NetNut takedown: Don’t be an accidental aider and abetter of cybercrime
Paul Ducklin
07/09/2026
Share this article:
Quid pro quo
You’ve probably heard the saying quid pro quo, which is Latin that loosely translates as “give a bit and get a bit” (literally, one thing for some other thing).
Sometimes, the phrase is used in the same way as “fair exchange is no robbery,” and refers to the sort of interaction that isn’t a straight sale-and-purchase arrangement.
A simple example might be that you fix a leaky tap for a friend because you’ve got the right skills and tools, and they help to to unravel the mess your laptop got into after the latest Windows update – the quid is plumbing, and the quo is system administration.
But the same words can also be used to imply a dubious relationship, where one side sneakily rips off the other, or a situation where both parties know they’re behaving dishonestly.
The recent NetNut proxy network takedown by the FBI is an example of the dangers posed by a quid pro quo that encompasses both negative meanings of the term.
Residential proxies
In IT jargon, a proxy, loosely speaking, is a program that acts as a sort-of intermediate network relay for traffic between two computers on the internet.
For example, instead of browser X connecting directly to a website running on server Y, X might connect to proxy server P instead.
X tells P which web pages it wants; P connects to Y and retrieves them; then P proxies, or relays, the replies back to X.
Proxied connections increase the complexity of any network interaction, replacing a single interchange of network traffic (X⇆Y) with two separate connections (X⇆P and P⇆Y), plus the processing performed by P itself to shuffle data between the two connections in each direction.
Nevertheless, there are useful reasons why you might take this approach, including that:
Requiring everyone inside your company to browse the internet via an intermediate proxy server, often called a web filter or a web firewall, means that you can control where they go. You can block them from going to sites you don’t like, such as those hosting possibly libelous fake news stories and conspiracy theories; stop them landing on sites that the law expects you to shield them from, such as porn and gambling; or keep them safe from sites that you don’t trust, such as servers known to be associated with cybercriminals.
Putting your traffic through a proxy means that the sites you visit won’t know where you are in real life. They’ll track your network location back to the proxy, which could be in another city, or even another country. Without the co-operation of the service running the proxy, they won’t be able to trace you directly backwards from the proxy, which can improve your privacy.
Residential proxies, as the name suggests, are proxy programs that typically run inside household networks, allowing other people to connect to your network and from there to share your network bandwidth, showing up as if they were present at your property and going online from there.
Despite the adjective residential, there’s no technical reason why so-called residential proxy software is limited to home networks connected to consumer ISPs. However, this sort of software often targets home users and household devices, and shows up mostly in residences rather than business premises, hence its name.
Surely that’s just malware?
The obvious question at this point is, “Surely all residential proxy programs can be immediately classified as malware?”
After all, who would willingly install software at home to share their own internet connection – one that they pay for, and that is probably monitored for rogue activity by their ISP – with unknown outsiders?
Wouldn’t that just be opening yourself up to suspicion of, or even prosecution for, other people’s online crimes?
The answer is more complex than you might think.
For example, some ISPs deliberately include a legitimate “residential proxy” feature in the routers they send you when you sign up.
The idea is that if you opt in (or don’t opt out, depending on local laws and IT customs), your router gets split into two Wi-Fi access points.
One access point is unique to you, where you control the network name, the settings, and the password; the other has a countrywide or worldwide name set by the ISP, and is managed from your router directly by the ISP.
In theory, when you’re on the road – even in another country, where you might otherwise have to pay high mobile roaming charges – you can connect to someone else’s home network if you’re in range, using your ISP account and password, and “borrow” bandwidth from that user temporarily.
The quid is you get free internet access wherever other customers can be found; the quo is that you return the favor if those other customers are ever in your part of the world.
To prevent (or at least to reduce the risk of) abuse, your ISP will typically limit the amount of bandwidth that each household network will “lend out” at any time; will do its best to keep unauthorized users off your router; and will monitor your shared access point traffic separately, so that you won’t be held responsible if a visitor commits crimes while online from your network.
An unwholesome side
But there’s a less wholesome side to some residential proxy services.
Some proxy systems quite deliberately pitch themselves as allowing their users to choose other people’s households as the apparent source of their traffic, not always for ethical or legal purposes.
For example, by allowing people outside your country to pretend to be in your home so they can watch TV content they can’t usually get, the quid pro quo is that you get to do the same by pretending to be in their homes when it suits you.
Dubious residential proxy services also pitch themselves as “business research” tools that allow customers to scrape data they would otherwise find hard to acquire; to trigger ad clicks from many different cities (for “research” reasons, of course, not to commit ad fraud); to remain anonymous (for “privacy” reasons, of course, not for cybercrime attacks); and more.
Rather than relying on individuals to download and activate their residential proxy software, which probably wouldn’t result in many installs, some of these services aggressively target software developers in app ecosystems such as Android phones, tablets, and smart TVs.
The developers get paid for building the proxy provider’s “ad toolkits” right into their products, and may be soothed into thinking they’re signing a legitimate contract to participate in a cut of the ad revenue that funds many of today’s apps and online services.
The residential proxy provider, however, is participating in its own way, thanks to the proxy code that’s packaged in with the “ad toolkit.”
That’s what the FBI claims a service operating under the name NetNut was doing, with the result that it grabbed control of NetNut’s official domains in a legally-authorized attempt to disrupt the service.
A year ago, the NetNut website promoted its “residential proxy” service as follows:
Today, visiting the site will show this screen instead:
Understanding the risks
As Google notes in an article detailing its own involvement in, and reason for, this takedown:
[Google] estimates the size of the NetNut network to be at least 2 million devices, distributed across the world. Public reporting by KrebsOnSecurity and others, confirmed by Google, illustrates that NetNut populates its botnet by distributing SDKs [software development kits] for devices commonly found in homes, such as smart TVs and streaming boxes. [․․․]
Home devices become part of proxy networks either because they are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. This creates serious risks for unsuspecting device owners, as their home IP addresses can be used by attackers as a launchpad for hacking and other unauthorized activities. Consequently, users can have their legitimate traffic flagged as suspicious, or blocked by their service providers. [․․․]
Furthermore, when a consumer device becomes an exit node, unauthorized network traffic passes through it. This means bad actors can access other private devices on the same home network, effectively exposing them to Internet threats.
What to do?
Beware of services or apps that offer money in return for sharing your bandwidth by installing special software. Even if the software doesn’t steal data from your network or monitor your own activity, you could effectively be aiding and abetting illegal use of your network, in a way that is indistinguishable from you doing it yourself.
Don’t be lured by services where the quid pro quo is the dubious but appealing proposition of watching TV shows that would normally be blocked. Even if you don’t live your life by the maxim that two wrongs don’t make a right, you’ll need to trust the other party not to use your network to commit much more serious online crimes. Those crimes could include click-fraud, malware distribution, and password guessing attacks, all with the immediate finger of guilt pointing straight back to you.
If you’re a developer, be diligent before agreeing to bundle someone else’s library code in your app. What sounds like an innocent way to generate revenue from a “free” app may turn out to put other people in harm’s way, and to get your own apps banned or flagged as malware.
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Paul Ducklin
07/09/2026
Share this article:
Table of contents:
The world doesn’t need another traditional MSSP or MDR or XDR.
We start with identity and end with transparency — protecting where attacks begin and keeping you informed, with as much visibility as you want. No black boxes, just clear, expert-driven security.
I am interested in SolCyber Foundational Coverage™
I am interested in a Free Demo
14506
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy