NetNut takedown: how residential proxy botnets turn home devices into exit nodes
Google's Threat Intelligence Group, working with the FBI and Lumen's Black Lotus Labs, disrupted NetNut, a residential proxy network Google says spanned roughly two million home devices. Read past the takedown headline and there is a durable bug class worth understanding: how ordinary devices get enrolled as rented exit nodes, and what that means for the traffic you see leaving a network.
What a residential proxy network is
A residential proxy service sells access to real consumer IP addresses. A customer sends a request to the provider, the provider relays it through a home device somewhere, and the destination sees traffic that looks like an ordinary broadband subscriber rather than a datacenter. That residential IP reputation is the product. It is what lets the buyer scrape, credential-stuff, or run espionage traffic without tripping the coarse filters that block cloud ranges.
NetNut, also tracked as Popa, is not exotic in shape. What made it notable is scale and packaging: Google assessed with high confidence that many seemingly separate proxy brands were reselling the same underlying pool through a white-label reseller program. One pool, many storefronts.
How a device gets enrolled
The exit node is the interesting part, because it is usually someone who never agreed to relay strangers' traffic. Enrollment happens along a few well-worn paths:
- Bundled proxy SDKs. A free app ships a proxyware library that quietly opens the device as an exit node in exchange for the developer getting paid. The user installed a flashlight or a VPN, not a relay.
- Repackaged apps. A legitimate app is repackaged with hidden proxy code and pushed through unofficial stores or sideloading.
- Preloaded firmware. Some cheap smart TVs and streaming boxes arrive with the relay code already on them, planted before sale. The buyer never had a clean baseline to protect.
- Commodity malware. An infostealer or loader adds a proxy module as one more monetization stage after it lands.
Once enrolled, the device polls a control channel, receives a request to fetch, opens an outbound connection to the target, and streams the response back. To the home network it looks like the box is just talking to the internet, which is exactly the camouflage.
The device is not exploited during each request. It was conscripted once, and now it forwards traffic that looks perfectly normal leaving a home connection, which is the reason these networks are hard to see from the victim side.
Why the traffic is worth laundering
In a single week Google says it tracked 316 distinct threat clusters routing through suspected NetNut exit nodes, including espionage groups and password-spraying operations. The value is defensive evasion: spread a password spray across thousands of residential IPs and per-IP rate limits and geovelocity checks stop firing. The same laundering hides scraping, ad fraud, and account-takeover attempts inside traffic that a defender is reluctant to block wholesale, because real customers sit behind those same ISP ranges.
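To make the evasion concrete, here is an added example (not code from the article or from Google's report) that replays constructed authentication log lines through two detectors: the per-IP failure limit that rented residential exit nodes are meant to stay under, and a tenant-wide aggregate keyed on the shape of the spray rather than on the source. The usernames, source IPs, app name, log format and thresholds are all assumptions made up for the demo.

```python
"""Why a per-IP rate limit goes quiet against a residential-proxy password spray.

Added example, not code from the article or from Google's report. It runs
constructed authentication log lines through two detectors: the per-IP
failure limit that rented residential exit nodes are meant to stay under,
and a tenant-wide aggregate keyed on the shape of the spray instead of on
the source. Usernames, IPs, app names and thresholds are made up for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) app=(?P<app>\S+)$"
)
EPOCH = datetime(1970, 1, 1)
T0 = datetime(2025, 1, 15, 20, 0, 0)  # constructed base time


def _line(offset_s, result, user, src, app="vpn"):
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} auth={result} user={user} src={src} app={app}"


# Constructed log: bob mistypes his password and then succeeds; one noisy
# single-source brute force against alice; and a spray of exactly one guess
# per account across forty different residential-looking source IPs.
LOG = (
    [_line(5 * i, "FAIL", "bob", "198.51.100.40") for i in range(3)]
    + [_line(15, "OK", "bob", "198.51.100.40")]
    + [_line(20 + 2 * i, "FAIL", "alice", "203.0.113.99") for i in range(8)]
    + [_line(60 + 3 * i, "FAIL", f"user{i:02d}", f"192.0.2.{i + 1}") for i in range(40)]
)


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def per_ip_blocks(events, threshold=5, window=timedelta(minutes=10)):
    """Classic control: block a source after `threshold` failures inside `window`.

    Each residential exit node carries only a guess or two, so it never
    reaches the threshold; only a concentrated single-source attack does.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    blocked = set()
    for src, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over this source's failures
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                blocked.add(src)
                break
    return blocked


def spray_windows(events, window=timedelta(minutes=10), min_users=20, min_ip_ratio=0.8):
    """Aggregate failures per app and fixed window; alert when many distinct
    accounts fail and the source IPs are barely reused (distinct IPs / failures high)."""
    buckets = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            buckets[(e["app"], (e["ts"] - EPOCH) // window)].append(e)
    alerts = []
    for (app, idx), group in sorted(buckets.items(), key=lambda kv: kv[0]):
        users = {e["user"] for e in group}
        ips = {e["src"] for e in group}
        if len(users) >= min_users and len(ips) / len(group) >= min_ip_ratio:
            alerts.append({"app": app, "window_start": EPOCH + idx * window,
                           "failures": len(group), "users": len(users), "ips": len(ips)})
    return alerts


if __name__ == "__main__":
    events = parse(LOG)
    print("per-IP blocks:", per_ip_blocks(events) or "none")
    for a in spray_windows(events):
        print(f"spray suspected on {a['app']} from {a['window_start']}: "
              f"{a['failures']} failures, {a['users']} accounts, {a['ips']} source IPs")
```

The per-IP limiter fires only on the single noisy source against alice and sees nothing wrong with forty sources that each fail once. The aggregate view catches the spray because its shape survives the laundering: many accounts, many sources, almost no source reuse inside one window. The ratio threshold is a tuning knob; a tenant whose legitimate users really do all log in from distinct home IPs will need a higher `min_users` or a per-app baseline.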
How the disruption worked
The takedown did not seize every device. Google degraded the network by disabling the accounts that operators used for command-and-control, cutting millions of compromised devices out of the usable pool at once. That is a recurring pattern in these operations: you do not need to clean two million endpoints if you can sever the coordination layer that makes them a fleet. The trade-off is that a resilient operator can rebuild control channels, so disruption buys time and raises cost rather than ending the problem.
Detecting and containing proxyware in a lab
You cannot reproduce a criminal network responsibly, but you can model the exit-node behavior on an isolated segment and practice spotting it. Stand up a device on a mirrored or gateway-logged VLAN and watch its egress.
```shell
# flag a device fanning out to many destinations it should never contact
# run on the gateway, not the suspect device
# -l line-buffers so awk sees packets as they arrive; the filter keeps only
# connection initiations (SYN without ACK) from the suspect box
tcpdump -lni eth0 "src host 10.13.37.20 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" \
  | awk '{
      split($1, t, ":"); minute = t[1] ":" t[2]      # HH:MM from the timestamp
      sub(/:$/, "", $5); sub(/\.[0-9]+$/, "", $5)    # strip trailing colon and port from dst
      if (!seen[minute, $5]++) n[minute]++          # count distinct dst per minute
      print minute, n[minute], "distinct destinations so far"
    }'
# a normal smart TV talks to a handful of CDNs and one telemetry host.
# an exit node opens outbound connections to unrelated targets on 80/443,
# plus steady beacons to a control host on an odd port.
```
The tells are behavioral, not signature-based: a consumer appliance that suddenly initiates connections to a wide, changing set of unrelated destinations, keeps a low-and-slow beacon to one host, or generates DNS lookups that do not match its advertised function. Containment for a real home network is blunt but effective: isolate untrusted IoT on its own VLAN with no lateral access, default-deny outbound except known-good destinations, and treat any device that will not accept a firmware reset as disposable rather than trusted.
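The three tells above can be scored mechanically once the gateway's flow records are in hand. The following is an added example, not code from the article or from Google's writeup: it takes constructed flow records for a well-behaved smart TV and for an enrolled device of the same class, and reports destination fan-out per minute, low-jitter beacons to a single host, and DNS names outside an assumed allow-list for that device class. Every IP address, hostname, port and threshold is constructed for the demo and is not a real indicator.

```python
"""Behavioral tells of a proxyware exit node, scored over gateway flow records.

Added example, not code from the article or from Google's writeup. It
implements the three tells the text names: destination fan-out, a
low-and-slow beacon to one host, and DNS names outside the device's
advertised function. Every flow record, IP, hostname and threshold below
is constructed for the demo and is not a real indicator.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2025, 1, 15, 20, 0, 0)  # constructed base time


def _t(seconds):
    return T0 + timedelta(seconds=seconds)


# Flow record: (timestamp, src_ip, dst_ip, dst_port, dns_name_or_None)
# Constructed: a well-behaved smart TV talking to two CDN hosts and one
# vendor telemetry endpoint at irregular intervals.
FLOWS_TV = [
    (_t(0), "10.13.37.10", "198.51.100.10", 443, "img.cdn-example.net"),
    (_t(7), "10.13.37.10", "198.51.100.11", 443, "video.cdn-example.net"),
    (_t(31), "10.13.37.10", "198.51.100.10", 443, "img.cdn-example.net"),
    (_t(75), "10.13.37.10", "198.51.100.20", 443, "telemetry.tv-vendor.example"),
    (_t(140), "10.13.37.10", "198.51.100.11", 443, "video.cdn-example.net"),
    (_t(260), "10.13.37.10", "198.51.100.20", 443, "telemetry.tv-vendor.example"),
    (_t(300), "10.13.37.10", "198.51.100.10", 443, "img.cdn-example.net"),
]

# Constructed: the same class of device after enrollment. A metronomic
# control-channel beacon on an odd port, plus a burst of connections to
# unrelated web hosts that are really a customer's relayed requests.
FLOWS_SUSPECT = [
    (_t(30 * i), "10.13.37.20", "203.0.113.7", 8443, None) for i in range(7)
] + [
    (_t(5 + 4 * i), "10.13.37.20", f"192.0.2.{i + 1}", 443 if i % 2 else 80,
     f"shop{i:02d}.example.org")
    for i in range(12)
]

# Hostnames this device class is expected to resolve (assumed allow-list).
ALLOWED_SUFFIXES = (".cdn-example.net", ".tv-vendor.example")


def max_fanout_per_minute(flows, src):
    """Largest number of distinct destination IPs `src` contacted within one minute."""
    buckets = defaultdict(set)
    for ts, s, dst, _port, _name in flows:
        if s == src:
            buckets[ts.replace(second=0, microsecond=0)].add(dst)
    return max((len(d) for d in buckets.values()), default=0)


def beacon_candidates(flows, src, min_hits=5, max_jitter_s=5.0):
    """(dst, port) pairs contacted repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for ts, s, dst, port, _name in flows:
        if s == src:
            times[(dst, port)].append(ts)
    found = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter between contacts = beacon shape
            found.append((key, round(mean(gaps)), round(pstdev(gaps), 2)))
    return found


def unexpected_dns(flows, src, allowed_suffixes):
    """DNS names the device resolved that fall outside its expected allow-list."""
    names = {name for _ts, s, _dst, _port, name in flows if s == src and name}
    return sorted(n for n in names if not n.endswith(allowed_suffixes))


def assess(flows, src, allowed_suffixes=ALLOWED_SUFFIXES, fanout_threshold=8):
    """Combine the three tells into a verdict for one device."""
    fanout = max_fanout_per_minute(flows, src)
    beacons = beacon_candidates(flows, src)
    dns = unexpected_dns(flows, src, allowed_suffixes)
    tells = []
    if fanout >= fanout_threshold:
        tells.append(f"fan-out: {fanout} distinct destinations in one minute")
    for (dst, port), period, jitter in beacons:
        tells.append(f"beacon: {dst}:{port} every ~{period}s (jitter {jitter}s)")
    if dns:
        tells.append(f"dns: {len(dns)} names outside the expected allow-list")
    return {"src": src, "fanout": fanout, "beacons": beacons,
            "unexpected_dns": dns, "tells": tells}


if __name__ == "__main__":
    for flows, src in ((FLOWS_TV, "10.13.37.10"), (FLOWS_SUSPECT, "10.13.37.20")):
        verdict = assess(flows, src)
        print(src, "->", verdict["tells"] or ["no proxyware tells"])
```

Periodic vendor telemetry is the expected false positive for the beacon check, which is why the verdict leans on all three tells together rather than any one of them; a device that beacons, fans out and resolves names it has no business resolving is the one to pull onto the quarantine VLAN.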
The transferable lesson matches other bug classes we cover: the compromise is a one-time enrollment, and everything after it is designed to look ordinary. If you only hunt for the moment of exploitation you will miss the fleet. Watch what leaves.
Sources
- The Hacker News. "Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices."
- Google Cloud. "Google's Continued Disruption of Malicious Residential Proxy Networks." (GTIG writeup)
- Cybernews. "Google cripples NetNut, the 2 million-device botnet powering hackers and spies."