For the past four years, an expansive and clandestine Android-based botnet known as Popa has quietly co-opted millions of consumer TV streaming boxes. Rather than launching the headline-grabbing, destructive DDoS attacks typical of legacy botnets, Popa serves a more profitable, industrial-scale purpose: it transforms everyday living room hardware into a massive, distributed "residential proxy" network.
New investigations from several leading cybersecurity firms have now established a direct link between the Popa botnet and NetNut, a commercial residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. This revelation has ignited a firestorm regarding the ethics of the multi-billion-dollar AI-scraping economy, the integrity of hardware supply chains, and the unwitting role of the average consumer in fueling massive data-harvesting operations.
The Mechanics of the Popa Botnet
Popa is not designed for destruction; it is designed for utility. It functions as a persistent communications layer that registers devices, maintains long-lived encrypted tunnels, and opens backdoors on demand. Experts identify Popa as a critical plugin component of the Vo1d botnet—a sophisticated malware campaign targeting "unofficial" Android-based TV boxes.
These streaming devices, sold under thousands of obscure brand names across major e-commerce platforms, are marketed as "all-in-one" entertainment solutions, promising access to premium subscription video services for a one-time, low-cost fee. However, the convenience comes at a hidden price. As federal authorities and security researchers have warned, these boxes frequently arrive pre-installed with malicious software that effectively turns the user’s home network into a public relay. Once plugged in, the device’s internet connection becomes a "residential proxy," allowing anyone—from legitimate AI companies to malicious cybercriminals—to route traffic through the home, bypassing the geolocation and security filters typically applied to data-center IP addresses.

Chronology of Discovery: From XLAB to Qurium
The trail of the Popa botnet began to surface in a 2025 report by Chinese security firm XLAB, which identified at least nine domain names used to command and control (C2) these compromised devices. The investigation took a significant turn in May 2026, when the security firm Qurium observed a series of massive, disruptive data-scraping events targeting their hosted organizations.
Qurium’s analysis revealed that the scraping activity was not localized but was distributed evenly across more than 1.4 million unique residential IP addresses. By mapping the infrastructure, Qurium discovered several dozen control domains, including gmslb[.]net, safernetwork[.]io, and ninjatech[.]io, all operating in lockstep. Further investigation tied these domains to a variety of pirated or modified streaming applications, such as CRICFy, DooFlix, Sprozfy, and RTS Tv.
The timeline grew increasingly complex following the July 2025 disruption of Badbox 2.0—a massive botnet operation taken down by a coalition including Google, HUMAN Security, and Trend Micro. Despite the seizure of many original Popa domains during this operation, the botnet proved resilient. Within days, new control domains appeared, including ninjatech[.]io, a domain historically linked to Moishi Kramer, a key executive at NetNut.
The Nexus: Ninjatech, NetNut, and Alarum Technologies
The connection between the botnet and legitimate corporate infrastructure centers on Moishi Kramer. According to his LinkedIn profile, Kramer served as the VP of Research and Development at NetNut, having designed the architecture and scaled the company before its acquisition by Alarum Technologies. Public records on the startup job board F6S further identify Kramer as the sole owner of the ninjatech[.]io domain.

When confronted with these findings, Kramer maintained that Ninjatech ceased operations five years ago after selling a software development kit (SDK) known as Popa. "That code was sold and licensed to third parties including resellers years ago," Kramer stated. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it." He explicitly denied any current involvement in or visibility into the infrastructure currently labeled as the Popa botnet.
However, the proxy-tracking firm Synthient disputes this narrative. In a comprehensive report released this week, Synthient researchers documented outbound traffic from Popa-infected devices leading directly to NetNut’s network. "The research team assesses with high confidence that devices running Popa forward traffic from NetNut clients," Synthient noted. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool."
Official Responses and Industry Disagreements
Alarum Technologies has vehemently rejected the reports, calling them "demonstrably inaccurate assertions and flawed deductions." In an official statement, the company argued that their technology is designed for legitimate bandwidth-sharing and does not transform devices into malware-controlled systems.
"NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of our services," Alarum stated, highlighting their "Know Your Customer" (KYC) protocols.

These claims, however, are met with skepticism by industry peers. Spur, a proxy-tracking service, published findings on June 8 alleging that NetNut’s KYC process is effectively a marketing veneer. Spur’s research suggests that anyone can purchase access to residential proxy pools using nothing more than a burner email and cryptocurrency, circumventing the need for corporate verification. "The ‘verified corporations only’ claim is simply marketing for bandwidth sellers," Spur noted.
The AI Scraping Economy: The Modern Driver
The demand for residential proxies has reached an all-time high due to the artificial intelligence boom. AI developers require vast amounts of data to train Large Language Models (LLMs), but modern web security infrastructure—such as Cloudflare and DataDome—routinely blocks requests from known data-center IPs.
Residential proxies solve this problem by making a scraper’s traffic appear to originate from a legitimate home network. As noted by Include Security, the modern web has become increasingly difficult to scrape from a server farm, leading firms to lean heavily on these distributed networks.
This has created a symbiotic relationship: piracy-focused streaming apps provide the "infrastructure" (the botnet nodes), and AI companies provide the "demand" (the need for high-volume, masked scraping). The result is a cycle of digital abuse where nonprofits, academic institutions, and libraries are suffering from service outages caused by relentless, bot-driven data collection.

Implications: The Corporate and Personal Security Risk
The threat posed by Popa extends far beyond the average living room. Chris Formosa of Black Lotus Labs (a division of Lumen Technologies) warns that because NetNut proxies are resold across the ecosystem, these malicious IPs appear in virtually every corner of the internet. "It may not be the largest botnet we have seen, but it is spread all over the industry, making its power very amplified," Formosa said.
The risk to corporate environments is particularly acute. Infoblox reports that 65% of its customer base—including banks, government agencies, and pharmaceutical companies—are currently querying residential proxy-related domains. This occurs because employees often bring their own devices (BYOD) or use mobile apps containing these SDKs into the workplace.
If a threat actor utilizes a residential proxy to attack a third party, the victim’s security team will trace the attack back to the employee’s device or the organization’s network. "Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation," Infoblox researchers warned.
The "Consent" Illusion
A significant concern remains the lack of meaningful consent. Research from Spur into the LG and Samsung app stores found that nearly 42% of apps on LG’s webOS and over 25% of apps on Samsung’s Tizen operating system contain SDKs capable of turning the TV into an always-on proxy node. While some developers include a small disclaimer in their privacy policies, it is rarely presented to the user in a way that suggests their home connection is being sold.

As the industry grapples with this, platforms like Amazon and Roku have begun to take action, barring developers from using proxy SDKs. Experts argue that until the major TV manufacturers and operating system developers enforce strict prohibitions against these "monetization" SDKs, the living room will remain a primary, and often silent, contributor to the global botnet economy. For now, the most effective defense remains a cautionary one: avoid "no-name" streaming hardware and remain vigilant about the permissions granted to apps on smart home devices.

