The Silent Hijack: How Millions of Consumer TV Boxes Became a Global Proxy Botnet
For the past four years, a sprawling shadow infrastructure known as the Popa botnet has quietly turned millions of consumer Android-based TV boxes into unwitting conduits for illicit internet traffic. While traditional botnets are often associated with high-profile distributed denial-of-service (DDoS) attacks or ransomware, Popa represents a more insidious evolution in cybercrime: the weaponization of the residential internet connection.
New research released this week by a coalition of cybersecurity firms, including Qurium and Synthient, has drawn a direct line between the Popa botnet and NetNut, a commercial "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. This discovery has ignited a firestorm regarding the ethics of the proxy economy and the security of the devices currently sitting in millions of living rooms.
The Architecture of Popa
Unlike the chaotic, destructive botnets of the past, Popa is designed for stealth and persistence. It acts as a specialized communications layer, registering devices, maintaining long-lived encrypted tunnels, and opening pathways for third-party traffic on demand.
Experts identify Popa as a plugin component of the Vo1d botnet, a large-scale malware campaign targeting inexpensive, "no-name" Android TV boxes. These devices are ubiquitously available on major global e-commerce platforms, marketed as affordable gateways to unlimited streaming content. However, the cost of this "all-in-one" streaming experience is often the user’s home network security. Once connected, these devices essentially become residential proxies—intermediaries that allow external actors to route traffic through the owner’s IP address, masking their true origin and bypassing geo-blocks and security filters.

Chronology of a Digital Infection
The trail of breadcrumbs leading to the exposure of Popa began in 2025, when the Chinese security firm XLAB first identified nine suspicious domains used to coordinate these compromised devices.
In May 2026, the security firm Qurium encountered these same domains while investigating a series of aggressive data-scraping campaigns. Qurium’s researchers observed that scraping traffic was being distributed with surgical precision across 1.4 million unique IP addresses. By tracing the infrastructure, they identified several dozen control domains, including gmslb[.]net, safernetwork[.]io, and ninjatech[.]io.
The discovery of ninjatech[.]io proved pivotal. Historical records link this domain to Moishi Kramer, who currently serves as the Vice President of Research and Development at NetNut. LinkedIn and industry job boards explicitly credit Kramer with the foundational architecture and scaling of NetNut, which was later acquired by Alarum Technologies.
Following the industry-wide takedown of the Badbox 2.0 botnet—a close relative of Vo1d—in July 2025, many of the original Popa control domains were seized. However, new infrastructure emerged almost immediately. Qurium’s investigation confirms that these new controllers were linked to the same underlying network architecture, suggesting that the botnet did not vanish; it simply re-platformed.

Supporting Data: The Scale of the Proxy Economy
The sheer scale of the Popa network is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs (Lumen Technologies), notes that Popa sustains between 1.5 million and 2.5 million active IP addresses daily.
"What makes Popa dangerous is the amplification effect," Formosa explained. "Because NetNut is widely used by other proxy resellers, these Popa-compromised IPs appear in countless services across the ecosystem. It is a highly integrated, problematic piece of infrastructure."
Nokia Deepfield, which has been tracking the botnet’s relay nodes, estimates that the true population of compromised devices may be significantly higher than initial estimates. In a recent analysis, they observed 26 out of 359 known relay nodes handling between 35,000 and 60,000 concurrent clients each, pointing toward a massive, global operation.
Official Responses and Denials
The connection to NetNut and Alarum Technologies has been met with firm denials from the companies involved. Moishi Kramer, in a statement provided via email, maintained that Ninjatech ceased operations years ago after selling a Software Development Kit (SDK) meant for legitimate, bandwidth-sharing purposes.

"That code was sold and licensed to third parties years ago," Kramer stated. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it. I didn’t register the June 2025 domains, and I have no control over that infrastructure."
Alarum Technologies echoed these sentiments in a formal statement, labeling the reports from Synthient and Qurium as "demonstrably inaccurate." They emphasized that NetNut operates as a commercial, lawful proxy network and employs rigorous "Know Your Customer" (KYC) procedures.
However, this claim is contested by the proxy-tracking service Spur. In a June 2026 report, Spur argued that these KYC measures are often superficial. "The ‘verified corporations only’ claim is simply marketing," the report stated. "Anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto."
The AI Scraping Connection
The primary utility for these residential proxies in 2026 is the voracious appetite of the AI industry. As Large Language Models (LLMs) require massive datasets for training, companies have turned to web scraping to gather text, images, and video.

However, the modern web is heavily guarded by bot-detection services like Cloudflare and DataDome. These services routinely block datacenter IP addresses. To circumvent these blocks, scrapers use residential proxies to make their requests appear as if they are coming from legitimate home users.
This has turned the household TV box into a high-value asset for AI companies. Include Security recently noted that the modern web is no longer "scrapeable" from a datacenter, forcing a reliance on residential connections. This creates a parasitic relationship where nonprofit organizations, academic repositories, and libraries find their services overwhelmed by "aggressive bots" attempting to scrape content for AI model training.
Wider Implications: The "Smart" Home as a Security Liability
The issue is not limited to cheap, unofficial TV boxes. Investigations by Spur into the LG and Samsung app stores reveal that approximately 42% of apps on LG’s webOS and 25% of apps on Samsung’s Tizen OS contain SDKs that turn the television into an always-on residential proxy node.
The security implications for the average household—and the enterprise—are profound.

- Legal Exposure: If a device on a home network is used for illegal activity, the homeowner’s IP address is flagged as the source, leading to potential legal complications.
- Corporate Risk: The threat is particularly acute in enterprise environments. Infoblox researchers found that 65% of their customer base was querying residential proxy domains. When an employee brings a compromised device—or even just a mobile phone with a "productivity" app—into the office, they effectively create a backdoor into the corporate network.
- Loss of Privacy: The "consent" model for these apps is notoriously flawed. Navigating complex legal disclosures with a TV remote is an exercise in futility, and many users remain unaware that their bandwidth is being monetized by third parties.
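The Infoblox finding above rests on a simple defensive check that any network team can run: look at who on the network is resolving known proxy-control domains. The following script is an added illustration, not code from the article, Qurium, Infoblox or any of the firms named here. It takes the three control domains the Qurium investigation identified (gmslb[.]net, safernetwork[.]io and ninjatech[.]io, re-fanged) as a watchlist, parses a constructed dnsmasq-style query log, and reports which internal clients resolved those domains or any subdomain of them. The log format, client addresses and timestamps are invented for the example; a real deployment would feed it resolver logs and keep the watchlist current, since the article notes that the controller infrastructure re-platformed after the July 2025 takedown.

```python
"""Flag internal hosts resolving known Popa/Vo1d proxy-control domains (added example)."""
import re
from collections import defaultdict

# Control domains named in the article's account of the Qurium investigation.
# The article prints them defanged; they are re-fanged here for matching.
POPA_CONTROL_DOMAINS = {"gmslb.net", "safernetwork.io", "ninjatech.io"}

# Constructed sample resolver log in a dnsmasq-like layout; not real telemetry.
SAMPLE_DNS_LOG = """\
2026-06-01T09:14:02Z query[A] api.example.com from 10.0.0.12
2026-06-01T09:14:05Z query[A] relay3.gmslb.net from 10.0.0.44
2026-06-01T09:14:07Z query[AAAA] cdn.example.org from 10.0.0.12
2026-06-01T09:14:09Z query[A] safernetwork.io from 10.0.0.44
2026-06-01T09:14:11Z query[A] notgmslb.net from 10.0.0.18
2026-06-01T09:14:15Z query[A] www.ninjatech.io from 10.0.0.51
"""

# One log line: timestamp, query type, queried name, querying client.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)


def matches_control_domain(qname, watchlist=POPA_CONTROL_DOMAINS):
    """Return the watchlisted domain that qname equals or sits under, else None.

    Matching is done on label boundaries, so 'notgmslb.net' is not a hit for
    'gmslb.net' while 'relay3.gmslb.net' is. A trailing dot (FQDN form) is ignored.
    """
    name = qname.rstrip(".").lower()
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_clients(log_text, watchlist=POPA_CONTROL_DOMAINS):
    """Map each client address to the set of watchlisted domains it resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unrelated or malformed lines rather than failing
        domain = matches_control_domain(rec["qname"], watchlist)
        if domain:
            hits[rec["client"]].add(domain)
    return dict(hits)


if __name__ == "__main__":
    for client, domains in sorted(find_suspect_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client} resolved proxy-control domains: {', '.join(sorted(domains))}")
```

Against the sample log this reports 10.0.0.44 (two control domains) and 10.0.0.51, and correctly ignores 10.0.0.18, whose lookup of notgmslb.net only shares a suffix string. A hit on a TV box or phone is a prompt to isolate the device and inspect it, not proof of infection on its own; the same domains could be resolved by a security scanner or a curious user.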
Conclusion: A Call for Regulation
The Popa botnet is a symptom of a larger, systemic failure in the way IoT devices are governed and how proxy services are permitted to operate. While some platforms like Amazon and Roku have taken steps to ban apps that bundle residential proxy SDKs, the problem remains widespread.
For network defenders and policymakers, the message is clear: the residential proxy economy is no longer a fringe issue. It is a critical security risk that blurs the line between legitimate traffic and malicious activity, turning the very infrastructure of the modern home into a tool for global data scraping and cybercrime. Until device manufacturers and regulators enforce stricter controls on app store content and SDK distribution, the "smart" devices in our homes will continue to serve as silent participants in a massive, unconsenting digital workforce.
