On July 2, 2026, Google's Threat Intelligence Group (GTIG) announced it had significantly degraded the NetNut residential proxy network (also known as Popa) in partnership with the FBI and Lumen Technologies, disablin... The operation exposed a network that had hijacked at least 2 million consumer devices globally,...

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What was the coordinated action taken by Google, the FBI, and Lumen Technologies in June 2026 to. Article summary: Here is the fact-checked breakdown of the coordinated action and its findings, drawn from Reuters, Krebs on Security, the Hacker News, PCMag, and other reporting published July 2, 2026.. Topic tags: general, news, general web, user generated, government. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text, watermarks, charts with fake numbers, clickb
On July 2, 2026, Google's Threat Intelligence Group (GTIG) announced it had significantly degraded the NetNut residential proxy network (also known internally as Popa), working in partnership with the FBI and Lumen Technologies, along with other industry partners . The coordinated action struck at one of the largest known botnets conscripting ordinary home electronics into a global cybercrime relay system.
Google took three concrete steps:
Separately, the FBI seized hundreds of domains associated with NetNut and the Popa botnet infrastructure . The FBI also replaced NetNut's homepage with a seizure notice
.
In a single week of observation, Google's Threat Intelligence Group detected 316 distinct threat clusters routing malicious traffic through the NetNut proxy infrastructure . These included:
Google and researchers identified two primary infection methods:
Google warned users to avoid apps that offer payment for unused bandwidth or claim to "share your internet connection for rewards," as these are a common Trojan horse for residential proxy enrollment . Consumers were advised to keep devices updated, avoid cheap unbranded Android TV boxes from unknown vendors, and check which apps have network permissions.
The Popa botnet used malware derived from the Vo1d/Mzmess family, which shares lineage with Mirai botnet variants targeting Android-based IoT devices . The Aisuru botnet, a Mirai/TurboMirai-class IoT botnet, was also observed pivoting from DDoS attacks to residential proxy models during this period, highlighting an industry-wide shift
. The OMG Mirai variant, first documented in 2018, similarly turned IoT devices into proxy servers
.
This action builds directly on Google's January 28, 2026 disruption of the IPIDEA residential proxy network, one of the largest such networks globally at the time . In that operation, Google eliminated domains and accounts used by IPIDEA to route traffic for cybercriminals and state-sponsored attackers
. Google assessed then — and reaffirmed in July — that the broader residential proxy industry remains deeply connected to cybercriminal ecosystems, with top services like NetNut, LunaProxy, 711Proxy, and 922Proxy each operating over 1 million exit nodes
. The NetNut takedown was part of a continuing campaign that also included the March 2026 disruption of SocksEscort
and the June 2026 takedown of the "Outsider" phishing network
.
Alarum Technologies issued a statement on July 2, 2026, saying it would "fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated" .
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
On July 2, 2026, Google's Threat Intelligence Group (GTIG) announced it had significantly degraded the NetNut residential proxy network (also known as Popa) in partnership with the FBI and Lumen Technologies, disablin...
On July 2, 2026, Google's Threat Intelligence Group (GTIG) announced it had significantly degraded the NetNut residential proxy network (also known as Popa) in partnership with the FBI and Lumen Technologies, disablin... The operation exposed a network that had hijacked at least 2 million consumer devices globally, routing traffic for 316 distinct criminal threat clusters in a single week—including advertising fraud, credential stuffi...
The NetNut takedown built directly on Google's January 2026 disruption of the IPIDEA residential proxy network, part of a continuing campaign that Google says has revealed the broader residential proxy industry to be...