For the past four years, a sprawling, shadow-like infrastructure known as "Popa" has quietly co-opted millions of consumer Android-based TV boxes. Rather than launching the headline-grabbing distributed denial-of-service (DDoS) attacks typically associated with botnets, Popa operates with a more subtle, persistent objective: transforming living-room streaming devices into a global relay network for commercial residential proxies.
This week, a coalition of cybersecurity researchers has formally linked the Popa botnet to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. The revelation highlights a growing, uncomfortable symbiosis between the "gray market" of cheap streaming hardware and the burgeoning, multi-billion-dollar economy of AI data scraping.
The Anatomy of a Persistent Proxy Network
Popa is not a traditional piece of malware designed to destroy or encrypt data. Instead, it serves as a highly resilient communications layer. Once installed, it maintains encrypted, long-lived tunnels that allow third parties to route their Internet traffic through the victim’s residential IP address.
For the end user, the device functions as expected—streaming video content for a one-time fee. Beneath the hood, however, the device is acting as a "residential proxy." This means that when a third party—such as a data-scraping firm or an anonymous actor—purchases access to the NetNut network, their traffic appears to originate from the user’s home network.
Because these requests come from legitimate residential ISP addresses (Comcast, T-Mobile, AT&T, etc.), they are rarely blocked by the security filters that target cloud-based data centers. This makes the hijacked TV boxes highly valuable real estate for those looking to bypass anti-bot protections.

A Chronology of Discovery and Disruption
The existence of Popa was first brought to light in a 2025 report by the Chinese security firm XLAB, which identified nine core domain names used to orchestrate the botnet. The investigation gained momentum in May 2026, when the security firm Qurium traced disruptive and high-volume data-scraping events back to these same domains.
Qurium’s investigation revealed that Popa is a plugin component of the broader "Vo1d" botnet, a campaign targeting unofficial, unbranded Android TV boxes sold widely on global e-commerce platforms.
The timeline of the botnet is marked by a cycle of disruption and adaptation:
- July 2025: A massive joint operation involving Google, HUMAN Security, and Trend Micro successfully seized the domains controlling "Badbox 2.0," a sibling to the Vo1d campaign.
- Post-July 2025: Researchers observed that while many original Popa domains were dismantled, operators rapidly registered new ones to ensure the continuity of the proxy relay service.
- June 2026: New reports from Qurium, Synthient, and Nokia Deepfield collectively identified the continued activity of these domains, linking them directly to the infrastructure and personnel associated with NetNut.
A critical turning point in the investigation was the identification of the domain ninjatech[.]io as a long-standing control node. Public records and professional networking data link this domain to Moishi Kramer, who currently serves as the Vice President of R&D at NetNut.
Supporting Data: The Scale of the Operation
The reach of Popa is staggering. According to Chris Formosa, a senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, the botnet maintains a consistent footprint of between 1.5 million and 2.5 million distinct IP addresses every day.

"What makes Popa especially dangerous is how widely used NetNut is as a wholesale provider," Formosa explained. "Many other proxy services don’t build their own networks; they simply resell NetNut proxies. Consequently, these hijacked IPs appear across a vast ecosystem of different services, amplifying the reach of the botnet significantly."
Other researchers provide even higher estimates. Jérôme Meyer of Nokia Deepfield noted that by monitoring a subset of just 26 relay nodes, his team observed 750,000 unique sources over a 24-hour period. With at least 359 known relay nodes in the Popa ecosystem, the actual number of participating devices likely dwarfs initial estimates.
The "Consent" Dilemma and Corporate Responses
The primary defense offered by those managing proxy networks is the claim of "consent." NetNut and its parent company, Alarum Technologies, vehemently deny that their infrastructure constitutes a "botnet."
In an official statement, Alarum characterized the research as containing "demonstrably inaccurate assertions and flawed deductions." The company maintains that its SDKs facilitate "bandwidth-sharing functionality" and that they employ strict "Know Your Customer" (KYC) protocols to prevent misuse.
However, independent research casts doubt on the efficacy of these safeguards. The proxy-tracking firm Spur reported that NetNut does not require meaningful corporate verification, noting that "the ‘verified corporations only’ claim is simply marketing… anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto."

Furthermore, while newer builds of the Popa SDK ostensibly include consent prompts, Synthient’s analysis of over 20 active "Popa publishers" found that none of them were observed actually requesting or receiving user consent before enabling proxy traffic.
Implications: The AI Scraping Economy
The rise of the Popa botnet is inextricably linked to the frantic demand for training data by Artificial Intelligence firms. Modern AI models require vast datasets, and as major platforms like Cloudflare and DataDome have hardened their defenses against datacenter-based bots, the demand for residential proxies has skyrocketed.
"The modern web isn’t scrapeable from a datacenter," noted a report from Include Security. "The workaround is residential proxies. A scraping job routed through a subscriber’s connection arrives at the target site from an IP that belongs to a paying residential customer."
This has created a problematic cycle. Nonprofit organizations, academic repositories, and independent websites are being overwhelmed by "aggressive bots" that degrade service for legitimate users. A survey by the Confederation of Open Access Repositories (COAR) found that 90% of respondents faced service disruptions from scraping bots at least once a week.
A Wider Problem: Beyond the TV Box
The threat is not confined to inexpensive, "no-name" streaming boxes. Research from Spur indicates that approximately 42% of apps in the LG webOS app store and 25% of apps in the Samsung Tizen store include residential proxy SDKs.

This is a design flaw in the "smart" ecosystem. Privacy disclosures are often buried in dense legal text that is difficult to navigate with a television remote. Once an app is installed, the device remains an always-on gateway for third-party traffic until the app is deleted—if the user ever realizes it is there at all.
The corporate risk is equally grave. Infoblox discovered that 65% of its customer base—including pharmaceutical, food, banking, and government entities—was querying residential proxy-related domains. When an employee brings a compromised smart device into the workplace, they inadvertently open a door for threat actors to route attacks through the corporate network.
"If threat actors abuse the residential proxy to attack a third party, that third party’s incident response will identify your residential proxy as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "Untangling that, by proving you were the conduit and not the threat actor, creates significant legal and reputational exposure."
Conclusion: The Path Forward
As the line between "bandwidth sharing" and "malicious botnet" continues to blur, the burden of security is increasingly shifting toward platform providers. While companies like Roku and Amazon have taken steps to prohibit proxy SDKs, others remain permissive.
For the average consumer, the message from security experts is clear: treat smart devices with the same skepticism applied to a PC. If a device is offering a "free" service, or if it is an unbranded import, it may be paying for its existence by selling your network connection to the highest bidder in the AI-scraping economy. In an era where data is the new oil, your home internet connection has become the pipeline—and you may not be the one holding the valve.
