July 12, 2026

The Living Room Botnet: How Millions of Streaming Devices Became the Backbone of a Global Proxy Empire

the-living-room-botnet-how-millions-of-streaming-devices-became-the-backbone-of-a-global-proxy-empire

the-living-room-botnet-how-millions-of-streaming-devices-became-the-backbone-of-a-global-proxy-empire

For the past four years, a sprawling, shadow-like Android-based botnet known as Popa has quietly commandeered millions of consumer TV boxes. These devices, often purchased as inexpensive, "all-in-one" streaming solutions, have been repurposed into a global relay network for advertising fraud, massive data-scraping operations, and surreptitious account takeovers.

This week, a multi-firm investigation by cybersecurity researchers has formally linked the Popa botnet to NetNut, a prominent “residential proxy” provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. The findings expose a disturbing new reality in the digital age: the hardware in your living room may be serving as an unwitting soldier in a multi-billion-dollar war for internet data.

The Mechanics of the Popa Botnet

Unlike traditional botnets—which typically enlist compromised systems for destructive ends like massive Distributed Denial-of-Service (DDoS) attacks—Popa is designed for stealth and utility. It functions as a persistent, low-profile communications layer. Its primary goal is not to crash servers, but to facilitate a long-lived, encrypted tunnel that allows third parties to route their internet traffic through a consumer’s home network.

Experts describe Popa as a specialized plugin component of the Vo1d botnet, a large-scale malware campaign targeting unofficial Android-based TV boxes. These devices, marketed under thousands of transient brand names and readily available on top e-commerce platforms, promise users access to "free" streaming content for a one-time fee. In reality, the "price" is the user’s home bandwidth and security. By plugging these boxes into a wall socket and connecting them to a local network, users inadvertently turn their homes into "residential proxies," allowing external actors to mask their true IP addresses behind the identities of unsuspecting households.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

A Chronology of Discovery

The first significant breadcrumbs regarding Popa’s origins were unearthed in a 2025 report by the Chinese security firm XLAB, which identified at least nine domains used to register and direct the activities of the compromised hardware.

The investigation gained significant momentum in May 2026, when the security firm Qurium encountered the same domains while investigating a series of aggressive data-scraping events. Qurium observed that the traffic was being distributed with surgical precision across more than 1.4 million distinct internet addresses. Their forensic analysis revealed several dozen control domains, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.

The discovery of ninjatech[.]io provided a critical link. Public records and professional profiles identify the domain as being associated with Moishi Kramer, currently the vice president of research and development at NetNut. Kramer’s professional history credits him with designing the architecture and scaling the NetNut network from the ground up prior to its acquisition by Alarum Technologies.

While many of the original Popa domains were seized in July 2025 during a coordinated effort by Google, HUMAN Security, and Trend Micro to dismantle the "Badbox 2.0" botnet, the network proved resilient. Almost immediately following the takedown, new domains were registered, ensuring that the relay service continued without interruption.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The Symbiosis of Proxies and the AI Scraping Economy

The rise of Popa coincides with a massive, investor-fueled expansion in the Artificial Intelligence sector. AI companies depend heavily on web-scraped content for pre-training large language models (LLMs). However, modern web defenses—such as those deployed by Cloudflare, DataDome, and HUMAN Security—are highly effective at blocking requests originating from datacenter IP addresses.

To bypass these filters, scraping firms turn to residential proxies. By routing requests through a residential connection (like a home fiber or cable line), the scraping traffic appears to be a legitimate, local user. This demand has turned the "residential proxy" industry into critical, albeit controversial, infrastructure for the AI economy.

The consequences for the public are significant. Non-profit organizations, academic repositories, and libraries report being overwhelmed by aggressive bot traffic that slows down services and, in some cases, causes complete outages. A survey by the Confederation of Open Access Repositories (COAR) found that over 90% of repositories are battling aggressive bots on a weekly basis, highlighting the tension between open-access information and the voracious data appetites of AI startups.

Official Responses and Denials

In response to these findings, Moishi Kramer issued a statement claiming that Ninjatech ceased operations approximately five years ago. He asserted that the company sold a software development kit (SDK) called "Popa" intended for legitimate, consented bandwidth sharing. "Once software is distributed that way, the original developer has no control over how others later modify, rebrand, or deploy it," Kramer stated, denying any current involvement in or visibility into the infrastructure being used today.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Alarum Technologies, the parent company of NetNut, echoed these sentiments, labeling the reports from Synthient and Qurium as containing "demonstrably inaccurate assertions." In an official statement, the firm rejected the "botnet" characterization, arguing that their SDKs are designed to facilitate commercial, lawful bandwidth sharing.

"NetNut operates a commercial proxy network and maintains policies, procedures, and technological measures designed to promote lawful and responsible use of its services," the statement read. Alarum maintains that it performs "Know Your Customer" (KYC) checks and employs internal monitoring to mitigate misuse.

However, these claims are disputed by industry analysts. In a report released on June 8, the proxy-tracking service Spur argued that NetNut’s "verified corporations only" claim is largely a marketing tactic. According to Spur, individuals can often sign up, pay with cryptocurrency, and gain access to proxy pools with little to no meaningful vetting, effectively bypassing the safeguards that the company claims to enforce.

The Pervasive Nature of the Threat

The scale of the Popa botnet is staggering. Chris Formosa, a senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, notes that Popa averages between 1.5 million and 2.5 million distinct IP addresses daily.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

"What makes Popa dangerous is just how widely used NetNut is for reselling," Formosa explained. "Because these IPs appear in so many different services across the ecosystem, the power of this botnet is highly amplified."

Other experts suggest the true scale may be even larger. Jérôme Meyer of Nokia Deepfield reported that his team is monitoring a subset of relay nodes that handle between 35,000 and 60,000 clients simultaneously. Nokia’s research suggests that the total population of devices participating in the Popa botnet may be significantly higher than initial estimates.

Implications for Corporate and Home Security

The threat is not confined to obscure streaming boxes. Modern smart TVs from major manufacturers like LG and Samsung have also been implicated. Research by Spur revealed that approximately 42% of apps available on LG’s webOS and over 25% of apps for Samsung’s Tizen OS contain SDKs that can turn a television into an always-on residential proxy node.

The implications for the corporate sector are particularly dire. Infoblox, a network security firm, found that 65% of its customer base—including pharmaceutical companies, banks, and government agencies—were querying residential proxy-related domains. When employees bring infected mobile devices or laptops into a corporate environment, they inadvertently provide external actors with a "backdoor" into the organization’s network.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

If an attacker uses a company’s IP space to commit fraud or illegal activity, the organization becomes the primary suspect in any resulting investigation. As Infoblox researchers Nick Sundvall and David Brunsdon warned, "Untangling that, by proving that you were the conduit and not the threat actor, costs time, creates legal exposure, and can damage your reputation."

Conclusion: The Need for Vigilance

The Popa botnet serves as a stark reminder that in an increasingly connected world, every device is a potential point of entry. While platforms like Amazon and Roku have taken steps to ban apps that facilitate proxy services, the problem remains systemic.

As long as there is a lucrative market for residential IP addresses to feed the AI and data-scraping industries, the incentive for developers to hide proxy SDKs in free apps will persist. For the average consumer, the lesson is clear: if an app or a "deal" on a streaming device seems too good to be true, it likely comes at the expense of your digital privacy and the security of your home network.