Google Disrupts NetNut Residential Proxy Network: Law Enforcement Success Against Distributed Infrastructure Abuse
Google's Threat Intelligence Group, working with the FBI and Lumen, significantly degraded the NetNut residential proxy network by reducing its device pool by millions. This coordinated action targets infrastructure used for credential stuffing, ad fraud, and anonymised malicious activity across compromised home devices.
Affected
Google's Threat Intelligence Group announced the degradation of NetNut, a large-scale residential proxy network operating across approximately 2 million compromised home devices. This operation represents a significant coordinated enforcement action involving Google, the FBI, internet backbone provider Lumen, and unnamed partners. The coordinated approach reflects a shift from traditional single-vendor takedowns toward multi-stakeholder disruption targeting distributed abuse infrastructure.
NetNut functions by converting residential internet connections into relay nodes for hire. Customers pay to route traffic through these home devices, gaining perceived legitimacy (residential IP addresses are harder to detect and block than datacenter proxies) whilst obscuring their own identity and activity. The business model is profitable precisely because residential connections are difficult to identify and block at scale, and because compromised devices remain largely unmonitored by their owners. Defenders recognise NetNut through observable patterns: unusual outbound volumes, connection patterns inconsistent with typical residential usage, and coordination with known abuse servers.
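The three signals named above can be combined into a per-device check over flow records. This is an added example, not code from Google, Lumen or the original report: the flow data, watchlist entry, thresholds and function names are all constructed assumptions, and addresses come from documentation ranges.

```python
from collections import defaultdict

# Constructed sample flow records: (device, dst_ip, bytes_out, bytes_in).
# Addresses are from RFC 5737 documentation ranges; none are real indicators.
FLOWS = (
    [("tv-livingroom", f"198.51.100.{i}", 900_000, 40_000) for i in range(1, 41)]
    + [("tv-livingroom", "203.0.113.7", 5_000, 2_000)]
    + [("laptop", "192.0.2.10", 200_000, 9_000_000),
       ("laptop", "192.0.2.11", 150_000, 4_000_000),
       ("nas", "192.0.2.50", 30_000_000, 100_000)]  # one large backup upload
)
WATCHLIST = {"203.0.113.7"}  # hypothetical "known abuse server" feed

# Thresholds are assumptions for illustration; tune against your own baseline.
MAX_OUT_BYTES = 20_000_000   # outbound volume per window
MAX_UP_DOWN_RATIO = 1.0      # home devices normally download more than they upload
MAX_DISTINCT_DSTS = 25       # fan-out to many unrelated hosts

def score_devices(flows, watchlist):
    """Return {device: sorted list of tripped signals} for one time window."""
    out, inn, dsts = defaultdict(int), defaultdict(int), defaultdict(set)
    for device, dst, b_out, b_in in flows:
        out[device] += b_out
        inn[device] += b_in
        dsts[device].add(dst)
    result = {}
    for device in out:
        signals = []
        if out[device] > MAX_OUT_BYTES:
            signals.append("outbound_volume")
        upload_heavy = out[device] / max(inn[device], 1) > MAX_UP_DOWN_RATIO
        if upload_heavy and len(dsts[device]) > MAX_DISTINCT_DSTS:
            signals.append("non_residential_pattern")
        if dsts[device] & watchlist:
            signals.append("abuse_server_contact")
        result[device] = sorted(signals)
    return result

def likely_proxy_nodes(flows, watchlist, min_signals=2):
    """Devices tripping at least min_signals; a single signal is too noisy."""
    scores = score_devices(flows, watchlist)
    return sorted(d for d, s in scores.items() if len(s) >= min_signals)

if __name__ == "__main__":
    for device, signals in score_devices(FLOWS, WATCHLIST).items():
        print(device, signals)
    print("flag:", likely_proxy_nodes(FLOWS, WATCHLIST))
```

The constructed NAS backup trips the volume signal alone and is not flagged, which is why the check requires at least two signals before naming a device.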
The network has been documented facilitating credential stuffing attacks, account takeovers, ad fraud, and various forms of scraping. The anonymisation layer enables attackers to mask their true origin, complicating attribution and making victim response more difficult. By operating at the scale of millions of devices, NetNut provided reliable, distributed infrastructure for campaigns requiring volume and resilience. The infrastructure also likely enabled denial-of-service operations and distributed scanning.
Google's action was technical rather than purely legal: the company worked to identify and revoke NetNut's authentication credentials and to block traffic patterns, and it collaborated with infrastructure providers to identify and disconnect proxy nodes at the backbone level. This suggests the disruption was achieved not solely through legal process but through simultaneous technical degradation across multiple layers of the internet stack. The involvement of Lumen (a major transit provider) is particularly significant, as it implies upstream filtering capabilities.
The implications extend beyond this single network. Residential proxy providers operate in significant numbers, and many operate semi-legitimately, marketing themselves for price comparison, security research, or market intelligence. The distinction between abuse infrastructure and legitimate proxy services remains contested. This action demonstrates that coordinated technical and law enforcement effort can degrade even large distributed networks, but it also raises questions about collateral impact on legitimate users whose devices may have been unknowingly compromised or whose devices hosted proxy code installed through software bundling.