
For four years, a silent digital architecture has operated in the background of millions of living rooms worldwide. Known as Popa, this sprawling Android-based botnet has turned mundane, low-cost streaming TV boxes into clandestine relay stations for the global internet’s most aggressive data-scraping operations. While traditional botnets are often associated with loud, disruptive DDoS attacks, Popa represents a more insidious shift: the commodification of residential bandwidth for the profit-driven AI industry.
New research released this week by multiple cybersecurity firms has linked the Popa botnet to NetNut, a prominent "residential proxy" provider owned by the NASDAQ-listed Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. This discovery exposes the dark underbelly of the modern AI boom, where the "brains" behind advanced large language models (LLMs) are frequently built on the backs of unsuspecting consumers whose home internet connections are being repurposed without their explicit or informed consent.
The Anatomy of the Popa Botnet
Popa is not a conventional malware threat designed to encrypt files or steal banking credentials. Instead, it is a highly efficient, persistent communications layer. Once installed, it registers the host device—usually a cheap, "no-name" Android TV box purchased via major e-commerce platforms—and maintains a long-lived, encrypted tunnel. This allows the botnet operators to route vast amounts of internet traffic through the user’s home network on demand.
The botnet is a key component of the Vo1d malware campaign, which targets unofficial Android streaming devices. These boxes are often marketed as "jailbroken" or "all-in-one" entertainment solutions, promising access to subscription video services for a one-time fee. In reality, they are trojan horses. Once plugged into a wall outlet and connected to a home Wi-Fi network, these devices begin relaying traffic for NetNut’s clients, effectively masking the true origin of web-scraping activities behind the legitimate IP addresses of residential households.

A Chronology of Discovery and Disruption
The origins of the Popa network have been gradually unmasked by a series of investigative reports over the last two years:
- 2025: The Chinese security firm XLAB identified nine critical domains used to coordinate the activities of compromised Android devices.
- July 2025: A massive collaborative effort between Google, HUMAN Security, and Trend Micro successfully dismantled the Badbox 2.0 botnet—a close relative of Vo1d. While many controllers were seized, the botnet proved resilient; within days, new domains emerged to take their place.
- May 2026: The security firm Qurium launched an investigation into mysterious, high-volume data scraping events. They discovered that the scraping traffic was distributed evenly across 1.4 million unique IP addresses. Qurium traced these activities back to the same domains previously associated with Popa, noting that while many old domains were dead, newer ones—specifically ninjatech[.]io—had stepped in to fill the void.
- June 2026: The proxy-tracking service Synthient released a comprehensive report confirming that the Popa software development kit (SDK) contained clear markers linking its outbound traffic directly to NetNut infrastructure.
Supporting Data: The Scale of the Intrusion
The sheer scale of the Popa botnet is staggering. Chris Formosa, a senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, estimates that the botnet maintains between 1.5 million and 2.5 million distinct, active IP addresses daily.
"What makes Popa especially dangerous is how widely integrated it is," Formosa explained. "Because other proxy services often white-label or resell NetNut’s infrastructure, the Popa footprint is amplified across the entire internet ecosystem. It is arguably one of the most problematic proxy botnets currently active."
Nokia Deepfield, another key player in threat intelligence, suggests that the total number of devices could be even higher. Researcher Jérôme Meyer reported that monitoring just 26 of the 359 known relay nodes revealed 750,000 unique sources over a 24-hour period. With each relay node capable of handling up to 60,000 concurrent connections, the capacity for mass data harvesting is virtually unparalleled.

The Corporate Stance and Official Responses
The links to NetNut and its parent company, Alarum Technologies, have triggered a sharp response from the firm. In a statement, Alarum characterized the research by Synthient and Qurium as "demonstrably inaccurate" and "flawed."
"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," Alarum stated. The company maintains that it employs rigorous "Know Your Customer" (KYC) procedures and technological safeguards to ensure its network is used for "lawful and responsible" purposes.
However, independent security researchers challenge these assertions. Spur, a proxy-tracking firm, recently published an audit claiming that NetNut’s "verified corporation" policy is largely marketing rhetoric. Their analysis suggests that anyone with a burner email address and $5 in cryptocurrency can gain access to the same residential proxy pools used by corporate entities.
Moishi Kramer, the founder of the Ninjatech domain and a VP of R&D at NetNut, stated that Ninjatech ceased operations five years ago after selling the Popa SDK to third parties. He claims to have no control over the current deployment or the registration of recent control domains.

The "AI Scraping" Economy: Why Your TV is a Target
Why would a proxy provider want access to millions of smart TVs? The answer lies in the explosive growth of Artificial Intelligence. Modern AI models require petabytes of training data—text, images, and video—which must be scraped from the web. However, major websites have become adept at blocking traffic coming from cloud-based data centers (e.g., AWS, Azure).
By routing scraping traffic through residential IP addresses, AI companies can bypass these blocks. The target website "sees" the traffic as coming from a standard home subscriber, not a massive automated server.
Include Security, a firm that recently analyzed the prevalence of these SDKs, noted in their June 2026 report: "The modern web isn’t scrapeable from a datacenter. The workaround is residential proxies. A scraping job routed through a consumer’s connection arrives at the target site from an IP that belongs to a paying residential customer."
Implications: The Risks to Consumers and Corporations
The implications of this silent botnet reach far beyond slow streaming speeds or minor privacy concerns.

1. Privacy and Security Risks
When a device becomes a residential proxy node, the user’s home network is effectively opened to the public internet. Malicious actors using the proxy network can perform unauthorized activities, such as credential stuffing or attacking other devices on the user’s local area network (LAN), using the homeowner’s own IP address as a shield.
2. Corporate Exposure
The threat is not limited to cheap streaming boxes. Infoblox discovered that 65% of their corporate customers—including pharmaceutical, food, government, and banking organizations—have devices on their internal networks querying residential proxy domains. When an employee connects a work device to a network that has been "proxy-enabled" via an app, they may inadvertently grant external attackers a foothold into sensitive corporate environments.
"If threat actors abuse the residential proxy to attack a third party, the third party’s incident response will correctly identify your residential proxy as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "Untangling that, by proving you were the conduit and not the threat actor, creates immense legal and reputational exposure."
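The signal Infoblox describes, internal hosts resolving domains tied to residential proxy SDKs, is something a network defender can check for in ordinary resolver logs. The following script is an added example written for this article; it is not Infoblox's, Synthient's or any other vendor's tooling. It loads a defanged indicator list (the only indicator taken from the article is ninjatech[.]io; the other entries are labelled placeholders standing in for a maintained threat-intelligence feed), parses a constructed DNS query log in a simple "timestamp client qname" format, and reports which internal clients queried a watchlisted domain or any of its subdomains.

```python
"""Watchlist-based detection of residential-proxy DNS activity.

Added example for this article (not code from Infoblox or any other vendor
named in the text). Indicators are loaded defanged, as they appear in public
reports, and matched against a constructed resolver log.
"""
import re
from collections import defaultdict

# Indicator feed in the defanged form used by published reports.
# ninjatech[.]io is named in the article; the ".invalid" entries are
# placeholders that a real deployment replaces with a maintained feed.
WATCHLIST_FEED = """\
# one domain per line, defanged
ninjatech[.]io
example-proxy-sdk[.]invalid
example-relay-cdn[.]invalid
"""

# Constructed sample log: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2026-06-02T08:14:03Z 10.20.5.17 api.ninjatech.io
2026-06-02T08:14:05Z 10.20.5.17 time.google.com
2026-06-02T08:14:09Z 10.20.5.42 www.example.com
2026-06-02T08:15:11Z 10.20.5.17 relay3.example-relay-cdn.invalid
2026-06-02T08:15:40Z 10.20.7.9 ninjatech.io
2026-06-02T08:16:02Z 10.20.5.42 notninjatech.io
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def refang(indicator):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def load_watchlist(feed_text):
    """Parse a defanged indicator feed, skipping blanks and '#' comments."""
    domains = set()
    for line in feed_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domains.add(refang(line))
    return domains


PROXY_DOMAINS = load_watchlist(WATCHLIST_FEED)


def match_watchlist(qname, watchlist=PROXY_DOMAINS):
    """Return the watchlisted domain that qname equals or is a subdomain of.

    Label-boundary matching ('.' + domain) is used so that an unrelated
    name like 'notninjatech.io' is not flagged by a plain suffix test.
    """
    q = qname.lower().rstrip(".")
    for domain in watchlist:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def parse_line(line):
    """Parse one log line into (timestamp, client_ip, qname) or None."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def find_proxy_queries(log_text, watchlist=PROXY_DOMAINS):
    """Map each client IP to {matched_domain: query_count} for watchlist hits."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, client, qname = parsed
        domain = match_watchlist(qname, watchlist)
        if domain is not None:
            hits[client][domain] += 1
    return {client: dict(counts) for client, counts in hits.items()}


def format_alerts(hits):
    """Render one alert line per flagged client for a SOC queue or ticket."""
    lines = []
    for client in sorted(hits):
        detail = ", ".join(f"{d} x{n}" for d, n in sorted(hits[client].items()))
        lines.append(f"ALERT residential-proxy DNS activity from {client}: {detail}")
    return lines


if __name__ == "__main__":
    for alert in format_alerts(find_proxy_queries(SAMPLE_DNS_LOG)):
        print(alert)
```

Against the constructed log, two of the three clients are flagged and the look-alike name notninjatech.io is correctly ignored. Two caveats matter in practice: the watchlist must come from a maintained feed rather than a static file, since the chronology above shows control domains being replaced within days of a takedown, and a device that resolves names over DNS-over-HTTPS never appears in the resolver log at all, so this check complements rather than replaces flow-level monitoring of long-lived outbound connections.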
3. The Failure of Consent
Perhaps the most alarming aspect is the normalization of "consent" via complex End User License Agreements (EULAs). Apps on LG and Samsung smart TVs have been found to include proxy SDKs in their code. Spur’s research found that over 42% of apps on LG’s webOS and 25% on Samsung’s Tizen include these components.

Privacy experts argue that it is functionally impossible for a user to provide informed consent for a background proxy service while navigating a TV app with a remote control. The "opt-in" is often hidden in the fine print of a legal document, and once activated, it remains active long after the user has forgotten the initial installation.
Conclusion: A Call for Regulation
As the AI industry continues to fuel demand for mass-scale scraping, the incentive to co-opt residential bandwidth will only increase. While some platforms like Roku and Amazon have taken proactive steps to ban proxy SDKs, the broader ecosystem remains largely unregulated.
For the average consumer, the message is clear: the "smart" features on modern devices are increasingly being designed to monetize the user’s infrastructure. Whether it is a $30 streaming box or a high-end smart TV, the underlying reality is that the home network has become the next frontier in the global data-scraping war—and until manufacturers and regulators intervene, the user is the one paying the bill.
