For four years, a silent digital architecture has operated in the background of millions of living rooms across the globe. Known as Popa, this sprawling Android-based botnet has quietly turned consumer TV streaming boxes into high-bandwidth relays, facilitating massive advertising fraud, account takeovers, and industrial-scale data scraping.
This week, a collaborative investigation by multiple cybersecurity firms—including Qurium, Synthient, and Black Lotus Labs—has linked the infrastructure of the Popa botnet to NetNut, a commercial "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].
The findings represent a significant escalation in the debate over the ethics of the "proxy economy," where the line between legitimate software monetization and the weaponization of residential bandwidth has become dangerously blurred.
The Anatomy of the Popa Botnet
Unlike traditional, headline-grabbing botnets that seek to coordinate destructive Distributed Denial-of-Service (DDoS) attacks or encrypt files for ransomware, Popa is designed for stealth and persistence. It functions as a communication layer, registering devices, maintaining long-lived encrypted tunnels, and opening pathways for traffic on demand.
Popa is fundamentally a plugin component of the Vo1d botnet, a large-scale malware campaign targeting inexpensive, "unofficial" Android-based TV boxes. These devices are ubiquitous on major e-commerce platforms, often marketed under thousands of disparate brand names with the promise of "free" access to premium streaming content. In reality, the price of these devices is paid in bandwidth and security vulnerabilities.

By pre-installing software that turns a device into a "residential proxy," the manufacturers enable third parties to route internet traffic through the user’s home network. Because this traffic originates from a residential IP address rather than a data center, it effectively bypasses traditional security filters, allowing for the scraping of sensitive data or the execution of fraudulent transactions while appearing to come from a legitimate home user.
A Chronology of Discovery
The origins of Popa have been a subject of intense investigation for years. The first concrete evidence surfaced in a 2025 report by the Chinese security firm XLAB, which identified several domain names acting as command-and-control (C2) centers for compromised TV boxes.
The 2025 Disruptions
In July 2025, a landmark effort by Google, HUMAN Security, and Trend Micro dismantled Badbox 2.0, a botnet closely associated with the Vo1d ecosystem. During this operation, many of the domains controlling Popa were seized. However, the botnet proved resilient. Immediately following the disruption, operators registered dozens of new domains to maintain their grip on the network.
The May 2026 Breakthrough
The most recent chapter began in May 2026, when the security firm Qurium investigated a series of disruptive data-scraping events targeting their hosted organizations. The attack was distributed across more than 1.4 million unique IP addresses. Qurium’s forensics team traced these connections back to domains such as gmslb[.]net, safernetwork[.]io, and ninjatech[.]io.
Crucially, researchers found that these domains were hard-coded into various pirated streaming applications, including CRICFy, DooFlix, Sprozfy, and Rapid Streamz. The connection to ninjatech[.]io provided the "smoking gun." The domain is historically linked to Moishi Kramer, who serves as the VP of Research and Development at NetNut.

Official Responses and Denials
The link between Ninjatech, NetNut, and the Popa botnet has triggered a defensive response from the parties involved.
Moishi Kramer, in an email to investigators, stated that Ninjatech ceased operations five years ago when it sold a software development kit (SDK) known as Popa. "That code was sold and licensed to third parties including resellers years ago," Kramer wrote. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it." Kramer explicitly denied any current involvement in or visibility into the infrastructure currently operating under the Popa moniker.
Alarum Technologies, the parent company of NetNut, issued a formal statement categorically rejecting the characterization of their service as a "botnet."
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company asserted. Alarum claims to maintain rigorous "Know Your Customer" (KYC) procedures, perform due diligence on clients, and monitor for unauthorized activity.
However, industry experts remain unconvinced. The proxy-tracking firm Spur released a report on June 8 alleging that NetNut’s "verified corporations only" policy is essentially a marketing veneer. "An individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in," Spur noted.

The AI Scraping Economy: Why Your TV is a Target
The proliferation of these residential proxy nodes is no accident. The modern AI "gold rush" has created a massive demand for web data to train Large Language Models (LLMs). Because major web platforms like Cloudflare and DataDome aggressively block traffic from known data centers, AI firms rely on residential proxies to make their scraping bots look like real human traffic.
"AI companies depend on web-scraped content," says a recent report from Include Security. "The workaround is residential proxies. A scraping job routed through a subscriber’s connection arrives at the target site from an IP that belongs to a paying residential customer."
This activity has broader societal implications. Nonprofit organizations, libraries, and academic institutions have reported severe service disruptions caused by these automated scrapers. A survey by the Confederation of Open Access Repositories (COAR) found that over 90% of respondents were experiencing aggressive bot activity, often leading to slow-downs and outages that impede scholarly research.
The Scope of the Problem
The scale of the Popa/NetNut infrastructure is immense. Chris Formosa, lead information security engineer for Black Lotus Labs, notes that Popa averages between 1.5 million and 2.5 million distinct IP addresses every single day.
"What makes Popa dangerous is just how widely used NetNut is for reselling," Formosa explains. "These Popa IPs appear in tons of different services all over the ecosystem, which makes it one of the most problematic proxy botnets on the market currently."

Nokia Deepfield, which tracks global internet traffic, suggests the numbers could be even higher. Researcher Jérôme Meyer reported that in a sample of just 26 relay nodes, they observed 750,000 unique sources within a 24-hour window, estimating that each node handles tens of thousands of clients simultaneously.
Implications for Corporate and Personal Security
The danger is not limited to cheap TV boxes. Researchers at Infoblox have found that residential proxy SDKs are increasingly embedded in seemingly innocuous apps—PDF viewers, screensavers, and productivity tools—available on standard app stores for LG and Samsung TVs.
Spur’s research indicates that roughly 42% of apps in the LG webOS store contain residential proxy SDKs, while nearly 25% of Samsung Tizen apps do the same. This creates a massive liability for corporate environments. If an employee brings a device infected with a proxy SDK into the office, their corporate network effectively becomes a node in a global proxy network.
"If threat actors were to abuse the residential proxy to attack a third party, the third party’s incident response would identify your network as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "Untangling that… costs time, creates legal exposure, and can damage your reputation."
The Call for Action
Security experts are calling on manufacturers and regulators to take a harder line. While companies like Amazon and Roku have moved to ban apps that facilitate third-party proxy services, others have yet to follow suit.

For the average consumer, the lesson is clear: the "free" streaming box or the "convenient" utility app often carries a hidden, long-term cost. Until platform operators enforce stricter controls on the software permitted in their ecosystems, the invisible botnet will continue to leverage the world’s home internet connections to fuel the relentless appetite of the AI and data-scraping industries.

