For the previous 4 years, a sprawling Android-based botnet known as Popa<\/strong> has compelled tens of millions of shopper TV bins to relay Web visitors linked to promoting fraud, account takeovers, and mass data-scraping efforts. This week, researchers from a number of safety corporations concluded that the Popa botnet is linked to NetNut<\/strong>, a \u201cresidential proxy\u201d supplier operated by the publicly-traded Israeli agency Alarum Applied sciences Ltd <\/strong>[NASDAQ: ALAR].<\/p>\n Malicious streaming gadgets bought on-line that enroll the consumer\u2019s residence Web tackle in a residential proxy service. Picture: HUMAN Safety.<\/p>\n<\/div>\n Popa is an enormous botnet, however by all accounts it’s not like conventional botnets that enlist compromised techniques in harmful actions, reminiscent of coordinating big distributed denial-of-service assaults. Quite, Popa seems designed with a singular objective: Implementing a persistent communications layer able to registering a tool, sustaining long-lived encrypted connections, and opening communication tunnels on demand.<\/p>\n Specialists say Popa is a plugin part related to the Vo1d<\/strong> botnet, a large-scale malware marketing campaign concentrating on unofficial Android-based TV bins. These gadgets, that are marketed beneath hundreds of brand name names and mannequin numbers and broadly obtainable for buy at prime e-commerce locations, all promote the power to stream tons of of subscription video companies for an up entrance one-time payment.<\/p>\n However because the FBI and safety trade specialists have warned repeatedly, these streaming bins usually bundle or come pre-installed with software program<\/a> that turns the consumer\u2019s TV right into a \u201cresidential proxy<\/a>\u201d \u2014 permitting anybody to route their Web visitors via that system for so long as it stays plugged right into a wall socket and linked to an area community. Extra regarding, a few of these proxy networks do little to cease malicious clients from speaking with and even compromising techniques on the native community of the unsuspecting system proprietor.<\/p>\n The primary clues about Popa\u2019s origins got here in a 2025 report<\/a> from the Chinese language safety firm XLAB<\/strong>, which flagged at the least 9 domains that had been used to register and direct the actions of compromised gadgets. In a report<\/a> launched right this moment, the safety agency Qurium<\/strong> described the way it came upon a few of those self same domains whereas investigating a collection of disruptive and costly knowledge scraping occasions concentrating on the corporate\u2019s hosted organizations in Could 2026, through which the scraping exercise was scattered evenly throughout greater than 1.4 million Web addresses.<\/p>\n Qurium stated it discovered a number of dozen domains used to manage Popa that had been all hosted in lockstep throughout a number of Web addresses over time, together with gmslb[.]internet<\/strong>, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io<\/strong>. Digging deeper, Qurium found gmslb[.]internet was referenced in dozens of pirated or modded video content material streaming apps, reminiscent of CRICFy<\/strong>, DooFlix<\/strong>, Sprozfy<\/strong>, RTS Television<\/strong>, Flixoid<\/strong>, CyberFlix<\/strong>, Speedy Streamz<\/strong>, TvMob<\/strong> and HD\/OceanStreams<\/strong>.<\/p>\n Qurium\u2019s report notes that a lot of the domains lengthy used to manage the Popa botnet had been seized or dismantled in July 2025<\/a>, after Google<\/strong>, HUMAN Safety<\/strong> and Pattern Micro<\/strong> teamed as much as disrupt Badbox 2.0<\/strong>, a botnet that’s carefully related to Vo1d. Qurium stated that instantly after that disruption, a number of dozen new domains had been registered to function controllers for the Popa botnet, however that a kind of management domains was not new: ninjatech[.]io<\/strong>.<\/p>\n Ninjatech is an organization based by Moishi Kramer<\/strong>, whose LinkedIn profile<\/a> says he’s vp of analysis and improvement at NetNut. That resume credit Kramer for serving to NetNut to construct from the \u201cfloor up,\u201d \u201cdesigning the structure,\u201d and \u201cscaling the NetNut\u201d earlier than the corporate was acquired by Alarum Applied sciences. A self-created itemizing on the job board F6S<\/strong> references Kramer<\/a> as the only real proprietor of the Ninjatech area (a display seize of it’s pictured beneath).<\/p>\n Picture: F6S.com.<\/p>\n<\/div>\n Responding by way of e mail, Mr. Kramer stated Ninjatech ceased operations roughly 5 years in the past, when the corporate bought a software program improvement equipment (SDK) known as Popa that was designed to make use of a small portion of a tool\u2019s bandwidth and to run solely after the host utility obtained consumer consent.