded NetNut, one of the largest residential proxy networks. The operation, led by Google's Threat Intelligence Group (GTIG), reduced the network's pool of usable devices by millions, marking a major blow to a network known for routing malicious traffic through unsuspecting home devices.

What Is NetNut?

NetNut, also known as Popa, is a sprawling network that operates by turning home devices—such as smart TVs and streaming boxes—into rented relays for other people's traffic. With an estimated 2 million devices under its control, NetNut allows attackers to route their traffic through residential internet connections, making it appear as ordinary home browsing rather than suspicious datacenter traffic.

How It Works

Residential proxy networks like NetNut sell access to real home internet addresses, enabling attackers to mask their true location. This is achieved by installing code on home devices, either through pre-installed software on cheap hardware or via free apps that secretly bundle the proxy software. Once operational, these devices become 'exit nodes,' allowing external traffic to flow through them.

Google warns that such exit nodes not only facilitate malicious activities but also expose home networks to further attacks. In June, GTIG identified 316 distinct threat clusters using NetNut exit nodes, including cybercriminal and espionage groups conducting password-guessing attacks.

The Company Behind NetNut

Unlike most proxy botnets, NetNut is linked to a publicly traded company. Researchers have tied NetNut to Alarum Technologies (NASDAQ: ALAR), an Israeli firm that owns the proxy provider. Alarum has rejected the 'botnet' label, claiming its software is used for consented bandwidth-sharing. However, researchers found no evidence of user consent in over 20 apps tested.

Challenges in Takedown

Disrupting NetNut is complicated by its reseller program, which allows other companies to sell access to its network under different brand names. Google describes the operation as a 'degradation' rather than a complete takedown, noting that such networks often prove resilient by shifting capacity to rival providers.

What Consumers Should Do

Consumers are advised to avoid apps that offer payment for 'unused bandwidth' or 'internet sharing,' as these are common tactics used by proxy networks to grow. Additional recommendations include:

  • Sticking to official app stores and scrutinizing app permissions.
  • Keeping built-in protections like Google Play Protect enabled.
  • Purchasing streaming devices and smart TVs from reputable manufacturers.

Alarum's Response

Alarum Technologies has responded to the takedown, stating it will cooperate with law enforcement to investigate any misuse of its infrastructure. The company acknowledged the FBI's seizure of some of its domains and pledged to hold those responsible accountable.

Conclusion

While the disruption of NetNut is a significant victory, Google and its partners recognize the ongoing challenge of combating such networks. The demand for residential proxies remains high, and defenders must stay vigilant as traffic from disrupted networks often resurfaces under new brands.