For the past four years, a sprawling, shadow-like infrastructure known as Popa has operated beneath the radar of mainstream cybersecurity, turning millions of consumer Android TV boxes into involuntary relay stations for malicious internet traffic. While the name may not carry the notoriety of high-profile ransomware gangs, its reach is vast. Security researchers have now linked this massive botnet to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR).
The Popa network does not engage in traditional destructive acts like large-scale distributed denial-of-service (DDoS) attacks. Instead, it serves a more insidious purpose: it functions as a persistent, encrypted communication layer capable of registering devices, maintaining long-lived tunnels, and routing traffic on demand. This infrastructure has become a primary engine for advertising fraud, massive data-scraping operations, and sophisticated account takeovers.
The Genesis of Popa and the Vo1d Connection
Popa is not an isolated phenomenon; it is a critical plugin component associated with the Vo1d botnet, a large-scale malware campaign specifically targeting unofficial, budget-friendly Android TV boxes. These devices, sold under thousands of obscure brand names across major e-commerce platforms, are marketed with the alluring promise of streaming hundreds of premium subscription video services for a single, one-time fee.
However, security experts and the FBI have long warned that these devices are frequently "poisoned" at the factory level. They come pre-installed with software that effectively turns the living room TV into a residential proxy node. Once plugged into a wall outlet and connected to a home network, the device becomes a conduit for external traffic, allowing third parties to route their data through the unsuspecting user’s IP address.

The first definitive clues regarding Popa’s origins surfaced in a 2025 report from the Chinese security firm XLAB, which identified at least nine domain names used to command and control the compromised hardware. In a comprehensive analysis released this week, the security firm Qurium traced these domains to disruptive data-scraping events. Qurium discovered that scraping activity targeting its clients was distributed evenly across more than 1.4 million unique residential IP addresses, all controlled by the Popa infrastructure.
Chronology of a Digital Infection
The evolution of the Popa botnet is a masterclass in persistence. In July 2025, a coalition including Google, HUMAN Security, and Trend Micro successfully dismantled Badbox 2.0, a botnet closely linked to Vo1d. Many of the original Popa control domains were seized or rendered inert during this operation.
However, the botnet proved remarkably resilient. Immediately following the disruption, operators registered several dozen new control domains to maintain continuity. One of these domains, ninjatech[.]io, was not new. It had been part of the infrastructure for years.
Ninjatech was founded by Moishi Kramer, whose professional credentials identify him as the Vice President of Research and Development at NetNut. According to his professional history, Kramer played a foundational role in designing the architecture and scaling NetNut before its acquisition by Alarum Technologies. F6S, a platform for startups, previously listed Kramer as the sole owner of the Ninjatech domain.

Despite this evidence, Kramer maintains that Ninjatech ceased operations approximately five years ago, after selling a software development kit (SDK) known as Popa to third-party resellers. Kramer contends that once the code was licensed, the original developer lost all control over how others might rebrand or deploy it. "I don’t know who registered the June 2025 domains," Kramer stated in an email, denying any ongoing control over the infrastructure or its connection to NetNut.
Supporting Data: The Evidence of Malicious Traffic
The denial from the architect of the infrastructure stands in direct opposition to findings from the proxy-tracking firm Synthient. Their analysis of the Popa SDK revealed clear, persistent outbound traffic patterns directly associated with NetNut’s network.
"The research team assesses with high confidence that devices running Popa forward traffic from NetNut clients," Synthient noted in its report. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool."
The sheer scale of the operation is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs (a division of Lumen Technologies), characterizes Popa as one of the most dangerous proxy botnets currently active. "It averages between 1.5 million to 2.5 million distinct IP addresses each day," Formosa noted. While these numbers are significant, they are only part of the story. Jérôme Meyer of Nokia Deepfield suggests that the total population could be even higher, estimating that individual relay nodes in the botnet handle between 35,000 and 60,000 concurrent client connections.

Official Responses and Corporate Defenses
In response to the accusations, Alarum Technologies issued a firm rebuttal, dismissing the reports from Synthient and Qurium as containing "demonstrably inaccurate assertions and flawed deductions." The company explicitly rejected the label of "botnet," framing their services as legitimate bandwidth-sharing technology.
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company stated. Alarum insists they maintain rigorous "Know Your Customer" (KYC) procedures and technological measures to prevent misuse.
However, independent industry analysts remain skeptical. Spur, a service specializing in proxy tracking, recently asserted that NetNut’s verification claims are largely performative. Their research indicates that users can sign up and purchase proxy access with little more than a burner email address and a cryptocurrency payment, effectively bypassing any meaningful corporate oversight. Furthermore, the market is saturated with "white label" resellers who repackage NetNut’s pool with even less scrutiny, allowing the infrastructure to be exploited by virtually anyone.
Implications: The AI Scraping Economy
Why go to the trouble of maintaining a multi-million-device botnet? The answer lies in the explosive growth of the artificial intelligence (AI) sector. Modern AI models require vast quantities of data for training, but the "modern web" has become increasingly hostile to automated scrapers. Major platforms—such as Cloudflare, DataDome, and various social networks—routinely throttle or block traffic originating from known data centers.

Residential proxies are the "golden key" to bypassing these defenses. By routing a scraping job through a home TV box in a suburban living room, the traffic appears to originate from a legitimate, residential ISP subscriber. This allows AI firms and data brokers to harvest text, images, and videos without triggering security blocks.
This practice has sparked significant controversy. The Confederation of Open Access Repositories (COAR) has reported that aggressive scraping bots—often routed through residential proxies—are causing service disruptions for scholarly archives, libraries, and universities. Over 90% of institutions surveyed by COAR reported facing these service-degrading bots on a weekly basis.
The Corporate and Home Risk
The danger extends well beyond privacy concerns for individual consumers. Infoblox researchers have warned that residential proxy SDKs are frequently embedded in "productivity" apps, screensavers, and VPNs, which are subsequently installed on employee devices. When these devices enter the corporate network, they create a massive security vulnerability.
"If threat actors abuse the residential proxy to attack a third party, that third party’s incident response will correctly identify your company’s network as the source of the attack," warned Infoblox’s Nick Sundvall and David Brunsdon. "Untangling that… costs time, creates legal exposure, and can damage your reputation."

The pervasiveness is profound. Infoblox discovered that 65% of its customer base—spanning pharmaceuticals, food and beverage, and even government and banking sectors—had active queries related to residential proxy domains.
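One way a defender can act on the Infoblox observation above is to scan resolver query logs for lookups of known residential-proxy control domains. The following is an added example, not code from the article or from any firm it cites; the log line format is a constructed simplification, and every indicator except ninjatech[.]io (named earlier in the article) is a constructed placeholder.

```python
# Added defender-side example (not the article's or any cited firm's code): flag DNS
# lookups of known residential-proxy control domains. The log format is a constructed,
# simplified "<ts> <client> query: <name>. IN <type>" line; adapt to your resolver.
import re
from collections import defaultdict
from typing import Optional

# Indicators in the defanged "[.]" notation threat reports use. ninjatech[.]io is the
# control domain named in the article; the second entry is a constructed placeholder.
RESIDENTIAL_PROXY_DOMAINS = ["ninjatech[.]io", "proxy-sdk-placeholder[.]invalid"]
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+?)\.?\s+IN\s+\w+")

def refang(indicator: str) -> str:
    """Turn a defanged domain such as ninjatech[.]io back into its real, lowercased form."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def matches_indicator(qname: str, indicators) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")
    for ind in indicators:
        # Label-boundary check: "notninjatech.io" must not match "ninjatech.io".
        if name == ind or name.endswith("." + ind):
            return ind
    return None

def scan_dns_log(lines, defanged_indicators=RESIDENTIAL_PROXY_DOMAINS):
    """Return {client_ip: {indicator: query_count}} for every matching query."""
    indicators = [refang(i) for i in defanged_indicators]
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        ind = matches_indicator(m.group("qname"), indicators)
        if ind:
            hits[m.group("client")][ind] += 1
    return {client: dict(counts) for client, counts in hits.items()}

# Constructed sample log: one host repeatedly resolving a control domain and a
# subdomain of it, plus benign noise and a look-alike name that must not match.
SAMPLE_LOG = """\
2025-07-02T10:00:01Z 10.20.30.41 query: www.example.com. IN A
2025-07-02T10:00:05Z 10.20.30.77 query: api.ninjatech.io. IN A
2025-07-02T10:00:06Z 10.20.30.77 query: ninjatech.io. IN A
2025-07-02T10:05:09Z 10.20.30.77 query: api.ninjatech.io. IN AAAA
2025-07-02T10:06:00Z 10.20.30.41 query: notninjatech.io. IN A
malformed line that does not parse
""".splitlines()
```

A hit from a workstation is a starting point for the incident-response triage the Infoblox researchers describe, not proof of compromise on its own.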
Conclusion: A Regulatory Reckoning?
The case of the Popa botnet underscores a critical failure in the current digital ecosystem: the lack of meaningful consent for hardware-level software. As Sean Simmons of Spur noted, most users have no mental model for what it means to "sell" their home IP address. On a smart TV, where consent is often buried in a labyrinthine setup process navigated by a remote control, that gap is even wider.
While companies like Amazon, Roku, and others have begun to prohibit proxy-facilitating SDKs, the prevalence of these services in LG and Samsung app stores remains alarmingly high. Until manufacturers and regulators treat residential proxy SDKs with the same scrutiny as traditional malware, the living room television will remain one of the most powerful—and unwitting—tools in the global data-scraping machine.
