One of the criminal internet’s most valuable pieces of infrastructure just lost millions of its exit nodes. Google’s Threat Intelligence Group, working with the FBI, IRS Criminal Investigation, and Lumen Technologies, has disrupted NetNut — also tracked as Popa — a residential proxy network that quietly turned more than 2 million home devices worldwide into rented relays for cybercriminal and espionage traffic. On July 2, federal agencies seized domains linked to the operation, replacing its storefront with a seizure notice.

The devices weren’t servers in a datacenter. They were smart TVs, streaming boxes, and other consumer hardware sitting in living rooms — their owners almost certainly unaware that their home IP address was being sold by the hour to people running phishing campaigns, credential stuffing, and state-aligned intrusions.

Why Residential Proxies Are Criminal Gold

To understand why Google committed takedown resources to a proxy network, you have to understand what residential proxies solve for an attacker. Modern defenses lean heavily on IP reputation: traffic from a datacenter in a distant country gets challenged or blocked; traffic from a Comcast subscriber in Ohio sails through. Fraud systems, login-anomaly detection, geo-fencing — all of it assumes a home IP address probably belongs to a real person doing real-person things.

Residential proxy networks break that assumption at industrial scale. NetNut sold access to real household IP addresses, letting buyers route malicious traffic through actual homes so that credential stuffing looks like customers logging in, scraping looks like browsing, and espionage C2 traffic looks like someone streaming television. The victim’s own neighbors become the attacker’s camouflage.

The catch — and the crime — is where those IP addresses came from. Networks at this scale are not built from volunteers reading terms of service. They are assembled from malware-infected and covertly enrolled devices, with smart TVs and Android streaming boxes a favorite substrate: always on, rarely patched, never monitored, and attached to exactly the kind of pristine residential IP that buyers pay premium rates for.

The Takedown

Google’s Threat Intelligence Group says the joint action cut millions of devices out of the pool available to the proxy operator and caused “significant degradation” to both the network and its business. The FBI and IRS-CI’s domain seizures decapitated the commercial side — the storefront where access was marketed and sold — while Lumen, which operates backbone infrastructure, worked the network side of the disruption.

The inclusion of IRS Criminal Investigation is worth pausing on. IRS-CI shows up when investigators are following money, not just packets. Proxy networks are businesses, with payment processing, subscription tiers, and revenue — and treating them as financial-crime targets opens tools that pure network takedowns lack.

This is becoming a rhythm. In recent months we’ve covered Germany’s BKA dismantling the Aisuru and Kimwolf botnets, the AryStinger campaign that converted 4,300 legacy routers into a proxy network, and Canada’s CSIS obtaining its first-ever warrant to clean botnet-infected devices. Law enforcement and platform operators have collectively decided that proxy and botnet infrastructure — the layer that makes every other crime harder to attribute — is where disruption buys the most leverage.

Who Was Hiding Behind It

Google’s reporting indicates NetNut’s residential IPs laundered traffic for a spectrum of abuse: credential stuffing and account takeover, ad fraud, scraping, phishing infrastructure, and — most seriously — espionage groups using household IPs to make their intrusions blend into normal traffic. That last category is why this matters beyond fraud economics. When a state-aligned actor’s C2 check-in comes from a suburban smart TV, network defenders lose one of their few reliable signals.

The disruption doesn’t end the market. Residential proxy demand is enormous, competitors exist, and seized domains have a way of reincarnating under new names. But rebuilding a 2-million-device footprint is neither fast nor free, and every rebuild burns money, infrastructure, and operational security.

What This Means for You

For consumers: your streaming box is a computer, and it can be conscripted. Buy streaming hardware from reputable vendors — cheap off-brand Android boxes have repeatedly shipped with malware preinstalled — keep firmware updated, and if your internet slows or your ISP flags unusual activity, take it seriously.

For defenders: IP reputation is a weakening signal, and takedowns like this only thin the herd temporarily. Detection that leans on device fingerprinting, behavioral analysis, and session anomalies will survive the residential-proxy era; allowlists built on “residential = trustworthy” will not.
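To make the defender's point concrete, here is an added example (not from Google's reporting or any vendor's product) that runs an IP-centric rule and a fingerprint-centric rule over the same constructed login log, where a credential-stuffing run is spread one attempt per residential IP. The event fields, the fingerprint labels, and the thresholds are all assumptions chosen for illustration; the IPs come from documentation ranges.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, client_fingerprint, username, success).
# Fingerprints are made-up labels standing in for whatever client/device
# fingerprint the defender already collects (hypothetical values).
EVENTS = (
    # One tool, 60 accounts, 60 different "household" IPs, 4 lucky hits.
    [(f"198.51.100.{i}", "fp-a91c", f"user{i:03d}", i % 15 == 0) for i in range(1, 61)]
    # Ordinary households: one IP, a few people, the odd mistyped password.
    + [("203.0.113.7", "fp-home1", "alice", True)] * 3
    + [("203.0.113.7", "fp-home2", "bob", False), ("203.0.113.7", "fp-home2", "bob", True)]
    + [("203.0.113.9", "fp-home3", "carol", False)] * 4
)

def per_ip_alerts(events, max_failures=5):
    """IP-centric rule: flag any source IP with too many failed logins."""
    fails = defaultdict(int)
    for ip, _fp, _user, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def fingerprint_alerts(events, min_ips=10, min_users=10, max_success_rate=0.2):
    """Session-centric rule: one client fingerprint seen across many IPs and
    many accounts with a low success rate, however clean each IP looks."""
    ips, users = defaultdict(set), defaultdict(set)
    total, good = defaultdict(int), defaultdict(int)
    for ip, fp, user, ok in events:
        ips[fp].add(ip)
        users[fp].add(user)
        total[fp] += 1
        good[fp] += ok  # bool counts as 0/1
    return sorted(
        fp for fp in total
        if len(ips[fp]) >= min_ips and len(users[fp]) >= min_users
        and good[fp] / total[fp] <= max_success_rate
    )

if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(EVENTS))
    print("fingerprint rule:", fingerprint_alerts(EVENTS))
```

The per-IP rule stays silent because no single address ever exceeds its failure budget, while the fingerprint rule surfaces the shared client behind all 60 addresses. A fingerprint can itself be rotated, so in practice this is one signal to combine with behavioral and session features rather than a replacement for them.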

Sources