The Invisible Infrastructure: Inside the ‘Popa’ Botnet and the Global Residential Proxy Economy
For the past four years, a clandestine digital infrastructure has operated in the background of millions of living rooms worldwide. Known as Popa, this sprawling Android-based botnet has quietly turned consumer streaming devices into a massive, global relay network. While traditional botnets are typically associated with disruptive cyberattacks, such as massive Distributed Denial-of-Service (DDoS) campaigns, Popa functions with a more subtle, persistent purpose: it creates an encrypted communication tunnel that allows third parties to route Internet traffic through unsuspecting home networks.
New investigations by cybersecurity firms—including Qurium, Synthient, and Black Lotus Labs—have linked the Popa botnet to NetNut, a commercial "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. This revelation has ignited a firestorm regarding the ethics of the modern "proxy economy," where user bandwidth is harvested to fuel the voracious data-scraping needs of the Artificial Intelligence industry.
The Architecture of Popa
Popa is not a traditional malware payload designed to encrypt files for ransom or steal banking credentials. Instead, it acts as a silent, persistent communication layer. Security experts describe it as a plugin component often bundled with the Vo1d botnet, a campaign specifically targeting unofficial Android-based TV boxes.
These streaming devices—sold under thousands of disparate brand names at major e-commerce outlets—are marketed as affordable, one-time-fee solutions for accessing subscription-based video content. However, the price of this "free" access is the user’s home network security. Once connected, the device enrolls the user’s IP address into a residential proxy service. This allows external customers to route their traffic through the device, effectively masking their digital identity behind the legitimate residential IP of the victim.

Experts warn that this setup is inherently dangerous. Because the proxy connection remains active as long as the device is plugged in, it can allow malicious actors to probe or compromise other devices on the same local network, including laptops, smart home controllers, and sensitive work-related hardware.
A Chronology of Discovery and Disruption
The digital breadcrumbs leading to the exposure of Popa began in 2025, when the Chinese security firm XLAB first identified a series of suspicious domain names used to register and direct compromised devices.
In May 2026, the security firm Qurium stumbled upon these same domains while investigating a series of aggressive data-scraping events that targeted its hosted organizations. The scraping was remarkably distributed, originating from over 1.4 million unique IP addresses. Qurium’s analysis revealed that these controllers, such as gmslb[.]net and ninjatech[.]io, were hardcoded into dozens of popular—yet illicit—streaming apps like DooFlix, CyberFlix, and Rapid Streamz.
The "Badbox" Connection
The history of Popa is inextricably linked to Badbox 2.0, a larger botnet campaign dismantled in July 2025 by a coalition involving Google, HUMAN Security, and Trend Micro. Following the seizure of many primary control domains, the operators behind Popa proved resilient. They immediately pivoted to new infrastructure. Notably, ninjatech[.]io remained active, serving as a critical hub.

The domain is tied to Moishi Kramer, whose LinkedIn profile identifies him as the Vice President of R&D at NetNut. Kramer is credited with architecting the scaling of NetNut before its acquisition by Alarum Technologies. While Kramer has publicly stated that Ninjatech ceased operations five years ago and that the Popa SDK was sold to third parties, security researchers remain skeptical, citing persistent evidence of NetNut traffic flowing through these nodes.
Supporting Data: The Scale of the Proxy Network
The sheer scale of the Popa botnet is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs (Lumen Technologies), notes that Popa typically maintains between 1.5 million and 2.5 million active IP addresses daily.
"What makes Popa dangerous is just how widely used NetNut is for reselling," Formosa explained. "Because other proxy services simply white-label NetNut’s network rather than building their own, the Popa footprint is amplified across the entire internet ecosystem. It is one of the most problematic proxy botnets currently active."
Nokia Deepfield, another security leader, has gone further in its estimations. Researcher Jérôme Meyer suggests that the total population of the botnet may be even higher than initial estimates. By monitoring a subset of relay nodes, Nokia observed that each node handles between 35,000 and 60,000 simultaneous clients, with over 750,000 unique sources appearing within a single 24-hour window.

Official Responses and Corporate Defense
In response to the mounting allegations, Alarum Technologies issued a formal statement rejecting the characterization of their technology as a "botnet."
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company stated. Alarum emphasized that NetNut maintains rigorous "Know Your Customer" (KYC) procedures and technological measures to ensure lawful usage. They maintain that the reports from firms like Synthient and Qurium rely on "demonstrably inaccurate assertions."
However, this defense is contradicted by independent analysts. Spur, a proxy-tracking service, released a report on June 8, 2026, claiming that the "verified corporations only" marketing is largely a facade. According to Spur, individuals can purchase access to these residential proxy pools using nothing more than a burner email address and a small amount of cryptocurrency, bypassing any meaningful verification.
The Implications: The AI Scraping Economy
The rise of the Popa botnet coincides with the rapid expansion of the AI industry. Modern AI models require vast datasets to "train" their systems—a process known as web-scraping. Because major cloud providers and websites routinely block traffic from known data centers, AI firms have turned to residential proxies to make their scraping traffic appear as though it is coming from a genuine home subscriber.

This has led to a symbiotic relationship between illicit streaming app developers and the AI industry. The scraping activity is so aggressive that it has begun to impact the stability of the internet itself. Nonprofit organizations, academic repositories, and libraries report frequent service disruptions as their bandwidth is consumed by "scraping bots" masked as residential users.
The "Smart" Home Vulnerability
The problem extends beyond cheap, no-name streaming boxes. Spur’s analysis of the LG and Samsung app stores found that approximately 3,000 apps on each platform contain SDKs that turn televisions into residential proxy nodes. In many cases, these apps are simple games or utility tools.
Crucially, "consent" in this context is often illusory. Navigating a complex legal disclosure on a television screen using a remote control is a poor mechanism for user transparency. Once a user clicks "accept" during a rapid setup flow, the device continues to monetize the home internet connection indefinitely, often without the user ever realizing their IP address is being sold as a commodity to third-party scrapers.
Conclusion: A Call for Industry Responsibility
The normalization of residential proxy SDKs poses a severe risk to corporate and personal network integrity. Infoblox researchers warn that when these devices are brought into corporate environments, they grant external actors a back-door into secure internal networks. "If a threat actor abuses the proxy to attack a third party, your organization will be identified as the source," researchers Nick Sundvall and David Brunsdon wrote. "Untangling that… costs time, creates legal exposure, and damages your reputation."

As the lines between legitimate monetization and malicious botnet activity continue to blur, the burden of proof falls on device manufacturers and app store operators. While companies like Amazon and Roku have begun to prohibit proxy-enabling SDKs, others remain lenient. Until platform operators mandate stricter transparency and absolute control over bandwidth usage, the "smart" devices in our homes will continue to function as silent, unwilling participants in the global scraping economy.
