The FBI and industry partners have disrupted infrastructure tied to NetNut and the Popa residential proxy botnet, according to KrebsOnSecurity reporting and a companion Google Threat Intelligence Group update. This is not just another botnet takedown. It is a reminder that compromised home devices, smart TVs, streaming boxes, and bundled proxy SDKs are now part of the access infrastructure used by cybercrime and espionage operators.
For small businesses and government contractors, residential proxy abuse matters because it makes malicious traffic look ordinary. Password spraying, account takeover attempts, scraping, fraud, and reconnaissance can arrive from consumer ISP addresses instead of obvious data-center infrastructure. That complicates blocking, detection, and attribution.
What happened
KrebsOnSecurity reported that the FBI worked with industry partners to seize hundreds of domains associated with NetNut and Popa. Google said its coordinated actions disabled Google accounts and services used for command-and-control, shared infrastructure intelligence with law enforcement and platform providers, and triggered protections against applications known to bundle NetNut-related SDKs.
Google estimates the NetNut network was at least two million devices in size. It also reported observing 316 distinct threat clusters using suspected NetNut exit nodes during one week in June 2026, including both cybercriminal and espionage activity. That scale is the core issue: residential proxy networks give attackers a large, rotating pool of trusted-looking IP space.
Why residential proxies are dangerous
A normal proxy service routes traffic through intermediary systems. A malicious residential proxy network routes traffic through real consumer devices and home internet connections, often without meaningful consent from the device owner. That gives attackers several advantages:
- Reputation camouflage: traffic appears to come from consumer ISPs instead of known hosting providers.
- Geo-flexibility: attackers can pick exit nodes close to a target region or customer base.
- Credential attack support: password spraying and account testing become harder to distinguish from normal user activity.
- Fraud and scraping enablement: abuse can be distributed across millions of addresses to avoid rate limits.
- Home network exposure: once a device becomes an exit node, unauthorized traffic is moving through the same environment as other private devices.
Defensive takeaways for SMBs and contractors
Organizations cannot solve the residential proxy ecosystem alone, but they can reduce the value of proxy-based abuse against their own environments.
- Treat consumer ISP traffic as variable trust, not automatic trust. Geo-location and ASN reputation are useful signals, but they are not strong authentication controls.
- Harden identity against low-and-slow attacks. Enforce phishing-resistant MFA where possible, monitor impossible travel, and alert on distributed login failures across many IPs.
- Use behavior-based rate limits. Rate-limit by account, device, session history, and action type — not only by source IP.
- Watch for residential proxy patterns. Look for many source IPs touching the same account set, user agents repeating across unrelated IPs, and authentication attempts that rotate networks but keep similar timing.
- Segment risky consumer IoT at home offices. Remote workers should keep smart TVs, streaming boxes, cameras, and unknown Android devices off the same network segment used for work systems.
- Review VPN and SaaS logs after credential exposure. If passwords or tokens leak, assume attackers may test them through residential proxy infrastructure to avoid obvious blocklists.
Home office risk is business risk
The Popa/NetNut reporting also has a remote-work angle. A compromised streaming box in a home does not automatically compromise a work laptop, but it changes the local network risk picture. If the same home network hosts unmanaged IoT devices, personal systems, and contractor workstations, defenders should assume the boundary is soft.
For organizations handling government data, CUI-adjacent workflows, proposal material, or customer credentials, the practical answer is simple: separate work devices from consumer IoT, keep endpoint protection active, require strong MFA, and avoid treating “coming from a normal residential IP” as proof of legitimacy.
Bulwark Black assessment
The important lesson from the NetNut and Popa disruption is that botnets are not only used for malware payloads or DDoS. They are increasingly part of the access layer that hides credential attacks, scraping, fraud, and espionage workflows. Takedowns help, but Google’s warning is worth taking seriously: operators can resell capacity, shift to competitors, and rebuild through overlapping proxy ecosystems.
Defenders should respond by hardening identity, reducing reliance on IP reputation, and improving detection around distributed authentication behavior. If the attacker can make traffic look like it came from a normal living room, the control plane has to move beyond the source IP.













