The Silent Hijack: How Millions of Streaming Boxes Power a Global Proxy Botnet

For the past four years, an expansive and largely invisible infrastructure known as the Popa botnet has quietly co-opted millions of consumer Android-based TV boxes. These devices, often purchased for their ability to stream subscription video content for a one-time fee, are being weaponized to relay massive volumes of internet traffic. Security researchers have now linked this sprawling network to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

While traditional botnets are frequently associated with high-profile distributed denial-of-service (DDoS) attacks or destructive data wipes, Popa represents a different, more insidious evolution of cyber-threat. It functions as a persistent communication layer designed to register devices, maintain encrypted tunnels, and provide a global proxy pool for customers who pay for the privilege of routing their traffic through residential IP addresses.

The Genesis and Chronology of the Popa Botnet

The Popa botnet is fundamentally tied to the Vo1d malware campaign, a widespread effort targeting unofficial, often "no-name" Android TV boxes. These devices, available at top-tier e-commerce platforms, are marketed under thousands of brand names. Once plugged into a home network, they function as a Trojan horse, installing software that turns the device into a "residential proxy node."

A Timeline of Discovery

  • 2022–2024: The Popa plugin quietly proliferates across low-cost Android TV streaming devices, establishing a massive footprint without the knowledge of the end-users.
  • July 2025: A significant disruption occurs when Google, HUMAN Security, and Trend Micro dismantle Badbox 2.0, a botnet closely related to Vo1d. Following this crackdown, security researchers observed an immediate pivot: dozens of new command-and-control (C2) domains were registered to sustain the Popa botnet.
  • May 2026: The security firm Qurium discovers that these new C2 domains are being used for aggressive, large-scale data scraping operations. The activity, which targeted various organizations, was distributed across more than 1.4 million unique IP addresses to evade detection.
  • June 2026: Following a series of reports from firms like Qurium, Synthient, and Nokia Deepfield, the direct link between Popa and the infrastructure of NetNut/Alarum Technologies is brought to the public eye.

Supporting Data: The Scale of the Hijack

The sheer volume of the Popa network is staggering. According to Chris Formosa, a senior lead information security engineer at Black Lotus Labs (Lumen Technologies), Popa manages between 1.5 million and 2.5 million distinct IP addresses daily.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

"What makes Popa especially dangerous is how widely NetNut is used as a wholesale provider," Formosa noted. "Many smaller proxy services do not build their own infrastructure; they simply resell NetNut proxies. Consequently, Popa IPs appear across a vast ecosystem of services, amplifying the reach and impact of the botnet."

The data provided by Nokia Deepfield offers further insight into the depth of the infection. Researcher Jérôme Meyer reported that monitoring just 26 of at least 359 known relay nodes revealed a staggering 750,000 unique sources interacting with the botnet within a single 24-hour window. Each relay node is estimated to handle between 35,000 and 60,000 simultaneous connections, suggesting that the total footprint of the botnet may be significantly higher than initial estimates.

The Role of Ninjatech and Moishi Kramer

The investigation into the control domains—specifically ninjatech[.]io—led researchers directly to Moishi Kramer, a vice president of R&D at NetNut. LinkedIn profiles and job board listings from F6S identify Kramer as the founder of Ninjatech.

When questioned, Kramer asserted that Ninjatech ceased operations approximately five years ago. He stated that the company sold an SDK called "Popa" intended for legitimate, bandwidth-sharing purposes, emphasizing that the software was designed to run only with explicit user consent. Kramer argued, "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it." He denied any current involvement in or visibility into the infrastructure currently being operated under the Popa moniker.

However, the proxy-tracking firm Synthient disputes this narrative. In a report released this June, Synthient analysts claimed to have observed outbound traffic from the Popa SDK that is explicitly associated with NetNut. "The research team assesses with high confidence that devices running Popa forward traffic from NetNut clients," the report stated. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool."

Official Responses and Corporate Defenses

Alarum Technologies has vehemently rejected the findings. In an official statement, the company characterized the reports as containing "demonstrably inaccurate assertions and flawed deductions."

"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," Alarum stated. The company highlighted its commitment to "appropriate notice and consent mechanisms," claiming it conducts rigorous customer due diligence and monitors for potential misuse of its network.

However, this "due diligence" is contested by Spur, a proxy-tracking service. In their own June report, Spur argued that the "verified corporations only" claim is largely a marketing tactic. "An individual can sign up, pay, and route traffic through partner address space, including space belonging to institutions whose users never opted in," Spur wrote. They noted that many downstream resellers, who use NetNut’s infrastructure, perform little to no "Know Your Customer" (KYC) checks, allowing anyone with a burner email and a small amount of cryptocurrency to gain access.

Broader Implications: The AI Scraping Economy

The rise of the Popa botnet is inextricably linked to the burgeoning artificial intelligence industry. Training large-scale AI models requires constant, massive ingestion of internet data. Because traditional cloud-hosted IP addresses are frequently blocked by anti-scraping services such as Cloudflare or DataDome, AI firms and data-scraping agencies rely on "residential proxies."

By routing traffic through a consumer’s home TV box, these scrapers appear to websites as legitimate, home-based users, effectively bypassing security filters. This has led to a surge in service disruptions. A survey by the Confederation of Open Access Repositories (COAR) found that over 90% of scholarly repositories face aggressive bot activity, often resulting in performance degradation and service outages.

The Vulnerability of Modern Households

The issue is no longer confined to low-cost streaming boxes. Recent audits by Spur of the LG and Samsung smart TV app stores revealed that roughly 42% of apps on LG’s webOS and over 25% of apps on Samsung’s Tizen OS contain SDKs that turn the television into an always-on proxy node.

The problem lies in the "consent" model. When a user installs a simple game or utility on their smart TV, they are often prompted to agree to a dense, jargon-filled privacy policy. Once the user clicks "accept" via a remote control, they may unwittingly be leasing their home internet connection to unknown third parties.

"Privacy-policy disclosure is the wrong control surface for a TV," noted Include Security in their research. "It is hard to scroll through a legal document navigated by arrow keys on a remote, and the in-app consent dialog doesn’t convey that a paying customer is about to route their scraping traffic through the user’s home internet."

Security Risks in the Corporate Environment

The danger extends beyond the living room. Infoblox researchers recently warned that residential proxy SDKs are increasingly appearing on devices brought into corporate environments. Their data suggests that 65% of their customer base—including major pharmaceutical, government, and banking entities—had queried known residential proxy domains.

If a corporate employee brings a device with an embedded proxy SDK into the office, that device can act as a bridge, allowing external actors to route traffic through the company’s internal network. This not only creates legal and reputational risk—as the company’s IP address may appear as the source of malicious or illicit traffic—but also opens a potential vector for local network reconnaissance.
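One way a network defender can act on the Infoblox observation above is to sweep internal DNS resolver logs for queries to domains tied to residential proxy SDK check-ins. This is an added illustration, not code from any of the firms named in the article: the watchlist contains the ninjatech[.]io control domain mentioned above plus a constructed placeholder, the log format is assumed, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Watchlist of domains tied to residential-proxy SDK check-ins. ninjatech.io is
# the Popa control domain named above (defanged there as ninjatech[.]io); the
# second entry is a constructed placeholder, not a real indicator.
PROXY_SDK_DOMAINS = {"ninjatech.io", "proxy-sdk-placeholder.example"}

# Constructed resolver log lines in an assumed syslog-like layout, not real traffic.
SAMPLE_DNS_LOG = """\
2026-06-02T09:14:03Z dns01 query 10.20.4.17 A ninjatech.io
2026-06-02T09:14:05Z dns01 query 10.20.4.17 A www.example.org
2026-06-02T09:15:11Z dns01 query 10.20.7.88 AAAA cdn.example.net
2026-06-02T09:15:40Z dns01 query 10.20.4.17 A sdk.ninjatech.io
2026-06-02T09:16:02Z dns01 query 10.20.9.5 A proxy-sdk-placeholder.example
2026-06-02T09:16:30Z dns01 query 10.20.9.5 A notninjatech.io
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ query (?P<client>\d+\.\d+\.\d+\.\d+) (?P<qtype>\w+) (?P<qname>\S+)$"
)


def refang(domain):
    """Normalise an indicator: undo [.] defanging, drop a trailing dot, lowercase."""
    return domain.replace("[.]", ".").rstrip(".").lower()


def matches_watchlist(qname, watchlist=PROXY_SDK_DOMAINS):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.
    Matching respects label boundaries, so notninjatech.io does not match."""
    name = refang(qname)
    for domain in watchlist:
        d = refang(domain)
        if name == d or name.endswith("." + d):
            return d
    return None


def find_proxy_sdk_clients(log_text, watchlist=PROXY_SDK_DOMAINS):
    """Map each internal client IP to the sorted watchlisted names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query record; ignore
        if matches_watchlist(m["qname"], watchlist):
            hits[m["client"]].add(refang(m["qname"]))
    return {client: sorted(names) for client, names in hits.items()}
```

Clients that appear in the result are candidates for a BYOD review (which device, which app), not proof of infection on their own, since a watchlist match only shows that something on the host resolved the name.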

As the lines between consumer electronics, data-scraping, and corporate infrastructure continue to blur, experts are calling for more stringent oversight. While platforms like Roku and Amazon have moved to ban proxy-bundling apps, the prevalence of these SDKs in "no-name" Android hardware and legacy smart TV systems remains a systemic security challenge that shows no signs of abating. For the average user, the message is clear: the convenience of a budget streaming box may come at the cost of one’s digital privacy and network security.