Over the last four years, a large-scale Android-based botnet known as Popa has been hijacking millions of consumer TV boxes to route Internet traffic tied to ad fraud, account hijacking, and large-scale data harvesting. This week, researchers from several cybersecurity firms have linked the Popa botnet to NetNut, a “residential proxy” service run by the publicly traded Israeli company Alarum Technologies Ltd [NASDAQ: ALAR].
Malicious streaming devices sold online that enroll the user’s home Internet address in a residential proxy service. Image: HUMAN Security.
Popa is an enormous botnet, but by all indications it differs significantly from conventional botnets that recruit infected machines for destructive purposes, such as orchestrating massive distributed denial-of-service attacks. Instead, Popa seems built with one specific goal in mind: creating a persistent communications framework that can register a device, sustain long-running encrypted connections, and open communication tunnels whenever needed.
Analysts say Popa functions as a plugin component tied to the Vo1d botnet, a widespread malware operation aimed at unofficial Android-based TV boxes. These gadgets, sold under thousands of brand names and model numbers and widely available on major e-commerce platforms, all promote the ability to stream hundreds of subscription video services for a single upfront payment.
However, as the FBI and cybersecurity professionals have repeatedly cautioned, these streaming boxes usually bundle or come pre-loaded with software that converts the user’s TV into a “residential proxy” — enabling anyone to channel their Internet traffic through that device for as long as it stays plugged into a power outlet and connected to a home network. Even more alarming, some of these proxy networks do little to prevent malicious users from interacting with and potentially compromising devices on the local network of the unsuspecting owner.
The first hints about Popa’s origins emerged in a 2025 report from the Chinese cybersecurity firm XLAB, which identified at least nine domain names used to register and direct the behavior of compromised devices. In a report published today, the security company Qurium explained how it came across some of those same domains while probing a series of disruptive and costly data scraping incidents targeting the company’s hosted clients in May 2026, where the scraping activity was distributed evenly across more than 1.4 million IP addresses.
Qurium reported finding several dozen domains used to command Popa that were all hosted in sync across multiple IP addresses over time, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io. Investigating further, Qurium found that gmslb[.]net was referenced in dozens of pirated or modified video streaming apps, such as CRICFy, DooFlix, Sprozfy, RTS Tv, Flixoid, CyberFlix, Rapid Streamz, TvMob, and HD/OceanStreams.
Qurium’s report points out that most of the domains long used to control the Popa botnet were seized or taken down in July 2025, after Google, HUMAN Security, and Trend Micro joined forces to disrupt Badbox 2.0, a botnet closely linked to Vo1d. Qurium noted that right after that takedown, several dozen new domains were registered to act as controllers for the Popa botnet, but one of those control domains was not new: ninjatech[.]io.
Ninjatech is a company founded by Moishi Kramer, whose LinkedIn profile lists him as vice president of research and development at NetNut. His resume credits him with helping NetNut build from the “ground up,” “designing the architecture,” and “scaling NetNut” before the company was acquired by Alarum Technologies. A self-created listing on the startup platform F6S identifies Kramer as the sole owner of the Ninjatech domain (a screenshot of it is shown below).

Image: F6S.com.
Responding by email, Mr. Kramer stated that Ninjatech stopped operating roughly five years ago, when the company sold a software development kit (SDK) called Popa that was intended to use only a small portion of a device’s bandwidth and to run only after the host application obtained user consent.
“That code was sold and licensed to third parties including resellers years ago,” Kramer said. “Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it.”
Kramer said neither he nor NetNut builds, operates, or maintains the infrastructure being described as Popa, nor does he control the Ninjatech domain.
“I didn’t register the June 2025 domains you mention, and I don’t know who did,” he continued. “I have no control over, or visibility into, that infrastructure. I can only tell you it isn’t operated by me or by NetNut.”
However, in a separate Popa research report released today, the proxy-tracking firm Synthient said a recent analysis of the Popa SDK revealed outbound traffic clearly tied to NetNut.
“The research team assesses with high confidence that devices running Popa forward traffic from NetNut clients,” Synthient wrote. “This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool.”

Synthient’s platform receiving outbound traffic from Popa. Image: Synthient.com.
Alarum Technologies, NetNut’s Tel Aviv-based parent company, said the reports by Synthient and Qurium contained “demonstrably inaccurate assertions and flawed deductions rather than verified facts.” Alarum shared a statement disputing the fundamental description of the SDKs and technologies mentioned in the reports as a “botnet.”
“The SDKs in question are built to enable bandwidth-sharing features and do not turn user devices into systems controlled by malware or otherwise harm the devices they run on,” the statement explains. “NetNut runs a commercial proxy network and has policies, processes, and technical safeguards in place to encourage lawful and responsible use of its services.”
Alarum stated that NetNut puts “considerable focus on proper notice and consent procedures, performs customer due diligence, watches for possible misuse, and takes actions aimed at detecting and stopping suspicious or unauthorized activity.”
“This approach is backed by internal procedures and policies, including carrying out KYC checks and additional due diligence on NetNut’s customers, as well as using various technical tools designed to help identify and deal with suspected misuse of the network,” their statement added.
However, in a report published on June 8, the proxy tracking service Spur claimed that NetNut does not require corporate verification or meaningful “know your customer” procedures before letting customers buy proxy access.
“A person can register, pay, and route traffic through partner address space, including space belonging to institutions whose users never agreed to participate,” Spur wrote. The “‘verified corporations only’ claim is essentially marketing aimed at bandwidth sellers, not a real restriction on who actually uses the proxies.”
“And NetNut isn’t the only entry point,” Spur added. “Several downstream white-label providers and resellers repackage the same ISP proxy pool under their own brand names. These channels usually perform no KYC whatsoever, applying less oversight than NetNut itself, which at minimum might assign an account manager to prospective users. Anyone who knows where to look can purchase access through a reseller using nothing more than a disposable email address and $5 in cryptocurrency.”
Synthient discovered that while the latest versions of Popa (as of three months ago) have introduced the ability to request user consent before installing proxy components, not all variants or earlier versions of Popa include this feature.
“Among the more than 20 genuine Popa publishers examined, none were seen requesting user consent,” Synthient reported.
HOW WIDESPREAD IS POPA
Chris Formosa serves as senior lead information security engineer at Black Lotus Labs, a division of the Internet backbone provider Lumen Technologies.
“What makes Popa particularly dangerous is just how extensively NetNut is used for reselling and sharing,” Formosa said, noting that many other proxy services simply resell NetNut proxies instead of building their own widespread proxy networks. “As a result, these Popa IPs show up in countless different services across the entire ecosystem, making it one of the most problematic and dangerous proxy botnets available today.”
Formosa said the Popa botnet averages between 1.5 million and 2.5 million unique IP addresses daily, depending on between 250 and 300 Internet addresses that are used to coordinate its operations.
“That’s what makes Popa so dangerous,” Formosa said. “It may not be the largest botnet we’ve encountered, but its presence throughout the industry gives it enormous reach and influence.”
Formosa noted that while this makes Popa one of the bigger botnets currently active, its scale is modest compared to what was once claimed by IPIDEA, a China-based proxy provider that until recently operated a daily pool of nearly 10 million devices sold as proxies to anyone willing to pay. In January 2026, Synthient published research revealing that several new large DDoS botnets had expanded rapidly by tunneling through IPIDEA proxies into the local networks of unsuspecting TV box owners and infecting other Android-based devices behind users’ firewalls.
IPIDEA relies heavily on SDKs used to watch pirated streaming content on a massive number of TV box devices, but the service’s numbers have declined since January, when Google and industry partners took legal action to seize the domain names IPIDEA used to control devices and route proxy traffic through them.
Jérôme Meyer, a security researcher at Nokia Deepfield, said the total number of devices involved in the Popa botnet could be far greater than Lumen’s estimates. Meyer told KrebsOnSecurity that Nokia is tracking 26 of at least 359 known relay nodes for the botnet, and estimates that each relay node manages between 35,000 and 60,000 clients at the same time.
“On the subset of relay nodes I’m monitoring (26 of them), there were 750,000 unique sources in 24 hours,” Meyer wrote in response to questions.
Nokia Deepfield released its own report today on RoboVPN, a VPN app connected to the Vo1d botnet’s Popa plugin that Qurium links to NetNut/Alarum Technologies.
THE CLOSE LINK BETWEEN PROXIES AND DATA SCRAPING
Experts say many of the world’s largest proxy providers have refreshed their public branding to emphasize their role in training AI platforms, suggesting this is a primary application for their residential proxies. This is because AI services typically depend on continuously scraping the Internet for new text, images, and video content that can be used to train large language models (LLMs).

NetNut and other proxy services have rebranded themselves as essential infrastructure for the AI scraping economy. Image: Synthient.com.
“AI companies rely on web-scraped content: for pre-training, for retrieval, for grounding AI agents, for search,” reads a report this month from Include Security that looks at how common proxy SDKs are in smart TV apps. “But the modern web can’t be scraped from a data center. Cloudflare, DataDome, HUMAN, and others throttle or block requests from known cloud IPs. The workaround is residential proxies. A scraping job routed through a Comcast or T-Mobile subscriber’s connection reaches the target site from an IP that belongs to a paying residential customer.”
This relentless content scraping has led to more than 70 copyright infringement lawsuits against major tech companies that have acknowledged large-scale data scraping as a key source of the “intelligence” behind their commercial AI products. Ironically, much of that scraping is being facilitated by proxy services that are closely tied to unofficial Android TV boxes and related SDKs whose stated purpose is streaming pirated content.
The scraping activity has grown so intense that it frequently overwhelms the targeted websites, making them inaccessible to legitimate visitors. In many documented cases, nonprofit organizations, libraries, and universities have reported constantly struggling to keep their services running in the face of unrelenting data-scraping operations hiding behind residential proxy services.
A survey carried out last year by the Confederation of Open Access Repositories (COAR) found that while most web-scraping bots are relatively harmless, a growing number are so aggressive that they are increasingly disrupting services in digital repositories and other scholarly communication platforms. Over 90 percent of survey participants reported that their repositories face aggressive bot activity—typically more than once a week—often resulting in performance slowdowns or complete service outages.
“Automated web scraping isn’t new—it’s been the backbone of search engines like Google for over three decades,” noted **Brendan O’Connell**, platform manager at the **Directory of Open Access Journals** (DOAJ), a free, community-maintained index of peer-reviewed academic journals. “But today’s investor-driven AI boom has spawned thousands of well-funded startups building and deploying their own scraping tools to train AI models, joining established players like OpenAI and Google.”
DON’T TOUCH THAT DIAL!
Across the U.S., local communities are resisting the rapid expansion of new data centers built primarily to boost AI capabilities. Yet security experts warn that most people remain unaware: using an unauthorized Android TV box likely means their “smart TV” is consuming substantial monthly bandwidth to help train cutting-edge AI models.
Even homes without such questionable devices aren’t safe—simply downloading one of thousands of apps available on **Samsung** or **LG** smart TVs can turn a household television into a residential proxy node. According to Spur, recent analysis of the LG and Samsung app stores revealed roughly 3,000 apps each. Many are basic games or utilities whose fine print discloses that the user’s internet connection may be used for data downloads—with an option to opt out at any time.
Spur found that **more than 42% of apps on LG’s webOS platform include SDKs that silently convert the TV into a persistent residential proxy node**. Over a quarter of apps designed for Samsung’s **Tizen** OS contain similar proxy functionality.

Image: Spur.us.
Security professionals question whether TV apps with proxy SDKs can truly obtain informed consent—especially since any household member, including children, can unknowingly enroll the family TV into a proxy network just by installing a simple app.
“Privacy policies are the wrong way to manage consent on a TV,” wrote Include Security. “Scrolling through legal text with a remote control is impractical, and in-app prompts fail to communicate that a paying customer is about to route third-party scraping traffic through their home internet.”
Sean Simmons, Spur’s head of research, told KrebsOnSecurity that most people lack a clear understanding of what it means to sell access to their residential IP address—regardless of the device involved.
“On a TV, that knowledge gap is even wider,” Simmons explained. “A one-time prompt navigated via remote can vanish into the setup process, while the app continues monetizing the connection long after users forget what they agreed to.”
Simmons urged LG and Samsung to follow the example of other TV platforms that have taken a firm stance against residential proxy providers. He pointed to **Amazon’s** policies banning apps that enable third-party proxy services, and noted that **Roku** now prohibits developers from using proxy SDKs and has removed apps that included them.

Piracy-related apps pushing proxy SDKs onto users without consent. Image: Synthient.
Of course, apps that turn devices into residential proxies aren’t limited to smart TVs or obscure streaming boxes. As highlighted by security firm **Infoblox**, mobile app developers can integrate SDKs from residential proxy networks into their apps to generate revenue—earning a small fee per installation.
The consequence, Infoblox reported, is that devices are often enrolled without the owner’s knowledge, typically through free apps like VPNs, streaming services, screensavers, or everyday “productivity” tools such as PDF viewers and break reminders.
Alarmingly, these proxy connections frequently originate from employee devices brought into corporate environments. In a recent blog post, Infoblox revealed that **65% of its customer base had queried one or more residential proxy-related domains**.
“We observed consistent growth throughout 2025, with a 25% year-over-year increase—surpassing 500 billion queries per month,” Infoblox stated. “Over 90% of our pharmaceutical and food & beverage clients have contacted residential proxy indicators. Even more troubling: over 60% of government and banking customers have done the same.”
Infoblox researchers **Nick Sundvall** and **David Brunsdon** cautioned that residential proxies in corporate settings effectively grant external access to an organization’s IP address space.
“If attackers exploit a residential proxy to target a third party, the victim’s incident response team will rightly identify your proxy as the source,” they warned. “Proving you were merely the conduit—not the attacker—takes time, creates legal risk, and can harm your reputation. The alarming prevalence of these services in enterprise environments demands attention from both network defenders and policymakers, who must assess how residential proxies may be undermining their security posture.”
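As an added example, not code from the article or from any of the firms it quotes: a small Python script that scans dnsmasq-style DNS query logs for lookups of the Popa control domains named earlier in the article, the kind of check Infoblox describes running against its customers’ DNS telemetry. The log lines are constructed, and the indicator set contains only the four domains the article names, so it illustrates the matching logic rather than a complete indicator feed.

```python
import re
from collections import defaultdict

# Popa control domains named in the article, with the de-fanged "[.]" restored
# so they match real log lines. Not exhaustive: feed this from threat intel.
POPA_DOMAINS = {"gmslb.net", "safernetwork.io", "tera-home.com", "ninjatech.io"}

# Constructed sample lines in dnsmasq query-log format (not real customer data).
SAMPLE_LOG = """\
Jun  9 10:01:02 dnsmasq[812]: query[A] www.example.org from 10.0.4.21
Jun  9 10:01:03 dnsmasq[812]: query[A] api.gmslb.net from 10.0.4.57
Jun  9 10:01:05 dnsmasq[812]: query[AAAA] cdn.tera-home.com. from 10.0.4.57
Jun  9 10:01:06 dnsmasq[812]: query[A] notgmslb.net from 10.0.4.21
Jun  9 10:01:09 dnsmasq[812]: query[A] NinjaTech.IO from 10.0.7.3
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Foo.Example.com.' compares as 'foo.example.com'."""
    return name.rstrip(".").lower()


def matches_indicator(name: str, indicators=POPA_DOMAINS):
    """Return the indicator that `name` equals or is a subdomain of, else None.

    Matching on whole labels means 'notgmslb.net' does not match 'gmslb.net'.
    """
    name = normalize(name)
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text: str, indicators=POPA_DOMAINS):
    """Map each querying source address to the set of indicators it looked up."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = matches_indicator(m.group("name"), indicators)
        if ind:
            hits[m.group("src")].add(ind)
    return dict(hits)


if __name__ == "__main__":
    for src, inds in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(inds))}")
```

Each flagged source is a host on the internal network that resolved a Popa control domain; in a corporate setting that is the starting point for finding which device or app carries the proxy SDK.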