Google disrupts NetNut proxy network used in malware operations

Google disrupts NetNut proxy network used in malware operations
Google illustration image by Reuters
Short Url
Updated 03 July 2026 13:45
Follow

Google disrupts NetNut proxy network used in malware operations

Google disrupts NetNut proxy network used in malware operations
  • Google, FBI target proxy network tied to Popa botnet malware operations
  • Tech giant cuts millions of devices from NetNut's cybercrime-linked proxy pool

LONDON: Alphabet’s Google said on Thursday it weakened a network of Internet-connected devices being used to conceal ​and route malicious online traffic, acting against the NetNut residential proxy operator and the Popa botnet.
Google took action in partnership with the FBI and Lumen, among others.
The tech giant said it disabled accounts and services used in NetNut-related malware command-and-control operations and shared technical intelligence on the ‌group’s infrastructure ‌with law enforcement and industry ​partners ‌to ⁠support broader enforcement ​efforts.
Residential ⁠proxy networks route Internet traffic through consumer IP addresses, masking its origin and bypassing security defenses, a feature that, while having legitimate uses, is frequently exploited for cybercrime.
“We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its ⁠business operations, reducing the available pool of ‌devices for the ‌proxy operator by millions,” Google said ​in a blog.
NetNut’s parent, ‌Israel-based web data provider Alarum Technologies, was informed ‌of the seizure of some of its domains by the FBI on Thursday, the company told Reuters.
“Alarum takes this matter seriously and will fully cooperate with law ‌enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those ⁠responsible ⁠are held to account.”

NetNut’s infrastructure, which serves a large customer base across the Middle East, has been used by malicious actors operating in and around the region, including in attacks on media organizations.

In May, the network was exploited to carry out a distributed scraping campaign against Arab Reporters for Investigative Journalism (ARIJ), a Jordan-based independent journalism outfit, with digital forensics firm Qurium tracing 1.34 million residential IP addresses to traffic patterns consistent with NetNut’s proxy services.

The campaign targeted ARIJ’s archive of investigative reports across the Arab world and is described as a malicious, automated harvest by actors using residential proxies to conceal their origin, likely in an attempt to undermine or disrupt the dissemination of critical information.

Separately on the day, Bloomberg News reported that the FBI has been been examining potential links between NetNut and Popa for more than a year, citing documents seen and people familiar with the situation.
The investigation was one of several reviewed by officials from multiple federal law enforcement agencies during a Colorado meeting on proxy networks late last year, the report said.
The ​FBI did not ​immediately respond to a Reuters request for comment.

With Reuters