For the past four years, a digital shadow has loomed over millions of living rooms worldwide. A sprawling, Android-based botnet known as Popa has quietly commandeered consumer TV streaming boxes, transforming them into relay points for massive, global-scale data scraping, advertising fraud, and unauthorized account access.
This week, a multi-firm investigation—involving researchers from Qurium, Synthient, and Black Lotus Labs—has publicly linked the Popa botnet to NetNut, a prominent "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. While Alarum denies these characterizations, the findings paint a troubling picture of how the booming demand for artificial intelligence training data is turning household consumer devices into unwitting tools for corporate data extraction.
The Mechanics of the Popa Botnet
Unlike the destructive botnets of the past—which typically coordinate distributed denial-of-service (DDoS) attacks to crash websites—Popa operates with a more surgical, persistent purpose. It is designed as a communications layer, registering compromised devices into an encrypted, on-demand tunnel network.
Popa is widely considered a plugin component of the Vo1d botnet, a malicious campaign specifically targeting unofficial, "no-name" Android TV boxes. These devices, often marketed on popular e-commerce platforms with the promise of "lifetime access" to premium streaming content for a one-time fee, arrive pre-loaded with malicious software. Once plugged into a wall outlet and connected to a home network, the device effectively becomes a "residential proxy." This allows third parties to route their Internet traffic through the user’s home IP address, masking their activities behind the cloak of a legitimate residential subscriber.

The danger extends beyond simple bandwidth theft. Because these proxies operate from inside a user’s home network, malicious actors can use them to probe local devices, potentially compromising other computers, security cameras, and smart-home appliances residing behind the same firewall.
Chronology of a Global Investigation
The trail of breadcrumbs leading to Popa’s infrastructure has been meticulously documented over the last two years:
- 2025 (The Early Discovery): Chinese security firm XLAB first identified the Popa infrastructure, flagging nine core domain names used to command and control the compromised TV boxes.
- July 2025 (The Badbox Disruption): A coalition led by Google, HUMAN Security, and Trend Micro dismantled "Badbox 2.0," a botnet closely related to Vo1d. While many Popa-related domains were seized during this operation, the botnet proved resilient.
- May 2026 (The Qurium Breakthrough): Security firm Qurium began investigating a wave of high-cost data scraping events that hit their hosted organizations. They discovered the activity was distributed across 1.4 million unique IP addresses. By tracing the traffic, they found that several new command-and-control domains had emerged, including ninjatech.io.
- June 2026 (The Link to NetNut): Recent reports from Synthient and Nokia Deepfield have solidified the connection. Synthient’s analysis of the Popa SDK revealed clear, direct outbound traffic flowing into the NetNut proxy network, confirming the symbiotic relationship between the botnet and the commercial proxy provider.
The Ninjatech Connection
A critical turning point in the investigation was the discovery of the domain ninjatech.io. Records link the domain to Moishi Kramer, who currently serves as the Vice President of Research and Development at NetNut.
Kramer’s professional history is well-documented; his LinkedIn profile explicitly credits him with building the NetNut architecture from the "ground up." However, when confronted with these findings, Kramer maintained that Ninjatech ceased operations five years ago. He claimed the company sold its software development kit (SDK)—the very code now identified as Popa—to third-party resellers.

"Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it," Kramer stated in an email, denying any current involvement in the operation of the botnet or the maintenance of the infrastructure.
The AI Scraping Economy: A Symbiotic Threat
The rise of Popa is not an accident of history; it is a direct result of the modern "AI gold rush." Major AI corporations and startups are engaged in an unprecedented race to scrape the entire Internet for text, images, and video to train their Large Language Models (LLMs).
As Include Security noted in a recent report, the modern web has become increasingly difficult to scrape from traditional data centers. Security firms like Cloudflare and DataDome routinely block traffic originating from known cloud-based IP addresses. To bypass these defenses, scrapers rely on residential proxies. By routing requests through an unsuspecting person’s home internet, the traffic appears to be the legitimate activity of a real consumer, making it nearly impossible to block without collateral damage.
This practice has triggered over 70 copyright infringement lawsuits, as organizations—from scholarly journals to nonprofit libraries—struggle to keep their services online. The Directory of Open Access Journals (DOAJ) has reported that their repositories are under constant assault by aggressive bots, leading to regular service degradation and outages.

The Scope: Smart TVs and Beyond
The problem is far larger than cheap, "no-name" streaming boxes. Research by the proxy-tracking firm Spur indicates that the issue has permeated the app stores of major, reputable smart TV manufacturers.
Spur found that approximately 42% of apps available on LG’s webOS and over 25% of apps on Samsung’s Tizen operating system include SDKs that convert the television into an always-on residential proxy node. Even if a user ignores the "pirate" streaming boxes, their premium living-room television may be silently participating in global data scraping 24 hours a day.
The Corporate Risk
The threat is not limited to home users. Infoblox recently found that 65% of its corporate clients were querying residential proxy-related domains, often because employees had brought infected personal devices—or used apps containing these SDKs—into the workplace.
"If threat actors abuse the residential proxy to attack a third party, that third party’s incident response will correctly identify your company’s IP as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. The legal and reputational exposure for a company suddenly appearing as a source of malicious traffic is immense.
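The check Infoblox's finding implies for a corporate network is a review of resolver logs for hosts querying residential-proxy infrastructure. The following is an added example, not code from the article or any of the firms it cites; it runs over a constructed DNS log, and the watchlist holds the ninjatech.io domain named above plus clearly labelled placeholder domains standing in for a proxy provider's infrastructure.

```python
import ipaddress
from collections import defaultdict

# Watchlist: ninjatech.io is the command-and-control domain named in the
# investigation; the ".invalid" entries are constructed placeholders standing
# in for a residential-proxy provider's domains (not real indicators).
PROXY_WATCHLIST = {
    "ninjatech.io",
    "example-proxy-sdk.invalid",
    "example-resi-gateway.invalid",
}

# Constructed sample resolver log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2026-06-02T09:14:01Z 10.20.4.17 ninjatech.io
2026-06-02T09:14:05Z 10.20.4.17 cdn.example.com
2026-06-02T09:15:22Z 10.20.7.88 api.example-proxy-sdk.invalid
2026-06-02T09:16:40Z 10.20.4.17 relay3.ninjatech.io
2026-06-02T09:17:03Z 192.168.50.9 www.example.org
2026-06-02T09:18:11Z 10.20.9.3 example-resi-gateway.invalid
"""


def matches_watchlist(qname, watchlist=PROXY_WATCHLIST):
    """True if qname equals a watchlisted domain or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watchlist)


def flag_proxy_queries(log_text, watchlist=PROXY_WATCHLIST):
    """Group watchlist hits by querying host: {client_ip: [qname, ...]}.

    Each hit is an internal host reaching for infrastructure tied to a
    residential-proxy SDK, the symptom Infoblox reports seeing at clients.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = parts
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue  # not a client address we can act on
        if matches_watchlist(qname, watchlist):
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for host, names in flag_proxy_queries(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(names)} watchlist query(s): {', '.join(names)}")
```

Hosts it flags are candidates for the device inventory question Infoblox raises: a personal streaming box or TV on the corporate network, or an app carrying a bandwidth-sharing SDK.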

Official Responses and Industry Pushback
Alarum Technologies, the parent company of NetNut, has vehemently rejected the findings. In a formal statement, they characterized the reports as containing "demonstrably inaccurate assertions and flawed deductions."
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company stated. They insist they employ rigorous "Know Your Customer" (KYC) procedures and technological measures to mitigate unauthorized activity.
However, security firm Spur directly contradicted this claim, arguing that the "verified corporations only" marketing language is a façade. According to Spur, "Anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto."
Implications: A Call for Policy Reform
The Popa/NetNut saga highlights a critical regulatory gap. While companies like Amazon and Roku have taken steps to ban apps that facilitate proxy services, others remain largely passive, leaving their users exposed to silent exploitation.

Chris Formosa, senior lead information security engineer for Black Lotus Labs, summarizes the danger: "Popa is spread all over the industry, making its power very amplified." With between 1.5 million and 2.5 million distinct IP addresses involved daily, the botnet has become a foundational component of the modern, unregulated scraping economy.
As the lines between legitimate AI data collection and malicious botnet activity continue to blur, security experts are calling for urgent intervention. Without stricter oversight of how SDKs are embedded in consumer software and mandatory transparency regarding "bandwidth sharing," the average user—and the corporate network—will remain a quiet, involuntary contributor to the next generation of artificial intelligence, one scraped webpage at a time.
