July 18, 2026

The Silent Hijack: How Millions of Consumer TV Boxes Became Weapons in the Global AI Scraping Economy

the-silent-hijack-how-millions-of-consumer-tv-boxes-became-weapons-in-the-global-ai-scraping-economy

the-silent-hijack-how-millions-of-consumer-tv-boxes-became-weapons-in-the-global-ai-scraping-economy

For the past four years, a sprawling, sophisticated Android-based botnet known as Popa has silently commandeered millions of consumer TV streaming boxes. Rather than engaging in the headline-grabbing destruction of distributed denial-of-service (DDoS) attacks, Popa operates with a singular, lucrative objective: creating a persistent, global communications layer that facilitates large-scale data scraping, advertising fraud, and illicit account takeovers.

New research released this week by multiple cybersecurity firms has linked the operation of this massive botnet to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. The discovery exposes a dark symbiotic relationship between the unregulated world of budget streaming hardware and the insatiable data requirements of the artificial intelligence industry.

The Architecture of a Silent Botnet

Popa is not a traditional malware strain designed to crash servers or encrypt user files for ransom. Instead, it functions as a highly efficient plugin component associated with the Vo1d botnet—a widespread campaign targeting unauthorized, "no-name" Android TV boxes. These devices, which are sold by the thousands across major e-commerce platforms, are marketed to consumers as a "one-time fee" solution for accessing premium subscription video content for free.

While the primary lure is cost-effective entertainment, the hidden cost is the user’s digital autonomy. Security experts, including those from the FBI, have repeatedly warned that these devices often arrive pre-loaded with software that turns the hardware into a "residential proxy." Once connected to a home network and plugged into a wall outlet, the device becomes a relay node, allowing anyone—from legitimate data aggregators to malicious threat actors—to route internet traffic through the unsuspecting owner’s IP address.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

By using these residential IPs, bad actors can bypass security filters, circumvent geo-blocking, and mask their identities, making their malicious traffic appear as if it originates from a standard, trusted household connection.

A Chronology of Discovery

The origins of Popa remained largely obscured until 2025, when the Chinese security firm XLAB identified a cluster of domain names orchestrating the activity of compromised devices. The trail went cold for many observers until May 2026, when the security firm Qurium began investigating a series of massive, disruptive data-scraping events.

Qurium discovered that the scraping activity was not localized; it was distributed with surgical precision across more than 1.4 million distinct internet addresses. Their investigation revealed that these addresses were being controlled by several dozen domains, including gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io.

A significant turning point occurred in July 2025, when a coalition led by Google, HUMAN Security, and Trend Micro successfully disrupted Badbox 2.0, a botnet closely linked to the Vo1d campaign. Many expected the Popa infrastructure to collapse alongside it. However, investigators soon found that new control domains were rapidly registered to replace the seized ones. Notably, the domain ninjatech[.]io—a remnant of the original infrastructure—remained operational.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The trail led directly to Moishi Kramer, whose professional profile identifies him as a key figure in the development of NetNut. While Mr. Kramer has publicly distanced himself from the current operation of these domains, the persistence of the infrastructure suggests a level of continuity that contradicts claims of abandoned software.

Supporting Data: The Scale of the Proxy Pool

The sheer magnitude of the Popa botnet is staggering. Chris Formosa, senior lead information security engineer at Black Lotus Labs (Lumen Technologies), notes that Popa maintains an average of 1.5 million to 2.5 million distinct IP addresses every single day.

"What makes Popa particularly dangerous is the ubiquity of NetNut’s ecosystem," Formosa explained. "Because other proxy services often white-label or resell NetNut’s infrastructure, these Popa-infected IPs appear across the entire internet landscape. It is one of the most problematic and amplified proxy botnets currently in existence."

Independent validation from Nokia Deepfield supports this assessment. Researcher Jérôme Meyer reported that by monitoring just a small subset of relay nodes—26 out of at least 359 known nodes—they observed 750,000 unique sources within a single 24-hour period. Each of these nodes was handling between 35,000 and 60,000 clients simultaneously, suggesting that the total footprint of the botnet may be significantly larger than initial estimates.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Official Responses and Denials

The allegations have prompted a swift, albeit defensive, response from the stakeholders involved.

In an email communication, Moishi Kramer stated that the Ninjatech firm ceased operations five years ago after selling a software development kit (SDK) known as "Popa." According to Kramer, the SDK was intended to use a minimal amount of bandwidth only with explicit user consent. "Once that software was licensed to third-party resellers, the original developer lost all control over how it was rebranded or deployed," Kramer claimed, denying any current involvement in or visibility into the infrastructure.

Alarum Technologies, the parent company of NetNut, issued a formal statement dismissing the reports from Synthient and Qurium as containing "demonstrably inaccurate assertions and flawed deductions." The company explicitly rejected the "botnet" label, characterizing their services as a legitimate commercial proxy network.

"The SDKs at issue are designed to facilitate bandwidth-sharing functionality and do not transform user devices into malware-controlled systems," the company stated. Alarum further emphasized that they employ "know your customer" (KYC) procedures and technological measures to mitigate misuse. However, researchers at the proxy-tracking service Spur have challenged this, asserting that these claims are merely "marketing for bandwidth sellers" and that access to the proxy pool can often be purchased with little more than a burner email address and cryptocurrency.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

The AI Scraping Economy: A New Reality

The rise of the Popa botnet is inextricably linked to the rapid expansion of the AI sector. Modern large language models (LLMs) and generative AI platforms require vast quantities of scraped data for training and development. Traditional data centers are easily blocked by web-scraping protections implemented by major websites, leading AI developers to turn to residential proxy networks.

By routing scraping traffic through residential IP addresses, AI firms can bypass anti-bot mechanisms like DataDome or Cloudflare. This has effectively turned millions of household TV boxes into the "brains" of the AI training economy.

The consequences for the broader internet are profound. Research from the Confederation of Open Access Repositories (COAR) indicates that aggressive scraping bots are causing widespread service disruptions for libraries, universities, and nonprofit repositories. Over 90% of survey respondents reported that such bots frequently lead to site slowdowns or complete outages, highlighting the "open excess" of the current AI gold rush.

Implications for Corporate and Home Security

The threat is not confined to budget TV boxes. As Infoblox recently reported, residential proxy SDKs are being embedded into a wide array of seemingly benign applications, including VPNs, screensavers, and productivity tools, and are now appearing on major platforms like Samsung’s Tizen and LG’s webOS.

‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm

Spur’s analysis of these app stores found that approximately 42% of apps on LG’s webOS and over 25% of apps on Samsung’s Tizen contain proxy components. This creates a significant security risk for corporate environments. When employees connect their personal devices—or bring home-office equipment—to corporate networks, they may inadvertently open a back door into the company’s internal IP space.

"If threat actors abuse a residential proxy to attack a third party, that third party’s incident response will correctly identify your network as the source," warned Infoblox researchers Nick Sundvall and David Brunsdon. "The legal exposure and reputational damage caused by such an event are immense."

The lack of meaningful, informed consent remains the central issue. As security researchers point out, a simple legal disclosure navigated by a television remote is not sufficient for a user to understand that they are selling their home internet bandwidth to unknown third parties. As the digital landscape continues to evolve, the case of the Popa botnet serves as a sobering reminder that in the age of AI, the most vulnerable nodes in the network are often sitting right in the living room.