
Popa Botnet Ties 1.5M Android TV Boxes to Israeli Public Company

Source: krebsonsecurity.com · Posted by @threat_watch · 1 hour ago · Cybersecurity · 2 comments

Researchers link the Popa botnet to NetNut, a residential proxy service owned by Alarum Technologies (NASDAQ: ALAR), and find the network drives AI scraping, ad fraud, and account takeovers through millions of...

Tags: NetNut, Alarum Technologies, Popa botnet, Android botnet, residential proxies, AI scraping

Over 1.5 million Android TV boxes are enslaved in the Popa botnet, and their proxy traffic flows straight to NetNut, a residential proxy provider owned by the publicly traded Alarum Technologies (NASDAQ: ALAR). That figure comes from Lumen's Black Lotus Labs, which tracks 250 to 300 command-and-control IPs coordinating between 1.5 and 2.5 million distinct client addresses each day. Nokia Deepfield puts the client count even higher, estimating up to 60,000 devices per relay node across 359 known relays.

The Popa SDK and the NetNut Connection

Popa isn't a traditional DDoS botnet. It's a persistent communication layer that registers devices, maintains encrypted tunnels, and routes traffic on demand. Synthient's analysis confirms that outbound traffic from the Popa SDK lands squarely inside NetNut's proxy pool. "This proves without a shadow of a doubt that Popa actively continues to be used by NetNut as part of their proxy pool," Synthient wrote.

The SDK was originally developed by Ninjatech, a company founded by Moishi Kramer, who now serves as VP of R&D at NetNut. Kramer told KrebsOnSecurity that Ninjatech sold the code years ago and that neither he nor NetNut maintains the current infrastructure. Alarum's official statement called the reports "demonstrably inaccurate" and rejected the term botnet.

But Spur's report from June 8 undercuts that defense. Spur found that NetNut does not enforce meaningful KYC: anyone can sign up with a burner email and $5 in crypto through resellers. "The 'verified corporations only' claim is simply marketing for bandwidth sellers," Spur wrote. Several downstream white-labelers repackage the same proxy pool with zero scrutiny.

Why This Botnet Is Dangerous

Popa's danger lies in its distribution. Lumen's Chris Formosa: "These Popa IPs appear in tons of different services all over the ecosystem, which makes it one of the most problematic and dangerous proxy botnets on the market." The network powers advertising fraud, account takeovers, and mass data scraping. More alarming still, some variants of Popa can tunnel into the local network of the TV box owner, putting every device behind that router at risk.

Qurium's report traces the control domains, including ninjatech[.]io, which was re-registered in June 2025 after the takedown of Badbox 2.0. That domain is directly linked to Kramer's former company. Nokia Deepfield's report on RoboVPN, a Popa-adjacent app, further corroborates the NetNut connection.

The AI Scraping Engine Hiding in Your Living Room

AI companies are the biggest customers of residential proxy services. Scraping the web from datacenter IPs gets blocked by bot-management vendors such as Cloudflare, DataDome, and HUMAN; residential IPs belonging to Comcast or T-Mobile subscribers bypass those defenses because they are indistinguishable from ordinary home users. NetNut has rebranded itself as critical infrastructure for AI training. That dependency is fueling over 70 copyright lawsuits and causing persistent outages at non-profit repositories, with 90% of COAR survey respondents reporting aggressive scraping bots multiple times per week.

The exposure runs in both directions. Infoblox found that 65% of its customer base queries residential proxy domains, with a 25% increase in 2025 to over 500 billion monthly queries; government, banking, and pharmaceutical customers are all affected. And because residential proxies let attackers launch traffic that appears to originate from legitimate home IPs, IP-reputation blocking and source attribution during incident response both become far less reliable.
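The Infoblox finding above is the practical lead for defenders: the first sign of a proxy SDK or a Popa-style relay on your network is usually a DNS lookup for the operator's domains. The following is an added example, not code from the article or from any vendor named in it, that scans resolver query logs for lookups of watchlisted domains and groups the hits by querying host. The only real entry in the watchlist is ninjatech.io, the control domain named in the article; the second entry and the log lines are constructed for the example, and the log format (dnsmasq-style "query[TYPE] name from ip") is an assumption you would adapt to your resolver.

```python
# Added example (not from the KrebsOnSecurity article or any vendor's tooling):
# flag DNS lookups of residential-proxy / Popa-related domains in resolver logs.
import re
from collections import defaultdict

# Watchlist of apex domains. ninjatech.io is the control domain named in the
# article; the second entry is a hypothetical placeholder standing in for a
# vendor-supplied residential-proxy domain feed.
WATCHLIST = {
    "ninjatech.io",              # named in the article (re-registered June 2025)
    "example-proxy-pool.test",   # hypothetical placeholder, not a real indicator
}

# Constructed sample log lines in a dnsmasq-style query format (not real logs).
SAMPLE_LOG = """\
2025-06-10T20:01:02Z query[A] relay.ninjatech.io from 192.168.1.57
2025-06-10T20:01:03Z query[A] www.example.com from 192.168.1.12
2025-06-10T20:01:09Z query[AAAA] cdn.example-proxy-pool.test from 192.168.1.57
2025-06-10T20:02:15Z query[A] notninjatech.io from 192.168.1.12
2025-06-10T20:03:44Z query[A] NINJATECH.IO. from 192.168.1.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<src>\S+)$"
)


def normalize(qname):
    """Lower-case and strip a trailing root dot so 'NINJATECH.IO.' == 'ninjatech.io'."""
    return qname.rstrip(".").lower()


def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the watchlisted apex that qname equals or is a subdomain of, else None.

    The suffix check is done on a label boundary ('.' + domain) so that a
    lookalike such as 'notninjatech.io' is not a false positive.
    """
    name = normalize(qname)
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan(log_text, watchlist=WATCHLIST):
    """Parse resolver log lines and return {src_ip: [(ts, qname, apex), ...]} for hits.

    Lines that do not match the expected format are skipped rather than raising,
    since production logs routinely contain other record types.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        apex = matches_watchlist(m["qname"], watchlist)
        if apex:
            hits[m["src"]].append((m["ts"], normalize(m["qname"]), apex))
    return dict(hits)


if __name__ == "__main__":
    # Each source IP with at least one hit is a device worth pulling off the
    # network and inspecting, e.g. a TV box on the guest or IoT segment.
    for src, events in sorted(scan(SAMPLE_LOG).items()):
        print(src, len(events), [qname for _, qname, _ in events])
```

On the constructed input, 192.168.1.57 is reported twice (a subdomain of ninjatech.io and one of the placeholder domain), 192.168.1.99 once for the upper-cased, root-dotted lookup, and 192.168.1.12 not at all, because the lookalike domain fails the label-boundary check. In practice the watchlist would be populated from a residential-proxy domain feed and the scan scheduled against passive DNS or resolver logs, with any TV box that hits it moved to an isolated VLAN, which also limits the local-network tunnelling the article warns about.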

Consent: Nonexistent

Synthient analyzed over 20 Popa publishers, and none of them asked for user consent before installing the proxy component. Newer builds do prompt for permission, but the prompt is easily lost in a TV setup flow navigated by remote control. Spur found that 42% of apps on LG's webOS and 25% on Samsung's Tizen bundle residential proxy SDKs. These are games, utilities, and streaming apps that turn every smart TV into a paid proxy node without the owner's understanding. Amazon and Roku have banned such SDKs; LG and Samsung have not.

The gap between what users think they've agreed to and what actually runs on their network is the real vulnerability here. Expect more takedowns and likely regulatory action as the proxy-fed AI scraping machine finally attracts the scrutiny it deserves.


Source: 'Popa' Botnet Linked to Publicly-Traded Israeli Firm
Domain: krebsonsecurity.com
