Last week, Google's Threat Intelligence Group announced the disruption of NetNut, a residential proxy network operating across approximately 2 million compromised or enrolled home devices. Working with the FBI, Lumen, and others, Google significantly degraded the network's operational capacity. The incident illustrates a persistent tension in hosting and infrastructure: the gap between legitimate proxy use and large-scale traffic laundering.
What NetNut Was and How It Operated
NetNut, also tracked under the identifier Popa, functioned as a distributed relay network. Home devices—routers, computers, mobile devices—were enrolled (sometimes without clear consent or with terms buried in service agreements) into a pool available for rent. Customers paid to route their traffic through these residential IPs, gaining the appearance of authentic user connections originating from real homes rather than datacenters.
The appeal to users is straightforward: residential IPs bypass many anti-bot and anti-fraud systems that flag datacenter addresses. E-commerce sites, social platforms, and ad networks maintain IP reputation databases specifically to block obvious proxies. A connection from a home in suburban Ohio carries less suspicion than one from a known hosting provider.
The infrastructure underpinning such networks is relatively simple: a control server, lightweight client software installed on enrolled devices, and a proxy gateway. Bandwidth costs are low because the network operator bears no egress charges—those fall on the home broadband customers. Maintenance is minimal. Scaling becomes a problem of enrolment and retention, not hardware or transit capacity.
The Abuse Problem
Large residential proxy networks inevitably become attack infrastructure. Bad actors use them to scrape websites, automate account takeovers, distribute spam, evade geographic restrictions, perform click fraud, and distribute malware. A single network of millions of devices offers enough diversity and distributed firepower to defeat many detection strategies.
Google's statement emphasised that NetNut was used for fraud, credential stuffing, and coordinated inauthentic behaviour. The network's scale—millions of endpoints—gave attackers reach that single-origin attacks cannot match. From a security operations perspective, blocking a known proxy provider is achievable; blocking millions of residential IPs is nearly impossible without harming legitimate users.
This is the core problem that prompted coordinated action. Traditional takedown methods—court orders, hosting provider cooperation, domain sinkhole—work poorly against decentralised residential proxy infrastructure because there is no single point of control and the endpoints are consumer devices, not rented servers.
How Google Disrupted the Network
Google did not simply shut down NetNut's websites or payment processors. Instead, the company's technical intervention focused on the devices themselves. Google's Threat Intelligence Group reduced the network's pool of usable devices by millions, likely through a combination of:
- Detecting and removing malicious client software from Android and Chrome devices
- Working with ISPs to identify and isolate proxy traffic patterns
- Disabling enrolled accounts and invalidating authentication tokens
- Disrupting the command-and-control infrastructure that coordinated the network
This approach is more surgical than a blanket takedown would be. Rather than attempting to block all traffic from residential IPs (which would harm legitimate users), Google targeted the network's operational integrity—making it difficult for NetNut to enrol new devices, authenticate existing ones, and route traffic reliably.
Infrastructure and Policy Implications
The NetNut disruption raises several questions for hosting and infrastructure operators. First, the line between legitimate proxy services and abusive relay networks is contractual and behavioural, not technical. A proxy network operated by a reputable company with transparent user consent and terms of service is technically similar to one that enrolls devices without explicit knowledge. Law enforcement and platform security teams increasingly treat scale and intent as the distinction.
Second, coordinated disruptions of this scale require cooperation between major platforms, law enforcement, and transit providers. Single companies cannot unilaterally defeat large distributed networks. This trend will likely continue, with infrastructure operators expected to participate in takedown efforts—either by detecting and reporting abuse, or by contributing technical resources to disrupt command infrastructure.
Finally, residential proxy markets face legitimate compliance pressure. Operators must now demonstrate clear user consent, audit traffic for known abuse patterns, and cooperate with investigations. The business model of maximising device enrolment and permitting any paying customer is no longer viable.
For infrastructure engineers and operators, the lesson is clear: networks built on enrolled consumer devices occupy a legally and reputationally fragile position. The technical capability to route traffic through millions of endpoints is not, by itself, sufficient to build a sustainable business. Consent, transparency, and active abuse prevention are becoming operational requirements, not optional.

