July 7, 2026

The Hidden Conduit: How Millions of TV Boxes Fuel a Global Data-Scraping Machine

the-hidden-conduit-how-millions-of-tv-boxes-fuel-a-global-data-scraping-machine

the-hidden-conduit-how-millions-of-tv-boxes-fuel-a-global-data-scraping-machine

For the past four years, a sprawling, persistent Android-based botnet known as "Popa" has quietly co-opted millions of consumer streaming devices. These devices, often purchased as inexpensive, "no-name" TV boxes, serve as more than just entertainment centers; they function as relay nodes for a vast, covert infrastructure used for advertising fraud, account takeovers, and massive data-scraping campaigns.

This week, an investigation involving multiple leading cybersecurity firms has traced the origins of the Popa botnet to NetNut, a residential proxy provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. The discovery sheds light on a dark corner of the digital economy, where the line between legitimate bandwidth monetization and malicious botnet activity has become dangerously blurred.

The Anatomy of the Popa Botnet

Unlike the high-profile, destructive botnets of the past—which often harnessed compromised systems to launch massive distributed denial-of-service (DDoS) attacks against government or corporate infrastructure—Popa is designed for stealth and longevity. It operates as a persistent communication layer, designed to register devices, maintain encrypted long-lived connections, and open communication tunnels on demand.

Popa is a plugin component associated with the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based streaming boxes. These devices are marketed under thousands of brand names and are widely available on major e-commerce platforms. While they are sold with the promise of "all-you-can-stream" access to subscription services for a one-time fee, they arrive pre-loaded with software that effectively turns the user’s home network into a residential proxy node.

A "residential proxy" allows third parties to route their internet traffic through a home IP address. To a target website, this traffic appears to originate from a legitimate, residential broadband subscriber rather than a data center. While this technology has legitimate uses, the Popa botnet exploits it to bypass security filters and perform massive, automated data scraping.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Chronology of Discovery and Attribution

The investigation into Popa began in earnest in 2025, when researchers at the Chinese security firm XLAB identified nine domain names used to manage compromised devices. These domains were later scrutinized by Qurium, a security firm investigating a series of disruptive, high-cost data-scraping events in May 2026.

Qurium’s forensic analysis revealed that the scraping activity was distributed across 1.4 million unique IP addresses. By mapping the control infrastructure, Qurium identified several dozen domains—including gmslb[.]net, safernetwork[.]io, and ninjatech[.]io—that were embedded within popular pirated streaming apps like CRICFy, DooFlix, and CyberFlix.

In July 2025, a coalition involving Google, HUMAN Security, and Trend Micro dismantled Badbox 2.0, a botnet closely linked to Vo1d. While many of the original Popa control domains were seized during this operation, the botnet proved resilient. Within days, new control infrastructure emerged, including the previously identified ninjatech[.]io.

The connection to NetNut became clear through the ownership of this domain. Moishi Kramer, whose professional history identifies him as the VP of R&D at NetNut, is listed as the sole owner of Ninjatech. Kramer’s LinkedIn profile explicitly credits him with designing the architecture and scaling the NetNut platform before its acquisition by Alarum Technologies.

Data-Driven Insights: The Scale of the Threat

The reach of the Popa botnet is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs (Lumen Technologies), notes that Popa averages between 1.5 million and 2.5 million distinct IP addresses daily.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

"What makes Popa dangerous is how widely used NetNut is for reselling," Formosa explains. "These IPs appear in countless services across the ecosystem. It may not be the largest botnet in existence, but its integration into the proxy market amplifies its power significantly."

Nokia Deepfield, another key researcher in this space, suggests the scale may be even larger. By monitoring a subset of relay nodes, Nokia estimates that each node handles between 35,000 and 60,000 simultaneous clients, suggesting that the total pool of compromised devices could dwarf current estimates.

The AI-Scraping Economy

The surge in interest for residential proxies is not coincidental; it is driven by the rapid growth of the Artificial Intelligence (AI) industry. AI firms require massive datasets to train Large Language Models (LLMs), and they rely on constant, aggressive web scraping to gather text, images, and video.

"The modern web is not scrapeable from a datacenter," notes a report by Include Security. "Platforms like Cloudflare and DataDome block or throttle traffic from known cloud IPs. The workaround is residential proxies."

This has created a perverse symbiosis: AI companies, seeking to build the future of intelligence, are increasingly reliant on proxy networks that are, in turn, fueled by malware-ridden streaming boxes in unsuspecting living rooms. This activity has led to over 70 copyright infringement lawsuits and constant service disruptions for universities, nonprofit organizations, and research repositories that cannot keep up with the volume of automated requests.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Official Responses and Denials

When presented with these findings, Moishi Kramer stated that Ninjatech ceased operations approximately five years ago, after selling a software development kit (SDK) known as "Popa."

"That code was sold and licensed to third parties years ago," Kramer said in an email. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it. I have no control over, or visibility into, that infrastructure. It is not operated by me or by NetNut."

Alarum Technologies, the parent company of NetNut, rejected the findings as "demonstrably inaccurate." Their official statement argued that the SDKs are designed for legitimate bandwidth-sharing and do not constitute a botnet.

"NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use," the company stated, emphasizing their commitment to "Know Your Customer" (KYC) procedures.

However, independent research from Spur casts doubt on these claims. Spur’s analysis indicates that many proxy providers—including those using NetNut’s infrastructure—lack meaningful verification. "The ‘verified corporations only’ claim is simply marketing," Spur wrote. "Anyone who knows where to look can buy access through a reseller with nothing more than a burner email address and $5 in crypto."

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Implications for Corporate and Personal Security

The risks associated with the Popa botnet extend far beyond the privacy of the average consumer. The problem has permeated the corporate world. Infoblox reported that 65% of its customer base—including pharmaceutical, food and beverage, banking, and government organizations—was querying residential proxy-related domains.

When an employee brings a device infected with a proxy SDK into a secure corporate environment, the device can effectively "punch a hole" in the company’s firewall. If that device is used by a threat actor to attack a third party, the company’s own IP space becomes the primary suspect in the subsequent incident response.

"Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation," warn Infoblox researchers Nick Sundvall and David Brunsdon.

The Future of Residential Proxy Regulation

The prevalence of proxy SDKs is not limited to cheap TV boxes. Spur found that 42% of apps in the LG webOS app store and 25% of apps in the Samsung Tizen store contained residential proxy components.

Privacy experts argue that "consent" in these cases is a fiction. Navigating a complex legal document with a TV remote is not a viable way to inform a user that their home internet connection is being auctioned off to the highest bidder.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

While companies like Amazon and Roku have begun to ban apps that facilitate third-party proxy services, the broader industry remains largely unregulated. As the AI scraping economy continues to demand more residential bandwidth, the incentive to co-opt devices—from smart TVs to mobile phones—will only grow.

For the average user, the advice from security professionals is clear: be wary of "free" streaming apps and utility software, particularly on non-standard devices. For organizations, the mandate is equally pressing: network defenders must treat residential proxy traffic not as a nuisance, but as a systemic security threat that requires active monitoring, strict policy enforcement, and, where possible, outright blocking at the perimeter.