July 2 - Alphabet's Google said on Thursday it took measures to undermine a widespread network of internet-connected devices that had been used to conceal and route malicious online activity. The company said its actions targeted the NetNut residential proxy network, which is also referred to as Popa, and were carried out in collaboration with the FBI and industry partners including Lumen.
Google said it disabled accounts and services that were used in malware command-and-control operations tied to NetNut, and that it provided technical intelligence about the group's infrastructure to law enforcement and industry partners to support broader enforcement efforts. The company published these details in a blog post describing the coordinated steps.
Residential proxy networks enable users to route internet traffic through consumer IP addresses, a configuration that can mask the origin of online activity and help bypass security defenses. While such proxy services can be deployed for legitimate reasons, Google noted that these networks are often abused for cybercrime because they obscure the true source of traffic.
"We believe our coordinated actions have caused significant degradation to NetNut’s proxy network and its business operations, reducing the available pool of devices for the proxy operator by millions," Google said in a blog post.
The company statement also described the types of proxies NetNut offers: rotating residential, ISP, mobile, and datacenter proxies. The service was founded in 2017 as a subsidiary of Alarum Technologies, a cybersecurity firm in Israel.
Summary of actions taken
- Google disabled accounts and services tied to NetNut-related malware command-and-control operations.
- Technical intelligence on the group's infrastructure was shared with law enforcement and industry partners to support enforcement.
- Google reported a significant reduction in the pool of devices available to the proxy operator - on the order of millions.
Context on residential proxy networks
Residential proxy networks route traffic through consumer IP addresses and can mask the origin of internet requests. That capability makes them useful for legitimate applications but also attractive to criminals seeking to conceal malicious traffic.