The Google FBI NetNut takedown targeted a large residential proxy network reportedly built on more than two million compromised Android devices, including smart TVs and streaming boxes. The infrastructure was allegedly used by hundreds of threat clusters to conceal the origin of password spray attacks and other malicious activity. While the operation disrupted a significant portion of the network, it also underscores a growing enterprise challenge: attackers increasingly rely on legitimate residential IP addresses to evade traditional detection. Organizations should strengthen identity security with multi-factor authentication (MFA), managed-device compliance, and endpoint visibility.
Google and the FBI Disrupt a Major Residential Proxy Network
The Google FBI NetNut takedown marks a significant effort to disrupt a residential proxy network that had reportedly become a key piece of infrastructure for modern identity attacks. Google, in coordination with the FBI and industry partners, targeted NetNut, also tracked as Popa, a residential proxy network allegedly powered by more than two million compromised Android devices.
Many of the affected devices reportedly included smart TVs, streaming boxes, and other Android-based hardware that became proxy nodes after users installed trojanized applications or malware associated with Badbox 2.0. Instead of relying on servers hosted in cloud environments, the network routed traffic through real consumer internet connections, making malicious activity appear more legitimate.
Google reported observing 316 distinct threat clusters using NetNut during a single week in June 2026. The infrastructure was reportedly used to disguise attacker locations during password spray attacks and attempts to access victim environments.
As part of the coordinated operation, Google disabled Google accounts and services reportedly used for command-and-control, shared technical intelligence on NetNut SDKs and backend C2 infrastructure, disabled known applications through Google Play Protect, warned affected users, and shared intelligence with law enforcement and industry partners.
While the operation significantly degraded NetNut’s infrastructure, it also underscores a broader security trend: residential proxy networks have become an increasingly common tool for threat actors seeking to obscure the origin of malicious authentication activity and other cyberattacks.
Why Residential Proxy Networks Matter for Enterprise Security
Unlike traditional proxy services hosted in cloud providers or data centers, residential proxy networks route traffic through real consumer devices connected to home internet services.
This presents a challenge for enterprise defenders because authentication requests originating from residential IP addresses often appear more legitimate than traffic from known hosting providers.
Threat actors commonly use residential proxy infrastructure to support activities such as:
Password spray attacks
Attempts to access victim environments using disguised residential traffic.
The public reporting on NetNut confirms that password spray activity was observed using the network. However, it does not publicly confirm whether those attempts resulted in successful account compromise or data theft.
For security teams, this distinction is important. The proxy network itself is not the attack. It is infrastructure that helps attackers conceal where their traffic originates, making malicious authentication attempts more difficult to distinguish from legitimate user activity.
What the Google-FBI Takedown Means for Enterprise Defenders
In this case, coordinated action between Google, law enforcement, and industry partners appears to have significantly degraded NetNut’s proxy network.
However, takedowns rarely eliminate the broader threat.
Residential proxy ecosystems are highly distributed, and infrastructure may be rebuilt or replaced using newly compromised devices or alternative proxy services. This means organizations cannot rely solely on infrastructure disruptions to reduce risk.
Instead, enterprises should assume that attackers will continue attempting to disguise authentication traffic using residential IP addresses and focus on strengthening defensive controls that remain effective regardless of where login requests originate.
Rather than relying exclusively on IP reputation, organizations should adopt a layered identity security strategy that includes:
Strong password policies and passwordless authentication where appropriate
Device compliance validation before granting access
Monitoring authentication activity for unusual patterns
Investigating endpoint behavior when suspicious access attempts occur
These measures can help reduce the effectiveness of password spray campaigns even when attackers leverage seemingly legitimate residential infrastructure.
XDR and Zero Trust: Securing Endpoints Together
Learn how combining XDR with Zero Trust strengthens endpoint security through continuous visibility.
How Enterprises Can Reduce Proxy-Assisted Identity Risk
The NetNut disruption reinforces that identity security and endpoint security should work together rather than operate independently.
Organizations can strengthen their security posture by:
Enforcing Managed Device Compliance
Ensuring only compliant, managed devices can access corporate resources helps reduce risks associated with unmanaged or outdated endpoints.
Keeping Endpoints Up to Date
Regular operating system updates and timely patch management reduce the attack surface that malware may exploit.
Strengthening Authentication Controls
Combining MFA with role-based access controls and least-privilege principles can reduce the risk of password spray attempts leading to unauthorized access.
Investigating Suspicious Endpoint Activity
When unusual authentication events occur, endpoint investigations can provide additional context by revealing endpoint events, running processes, or query-based endpoint data on managed devices.
Maintaining Visibility Across the Endpoint Fleet
Comprehensive endpoint management allows IT teams to identify non-compliant devices and enforce security policies across managed endpoints.
How Hexnode Can Help
While no endpoint management platform can prevent attackers from operating external residential proxy networks, Hexnode can help organizations strengthen the controls that reduce enterprise risk.
These capabilities help organizations maintain a managed and compliant endpoint fleet.
Hexnode IdP
Hexnode IdP supports identity security by enabling organizations to:
Enforce multi-factor authentication
Implement role-based access control (RBAC)
Federate with enterprise identity providers such as Microsoft Entra ID and Google Workspace.
Apply basic conditional access using device compliance information from Hexnode UEM
When paired with supported identity and conditional access integrations, these capabilities can help organizations enforce access policies based on user identity and device compliance.
Featured resource
Why XDR Is Stronger With UEM
Learn how integrating UEM with XDR enhances endpoint visibility, investigation, and response for a stronger security posture.
If suspicious endpoint activity is identified following authentication events, Hexnode XDR can support investigations through:
Endpoint-focused detection
Endpoint events
Query-based investigations
Response actions including device isolation, process termination, and file quarantine.
These capabilities can help security teams investigate endpoint activity and take supported response actions on managed endpoints.
Conclusion
The Google and FBI disruption of NetNut represents more than the takedown of a single residential proxy network. It highlights how identity attacks increasingly rely on trusted-looking infrastructure rather than obviously malicious servers.
As attackers continue to disguise password spray activity behind residential IP addresses, enterprises should move beyond traditional IP-based detection. Strengthening authentication controls, validating device compliance, and maintaining visibility into endpoint activity provide a more resilient defense against proxy-assisted identity attacks.
While infrastructure takedowns can disrupt malicious operations, long-term resilience depends on layered security controls that make enterprise environments harder to compromise regardless of where attack traffic originates.
Take Control of Your Enterprise Security
Explore how Hexnode helps IT and security teams manage endpoints from a single platform.
I write at the intersection of technology, process, and people, focusing on explaining complex products with clarity. I break down tools, systems, and workflows without any noise, jargon, or the hype.