For the past four years, a sprawling, sophisticated Android-based botnet known as Popa has silently turned millions of consumer TV streaming boxes into unwitting conduits for illicit internet traffic. While the botnet avoids the destructive, high-visibility tactics of traditional malware—such as massive Distributed Denial-of-Service (DDoS) attacks—its true purpose is perhaps more pervasive: it acts as a persistent, encrypted communication layer capable of scraping mass data, facilitating account takeovers, and powering advertising fraud.
New research released this week by multiple cybersecurity firms has linked the Popa botnet directly to NetNut, a prominent “residential proxy” provider operated by the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR). This discovery highlights a growing crisis in the digital age: the weaponization of household internet connections to fuel the insatiable hunger of the artificial intelligence (AI) data-scraping industry.
The Anatomy of the Popa Botnet
Popa is not a conventional botnet. Instead of enlisting devices for brute-force attacks, it is architected to maintain a long-lived, encrypted communication tunnel. This allows the botnet operator to register a device, maintain a persistent connection, and open communication tunnels on demand.
Experts identify Popa as a critical plugin component associated with the Vo1d botnet—a large-scale malware campaign targeting inexpensive, "no-name" Android-based TV boxes. These devices, which can be found on top e-commerce platforms, are marketed as low-cost solutions to stream thousands of subscription services for a one-time fee. Beneath the user interface, however, these boxes are pre-installed with software that effectively turns the owner’s home network into a residential proxy node. This node remains active as long as the device is plugged in, allowing third parties to route malicious or high-volume traffic through the unsuspecting user’s home IP address.

A Chronology of Discovery and Disruption
The trail leading to Popa began in 2025, when researchers at the Chinese security firm XLAB identified nine domain names used to manage compromised devices. However, the true scale of the operation only became clear in May 2026, when the security firm Qurium investigated a series of disruptive data-scraping events.
Qurium discovered that the scraping activity was being distributed evenly across 1.4 million unique internet addresses. By tracking these connections, researchers identified dozens of control domains—including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io—all hosted in lockstep. Many of these domains were embedded within pirated or modified streaming applications such as CRICFy, DooFlix, Sprozfy, and CyberFlix.
A significant turning point occurred in July 2025, when a coalition led by Google, HUMAN Security, and Trend Micro dismantled Badbox 2.0, a botnet closely related to Vo1d. While many of the original control domains were seized, the botnet proved resilient. Within weeks, dozens of new control domains were registered, including the familiar ninjatech[.]io.
Research further indicates that ninjatech[.]io was founded by Moishi Kramer, who currently serves as the vice president of R&D at NetNut. His professional profile, including an archived listing on the job board F6S, credits him with designing the architecture and scaling the infrastructure for NetNut before its acquisition by Alarum Technologies.

Supporting Data: The Scale of the Intrusion
The sheer volume of traffic flowing through the Popa/NetNut ecosystem is staggering. Chris Formosa, a senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, estimates that the Popa botnet averages between 1.5 million and 2.5 million distinct IP addresses daily.
"What makes Popa dangerous is just how widely used NetNut is for reselling," Formosa explained. "Because other proxy services often resell NetNut infrastructure rather than building their own, these Popa-linked IP addresses appear in disparate services across the entire ecosystem. Its power is amplified by its ubiquity."
Jérôme Meyer, a researcher at Nokia Deepfield, suggests the true population of the botnet may be even higher. By monitoring a subset of relay nodes, Meyer observed that each node handles between 35,000 and 60,000 clients simultaneously. In a 24-hour period, he tracked 750,000 unique sources from just 26 relay nodes.
Official Responses and Corporate Denials
In response to these findings, Moishi Kramer issued a statement claiming that Ninjatech ceased operations five years ago after selling a software development kit (SDK) known as Popa. "That code was sold and licensed to third parties years ago," Kramer stated. "Once software is distributed that way, the original developer has no control over how others modify, rebrand, or deploy it." He further denied any current involvement in or visibility into the infrastructure currently identified as Popa.

Alarum Technologies also challenged the research, labeling the reports by Synthient and Qurium as containing "demonstrably inaccurate assertions and flawed deductions." The company stated that their SDKs are designed for "bandwidth-sharing functionality" and do not constitute a botnet. "NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use," the company said, citing their "Know Your Customer" (KYC) procedures.
However, the proxy-tracking firm Spur directly contradicted these claims. In a June 2026 report, Spur alleged that NetNut does not require meaningful corporate verification, allowing individuals to purchase access to residential IP space with as little as $5 in cryptocurrency and a burner email address. "The ‘verified corporations only’ claim is simply marketing for bandwidth sellers," Spur noted.
The AI Scraping Economy: A Symbiotic Threat
The rise of the Popa botnet is inextricably linked to the boom in AI development. Training Large Language Models (LLMs) requires massive datasets, often scraped from the open web. Because major websites employ security measures—such as those from Cloudflare or DataDome—to block traffic from known datacenter IPs, AI companies and scrapers have turned to residential proxies to mimic legitimate human traffic.
This creates a perverse incentive structure: the same companies building the "brains" of the future are often reliant on traffic routed through hijacked smart TVs in living rooms across the world. The impact is severe. Nonprofit organizations, libraries, and universities have reported consistent service disruptions as their infrastructure is overwhelmed by aggressive, automated scrapers hiding behind residential proxies.

Implications for Corporate and Home Security
The threat is not confined to inexpensive TV boxes. Research by Infoblox reveals that residential proxy SDKs are frequently embedded in mobile apps, including PDF viewers, screensavers, and VPNs. These apps are often downloaded onto devices that employees then bring into corporate environments.
Infoblox found that 65% of its customer base—including pharmaceutical, food and beverage, government, and banking institutions—was querying residential proxy-related domains. When an employee’s device acts as a proxy node, their corporate network effectively becomes a tunnel for external traffic. If a malicious actor uses that tunnel to attack a third party, the organization’s own IP address is flagged as the source of the attack, leading to significant legal and reputational damage.
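The control domains listed earlier (gmslb[.]net, safernetwork[.]io, tera-home[.]com, ninjatech[.]io) and the Infoblox observation that customer networks were querying residential-proxy domains suggest the same defensive check: match internal DNS query logs against a watchlist of known proxy control domains and see which client devices are talking to them. The script below is an added example written for this article; it is not code from any of the firms named here. The log format, client addresses and timestamps are constructed for the example, and the watchlist contains only the four domains the article names, so a real deployment would extend it with a maintained threat-intelligence feed.

```python
import re
from collections import Counter

# Control domains as the article prints them (defanged with "[.]").
POPA_CONTROL_DOMAINS = [
    "gmslb[.]net",
    "safernetwork[.]io",
    "tera-home[.]com",
    "ninjatech[.]io",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("gmslb[.]net") back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()


WATCHLIST = {refang(d) for d in POPA_CONTROL_DOMAINS}


def matches_watchlist(qname: str, watchlist=WATCHLIST):
    """Return the watchlist domain that qname equals or is a subdomain of.

    The match is on DNS label boundaries: "api.gmslb.net" matches "gmslb.net",
    but "notninjatech.io" does not match "ninjatech.io".
    """
    name = qname.lower().rstrip(".")  # tolerate a trailing root dot
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


# Constructed resolver log lines in a hypothetical syslog-like layout:
# <timestamp> <client ip> query <qname> <qtype>
SAMPLE_LOG = """\
2026-06-01T08:00:01Z 10.0.5.23 query api.gmslb.net A
2026-06-01T08:00:02Z 10.0.5.23 query www.example.com A
2026-06-01T08:00:05Z 10.0.7.41 query cdn.tera-home.com AAAA
2026-06-01T08:00:09Z 10.0.5.23 query ninjatech.io A
2026-06-01T08:00:12Z 10.0.9.8 query notninjatech.io A
this line is malformed and must be skipped
2026-06-01T08:00:15Z 10.0.9.8 query safernetwork.io. A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+) (?P<qtype>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text: str):
    """Scan log text; return (list of hits, Counter of hits per client address)."""
    hits = []
    per_client = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the scan
        matched = matches_watchlist(rec["qname"])
        if matched:
            rec["matched"] = matched
            hits.append(rec)
            per_client[rec["client"]] += 1
    return hits, per_client


if __name__ == "__main__":
    found, by_client = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['qname']} (watchlist: {h['matched']})")
    print("queries per client:", dict(by_client))
```

A client that repeatedly resolves these names is the device to pull off the network and inspect, since the article's point is that the proxy node keeps running for as long as the device is powered; the per-client counter is there to surface exactly that persistence.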
"Privacy-policy disclosure is the wrong control surface for a TV," noted Include Security in a recent report. "It is hard to scroll through a legal document navigated by arrow keys on a remote, and the in-app consent dialog doesn’t convey that a paying customer is about to route their scraping traffic through the user’s home internet."
As the line between consumer convenience and cyber-risk continues to blur, security experts are calling for tighter regulation. While companies like Amazon and Roku have begun to prohibit proxy SDKs on their platforms, the vast landscape of Android-based hardware remains largely ungoverned. Until device manufacturers, platform operators, and proxy providers are held accountable for the "always-on" nature of these residential nodes, millions of households will continue to unknowingly subsidize the global data-scraping economy.