The Silent Hijack: How Millions of Streaming Boxes Power a Global Proxy Botnet

For the past four years, a sprawling, sophisticated Android-based botnet known as "Popa" has operated in the shadows of the consumer electronics market. By silently commandeering millions of internet-connected television boxes, this network has facilitated massive advertising fraud, large-scale account takeovers, and aggressive data-scraping campaigns. This week, a consortium of cybersecurity researchers concluded that the Popa botnet is intrinsically linked to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

Unlike the stereotypical botnets of the past—which were designed for destructive, headline-grabbing distributed denial-of-service (DDoS) attacks—Popa is engineered for longevity and utility. It functions as a persistent, invisible communications layer, capable of registering devices, maintaining encrypted, long-lived connections, and opening tunnels into home networks on demand.

The Anatomy of the Popa Botnet

Popa is identified by security experts as a plugin component associated with the "Vo1d" botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. These devices, sold under thousands of obscure brand names on major global e-commerce platforms, promise users access to a plethora of subscription video services for a one-time fee.

However, as the FBI and industry experts have repeatedly warned, these devices frequently arrive pre-installed with malicious software. This software turns a user’s television into a "residential proxy node." Once connected to a wall socket and a local Wi-Fi network, the device becomes a gateway, allowing third parties to route their internet traffic through the unsuspecting consumer’s IP address. This effectively masks the source of the traffic, making it appear as if malicious or scrap-heavy activity is originating from a legitimate, residential household.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

A Chronology of Discovery

The first significant cracks in the facade of the Popa operation appeared in 2025, when researchers at the Chinese security firm XLAB identified nine suspicious domains being used to command and control compromised devices.

In a report released in June 2026, the security firm Qurium provided further clarity. While investigating disruptive, high-volume data scraping events that targeted their hosted organizations, Qurium traced the traffic back to 1.4 million unique internet addresses. Their investigation revealed that dozens of command-and-control domains were operating in lockstep. Among these were gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.

The discovery of gmslb[.]net proved particularly damning; the domain was found referenced in the code of numerous pirated or modified streaming applications, including popular services like CRICFy, DooFlix, Sprozfy, and Rapid Streamz.

The trail led directly to Moishi Kramer, the vice president of research and development at NetNut. Kramer’s professional profile credits him with building NetNut’s architecture from the "ground up." Furthermore, business records on the F6S platform identify Kramer as the sole owner of the ninjatech[.]io domain—a domain that became a primary controller for the Popa botnet immediately following the partial dismantling of the "Badbox 2.0" botnet by Google and its partners in July 2025.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Data-Driven Insights and Prevalence

The scale of the Popa network is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs (a division of Lumen Technologies), notes that the danger of Popa lies in its ubiquity.

"Popa averages between 1.5 million to 2.5 million distinct IP addresses each day, relying on hundreds of internet addresses to direct its activities," Formosa explains. "It may not be the largest botnet we have ever seen, but its integration across the ecosystem makes it one of the most problematic. These Popa IPs appear in services all over the internet, amplifying their power."

Jérôme Meyer, a security researcher at Nokia Deepfield, suggests the actual reach may be even higher. By monitoring a subset of 26 relay nodes, Meyer observed that each handled between 35,000 and 60,000 clients simultaneously, totaling 750,000 unique sources over a 24-hour period. Nokia’s research also highlighted "RoboVPN," an application tied to the Popa plugin that further facilitates this unauthorized traffic.

Official Responses and Denials

In response to these findings, Moishi Kramer issued a statement via email, asserting that Ninjatech ceased operations approximately five years ago. He claimed that the company sold a software development kit (SDK) called "Popa," which was designed for legitimate, bandwidth-sharing purposes with user consent.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

"That code was sold and licensed to third parties years ago," Kramer stated. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it. I didn’t register the June 2025 domains, and I don’t have visibility into that infrastructure."

Alarum Technologies, the parent company of NetNut, echoed these sentiments, labeling the reports by Synthient and Qurium as containing "demonstrably inaccurate assertions and flawed deductions." In a formal statement, the company rejected the "botnet" characterization, arguing that their SDKs facilitate legitimate bandwidth sharing. "NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use," the company insisted, citing "know your customer" (KYC) protocols.

However, independent research from the proxy-tracking firm Spur contradicts these claims. Spur’s analysis suggests that the "verified corporations only" marketing is largely a facade, allowing anyone with a burner email and cryptocurrency to purchase access to residential proxy pools—including those that have never opted into the service.

The AI Scraping Economy

The rise of the Popa botnet is inextricably linked to the boom in Artificial Intelligence. AI companies require massive datasets to train Large Language Models (LLMs), but modern websites employ sophisticated defenses—such as those from Cloudflare or DataDome—to block traffic from known datacenter IP addresses.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

By using residential proxies, AI scrapers bypass these blocks, making their traffic appear as if it is coming from a regular person’s living room. This practice has become so aggressive that it is causing service outages for universities, libraries, and nonprofit organizations. As noted by the Directory of Open Access Journals (DOAJ), the "investor-fueled AI startup craze" has incentivized the deployment of thousands of scraping tools, often at the expense of public scholarly infrastructure.

Implications for the Future of Security

The threat is not limited to "no-name" streaming boxes. Research from Spur indicates that nearly 42% of apps on LG’s webOS and over 25% on Samsung’s Tizen operating system contain residential proxy SDKs. Often, these are simple games or utilities.

For the average consumer, the "opt-in" process is obfuscated behind complex, remote-navigated legal documents that few read. For the enterprise, the risk is even greater. Infoblox reports that 65% of its customer base—including pharmaceutical, food, banking, and government entities—have queried residential proxy domains within their corporate networks.

"If threat actors abuse a residential proxy to attack a third party, your organization’s IP will be identified as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "Untangling that legal and reputational mess is a massive burden."

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

As regulatory bodies and manufacturers like Roku and Amazon begin to take a harder stance against these proxy SDKs, the burden of security falls increasingly on the user. In an era where every device is a potential node in a global surveillance and scraping network, the "smart" home is increasingly proving to be a security liability. Until manufacturers mandate stricter app store policies and consumers develop a better understanding of their network exposure, the Popa botnet—and those like it—will continue to thrive on the bandwidth of the unsuspecting.