Google, in coordination with the FBI and Lumen, disrupted the NetNut residential proxy network (aka Popa), which is estimated to comprise at least 2 million consumer devices enrolled as proxy exit nodes via malicious SDKs embedded in apps and firmware. The network was used by 316 distinct threat clusters in a single week for masking origin IPs, password spraying, and other malicious activity. Google disabled associated C2 accounts, shared intelligence with partners, and enabled Google Play Protect to warn users about apps containing NetNut SDKs.