July 7, 2026

The Ghost in Your Living Room: How the "Popa" Botnet Turns Smart TVs Into Silent Proxy Proxies for Global AI Scraping

the-ghost-in-your-living-room-how-the-popa-botnet-turns-smart-tvs-into-silent-proxy-proxies-for-global-ai-scraping

the-ghost-in-your-living-room-how-the-popa-botnet-turns-smart-tvs-into-silent-proxy-proxies-for-global-ai-scraping

For the past four years, a sprawling, sophisticated Android-based botnet known as Popa has quietly co-opted millions of consumer TV boxes. Rather than launching high-profile distributed denial-of-service (DDoS) attacks or deploying ransomware, this digital phantom serves a more insidious purpose: it transforms everyday household streaming devices into relay nodes for a massive, global residential proxy network.

Recent investigations by a coalition of security firms, including Qurium, Synthient, and Black Lotus Labs, have established a direct link between the Popa infrastructure and NetNut, a commercial "residential proxy" provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. This revelation exposes the dark underbelly of the booming AI-scraping economy, where the "brains" of modern artificial intelligence are often trained on data harvested through the hijacked internet connections of unsuspecting consumers.


The Mechanics of Popa: A Persistent Communications Layer

Unlike traditional botnets that seek to paralyze targets, Popa is designed for endurance and stealth. Security researchers describe it as a specialized plugin component often bundled with the Vo1d botnet, a large-scale malware campaign targeting inexpensive, "no-name" Android TV boxes. These devices, which are readily available on major e-commerce platforms, are marketed as low-cost solutions for streaming subscription content for a one-time fee.

However, the "convenience" of these boxes comes at a hidden price. Once plugged into a wall socket and connected to a home network, the Popa plugin activates a persistent communications layer. This layer registers the device with a central command-and-control (C2) server, maintains long-lived encrypted connections, and opens communication tunnels on demand. In essence, the user’s home IP address becomes a "residential proxy"—a gateway that allows third-party clients to route their internet traffic through the device, effectively masking the true source of that traffic.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Chronology of a Digital Infection

The origins of Popa can be traced back to a 2025 report by the Chinese security firm XLAB, which identified several domain names used to orchestrate the movement of compromised devices. The trail went cold for many as the industry focused on other threats, but in May 2026, the security firm Qurium stumbled upon the same infrastructure while investigating a wave of aggressive data-scraping events.

The Rise and "Rebirth" of Control Domains

Qurium discovered that the scraping activity—which affected over 1.4 million IP addresses—was coordinated through a network of domains, including gmslb[.]net, safernetwork[.]io, and ninjatech[.]io. These domains were found embedded within various pirated streaming applications, such as DooFlix, RTS Tv, and Flixoid.

A critical turning point occurred in July 2025, when a coalition including Google, HUMAN Security, and Trend Micro dismantled Badbox 2.0, a botnet closely related to Vo1d. While many of the original control domains were seized, Popa operators simply rotated their infrastructure. Among the "new" domains identified by researchers was ninjatech[.]io.

Public records, including a LinkedIn profile and an F6S company listing, link ninjatech[.]io to Moishi Kramer, who serves as the Vice President of Research and Development at NetNut. This connection provides the strongest evidence yet of a direct pipeline between the malware-infected streaming boxes and the commercial proxy services offered by Alarum Technologies.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Supporting Data: The Scale of the Proxy Economy

The sheer scale of the Popa botnet is staggering. Chris Formosa, a senior lead information security engineer at Black Lotus Labs, estimates that Popa averages between 1.5 million and 2.5 million distinct IP addresses daily, managed by a fleet of 250 to 300 control nodes.

Depth of Penetration

The threat is not limited to cheap streaming boxes. Jérôme Meyer of Nokia Deepfield suggests that the actual population of infected devices may be significantly higher than initial estimates. By monitoring just 26 of 359 identified relay nodes, Meyer observed 750,000 unique sources in a single 24-hour window, with each node handling tens of thousands of concurrent connections.

Furthermore, the proxy-tracking service Spur recently analyzed the official app stores for LG (webOS) and Samsung (Tizen) smart TVs. Their findings were alarming: approximately 42% of apps on LG’s platform and 25% on Samsung’s included SDKs that could turn the television into an always-on residential proxy node.


Official Responses and Denials

The allegations have sparked a heated debate regarding corporate accountability in the proxy market.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The Stance of Alarum Technologies

In a formal statement, Alarum Technologies/NetNut dismissed the findings as "demonstrably inaccurate assertions and flawed deductions." The company maintains that its SDKs are designed for "bandwidth-sharing functionality" and do not constitute a "botnet." They insist that their services are built upon "appropriate notice and consent mechanisms" and that they perform rigorous "Know Your Customer" (KYC) due diligence to prevent misuse.

The Rebuttal from Security Researchers

Security firms remain unconvinced. Synthient, in their independent analysis, noted that outbound traffic from Popa-infected devices clearly leads to NetNut’s infrastructure. They concluded that devices running Popa are unequivocally used by NetNut clients.

Moreover, Spur challenges the validity of proxy providers’ KYC claims. Their report argues that the "verified corporations only" marketing is a thin veil, noting that anyone with a burner email and a small amount of cryptocurrency can purchase access to the proxy pool. Synthient’s research further notes that while newer versions of the Popa SDK may include a consent prompt, none of the 20+ "genuine" publishers analyzed actually displayed one to the end user.


Implications: The AI-Scraping Economy

The symbiosis between residential proxies and the AI industry is the driving force behind this phenomenon. AI models require massive amounts of data to train, and major web platforms—such as Google, Meta, and others—have implemented strict rate-limiting and blocking mechanisms to prevent unauthorized scraping from datacenter IP addresses.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

By using residential proxies, scrapers bypass these defenses. When a request originates from a residential IP (like a home TV box), it is perceived as legitimate traffic from a standard subscriber, making it nearly impossible to block without impacting real users.

The Human Cost

This has led to significant service disruptions for universities, libraries, and non-profits. The Confederation of Open Access Repositories (COAR) reported that over 90% of institutions are facing aggressive bot traffic, leading to site slowdowns and outages.

Beyond the technical impact, the legal exposure is immense. If a threat actor uses a residential proxy to conduct a cyberattack, the IP address points directly to the consumer’s home. Infoblox researchers Nick Sundvall and David Brunsdon warn that even corporate environments are increasingly compromised by these SDKs, potentially exposing businesses to legal liability if their networks are used as a launchpad for illicit activities.


Conclusion: A Call for Better Governance

The Popa/NetNut controversy highlights a critical failure in the current internet ecosystem: the commodification of the "last mile" of home connectivity. As long as smart TV manufacturers, app developers, and proxy providers prioritize monetization over privacy and security, the "ghost" in the living room will remain.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Industry experts are now calling for a shift in policy. Some platforms, such as Amazon and Roku, have already taken steps to ban apps that bundle residential proxy SDKs. For consumers, the message is clear: if an app on your smart TV offers "free" premium content or questionable utility, it may be paying for its existence by selling your bandwidth—and your digital reputation—to the highest bidder in the AI-scraping market. Without tighter oversight from regulators and more responsible design from device manufacturers, the home internet connection will continue to be a silent, exploited asset in the race for AI dominance.