The Silent Hijack: How Millions of Streaming Devices Became the Backbone of a Global Botnet

For the past four years, a sprawling, shadow-network of Android-based TV boxes has been operating in millions of living rooms across the globe. Unbeknownst to their owners, these devices—often purchased as cheap, plug-and-play solutions for streaming subscription content—have been surreptitiously enlisted into a sophisticated botnet known as Popa.

Unlike the destructive botnets of the past, which were designed to launch massive distributed denial-of-service (DDoS) attacks or encrypt data for ransom, Popa serves a more insidious, commercial purpose: it transforms ordinary home internet connections into "residential proxies." These proxies are then sold to entities looking to bypass security filters, scrape mass amounts of data, and facilitate account takeovers. This week, a coalition of cybersecurity researchers has linked the infrastructure of this massive operation to NetNut, a residential proxy provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

The Anatomy of the Popa Botnet

Popa is not a traditional malware strain; it is a highly specialized communication layer. Its primary function is to register a device, establish persistent, encrypted tunnels, and maintain a constant, on-demand connection back to its command-and-control (C2) servers.

The botnet is a key plugin component of the Vo1d malware campaign, which specifically targets unofficial, "no-name" Android TV boxes. These devices, available by the thousands on major e-commerce platforms, promise users access to a vast library of streaming content for a one-time, upfront fee. However, the true cost of these devices is the user’s home network security. Once plugged in, the software—often pre-installed at the factory—turns the device into a relay node, allowing anyone who pays for access to route their internet traffic through the unsuspecting consumer’s IP address.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

A Chronology of Discovery and Disruption

The existence of Popa has been an open secret among security researchers for some time, but mapping its reach has been a Herculean task.

  • 2025: The first concrete indicators of the botnet surfaced in a report by the Chinese security firm XLAB, which identified at least nine core domain names used to manage the hijacked devices.
  • July 2025: A massive, coordinated effort involving Google, HUMAN Security, and Trend Micro led to the seizure and dismantling of several C2 domains associated with Badbox 2.0, a botnet closely related to Vo1d. While this disrupted the network, the operators were quick to adapt.
  • May 2026: Security firm Qurium began investigating a series of aggressive, large-scale data scraping events that impacted several organizations. The activity was distributed across 1.4 million unique IP addresses. Qurium’s investigation uncovered dozens of C2 domains operating in lockstep, including gmslb[.]net, safernetwork[.]io, and ninjatech[.]io.
  • June 2026: Recent reports from Synthient, Qurium, and Nokia Deepfield have collectively painted a definitive picture of the infrastructure, linking it back to NetNut and identifying the sheer scale of the operation—ranging from 1.5 million to potentially several million concurrent nodes.

The "Ninjatech" Connection

The trail of evidence leads directly to Moishi Kramer, whose LinkedIn profile identifies him as the Vice President of R&D at NetNut. The domain ninjatech[.]io, which Qurium flagged as a critical C2 node, is linked to Kramer, who is also credited with architecting NetNut’s infrastructure before its acquisition by Alarum Technologies.

In an email correspondence, Kramer acknowledged founding Ninjatech but claimed the company ceased operations roughly five years ago. He stated that Ninjatech sold a software development kit (SDK) known as "Popa," which was intended to allow for legitimate bandwidth sharing with user consent.

"That code was sold and licensed to third parties including resellers years ago," Kramer wrote. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it." Kramer explicitly denied any current involvement in or visibility into the infrastructure being used by the Popa botnet today.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Official Responses and Denials

Alarum Technologies, the parent company of NetNut, has vehemently rejected the findings presented by the security community. In a formal statement, the company characterized the reports as containing "demonstrably inaccurate assertions and flawed deductions."

"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company stated. Alarum emphasized that NetNut maintains rigorous "Know Your Customer" (KYC) policies and monitors for misuse. They assert that their services are designed for lawful, responsible use, such as market research and data collection.

However, researchers at the proxy-tracking firm Spur have challenged these claims. In a June 8 report, Spur argued that NetNut’s "verified corporations only" policy is little more than marketing. "An individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in," the report stated. Spur suggests that many proxy providers operate with virtually no meaningful oversight, allowing users to buy access to millions of residential IPs with nothing more than a cryptocurrency payment and a burner email address.

The AI Scraping Economy: Why Your Bandwidth Matters

The surge in the Popa botnet’s activity is intrinsically linked to the current boom in Artificial Intelligence. AI developers require vast amounts of fresh data to train Large Language Models (LLMs). Because most major websites employ sophisticated defenses—like DataDome or Cloudflare—to block scrapers coming from data centers, AI firms have turned to residential proxies to mask their activity.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

By routing traffic through a consumer’s home IP, a scraper appears to be an ordinary person browsing the web from a residential provider like Comcast or T-Mobile. This has turned the residential proxy market into a lucrative, if controversial, pillar of the AI economy.

The impact of this scraping is significant. Academic libraries, nonprofit repositories, and government websites are finding their services overwhelmed by "aggressive" bots. According to a survey by the Confederation of Open Access Repositories (COAR), over 90% of respondents reported service disruptions and slowdowns due to these automated tools, which are increasingly difficult to distinguish from legitimate user traffic.

Implications for Corporate and Home Security

The threat posed by residential proxy SDKs extends far beyond cheap streaming boxes. Research from Infoblox indicates that these SDKs are frequently embedded in "productivity" apps, screensavers, and VPNs found on mobile devices and smart TVs alike.

In a startling revelation, Spur’s analysis of app stores found that approximately 42% of apps on LG’s webOS and over 25% on Samsung’s Tizen platform contain residential proxy components. Many of these apps provide little to no transparency about how the user’s internet connection will be utilized.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

For the corporate environment, the danger is acute. When an employee connects a device containing a proxy SDK to a company network, the organization’s IP space is effectively opened to the outside world.

"If threat actors were to abuse the residential proxy to attack a third party, the third party’s incident response would, correctly, identify your residential proxy as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "Untangling that… costs time, creates legal exposure, and can damage your reputation."

Conclusion: The Need for Stricter Oversight

The Popa botnet represents a new frontier in the commoditization of home networks. While major streaming platforms like Roku and Amazon have begun barring apps that bundle proxy SDKs, the problem remains pervasive.

As the AI industry continues to demand more data, the incentive to maintain these hidden networks will likely grow. For the average consumer, the lesson is clear: the "free" or "one-time fee" streaming device or utility app comes with a hidden cost—the total loss of control over one’s own network identity. Until regulators, app store operators, and tech companies implement stricter enforcement, the "smart" devices in our homes will continue to function as the silent, unpaid backbone of the global scraping industry.