<\/p>\n \u201cThat code was bought and licensed to 3rd events together with resellers years in the past,\u201d Kramer stated. \u201cAs soon as software program is distributed that manner, the unique developer has no management over how others later modify, rebrand, or deploy it.\u201d<\/p>\n Kramer stated neither he nor NetNut builds, operates or maintains the infrastructure being described as Popa, nor does he management the Ninjatech area.<\/p>\n \u201cI didn\u2019t register the June 2025 domains you point out, and I don\u2019t know who did,\u201d he continued. \u201cI’ve no management over, or visibility into, that infrastructure. I can solely inform you it isn\u2019t operated by me or by NetNut.\u201d<\/p>\n However in a separate Popa analysis report<\/a> launched right this moment, the proxy-tracking firm Synthient<\/strong> stated a latest evaluation of the Popa SDK revealed outbound visitors clearly related to NetNut.<\/p>\n \u201cThe analysis crew assesses with excessive confidence that gadgets operating Popa ahead visitors from Netnut shoppers,\u201d Synthient wrote. \u201cThis proves with out a shadow of a doubt that Popa actively continues for use by NetNut as a part of their proxy pool.\u201d<\/p>\n Synthient\u2019s platform receiving outbound visitors from Popa. Picture: Synthient.com.<\/p>\n<\/div>\n Alarum Applied sciences, NetNut\u2019s Tel Aviv-based dad or mum firm, stated the experiences by Synthient and Qurium contained \u201cdemonstrably inaccurate assertions and flawed deductions slightly than verified info.\u201d Alarum shared an announcement saying they reject the essential characterization of the SDKs and applied sciences mentioned within the experiences as a \u201cbotnet.\u201d<\/p>\n \u201cThe SDKs at subject are designed to facilitate bandwidth-sharing performance and don’t rework consumer gadgets into malware-controlled techniques or in any other case compromise the gadgets on which they function,\u201d the assertion reads. \u201cNetnut operates a business proxy community and maintains insurance policies, procedures, and technological measures designed to advertise lawful and accountable use of its companies.\u201d<\/p>\n Alarum stated NetNut locations \u201cimportant emphasis on applicable discover and consent mechanisms, conducts buyer due diligence, displays for potential misuse, and takes steps meant to detect and mitigate suspicious or unauthorized exercise.\u201d<\/p>\n \u201cThis methodology of operation is supported each by inside procedures and insurance policies, together with performing KYC checks and extra due diligence of NetNut\u2019s clients, in addition to using varied technological measures, designed to help in figuring out and addressing suspected misuse of the community,\u201d their assertion continued.<\/p>\n Nevertheless, in a report launched on June 8, the proxy monitoring service Spur<\/strong> asserted that NetNut doesn’t require company verification or significant \u201cknow your buyer\u201d procedures earlier than permitting clients to buy proxy entry.<\/p>\n \u201cA person can enroll, pay, and route visitors via companion tackle area, together with area belonging to establishments whose customers by no means opted in,\u201d Spur wrote<\/a>. \u201cThe \u2018verified firms solely\u2019 declare is just advertising for bandwidth sellers, not an entry management on who really makes use of the proxies.\u201d<\/p>\n \u201cNeither is NetNut the one entrance door,\u201d Spur continued. \u201cPlenty of downstream white labelers and resellers repackage the identical ISP proxy pool beneath their very own manufacturers. These shops usually carry out no KYC in any respect, much less scrutiny than NetNut itself, who on the very least would possibly assign an account supervisor to potential customers. Anybody who is aware of the place to look should buy entry via a reseller with nothing greater than a burner e mail tackle and $5 in crypto.\u201d<\/p>\n Synthient discovered that though the latest builds of Popa (as of three months in the past) have added the power to ask the consumer for consent earlier than putting in proxy parts, not all variants or earlier variations of Popa comprise this performance.<\/p>\n \u201cOf the over 20 real Popa publishers analyzed, none of them had been noticed asking for consumer consent,\u201d Sythient wrote.<\/p>\n Chris Formosa<\/strong> is senior lead info safety engineer for Black Lotus Labs<\/strong>, a division of the Web spine provider Lumen Applied sciences<\/strong>.<\/p>\n \u201cWhat particularly makes Popa harmful is simply how broadly used NetNut is for reselling and sharing,\u201d Formosa stated, explaining that many different proxy companies merely resell NetNut proxies slightly than constructing out their very own far-flung proxy networks. \u201cSo these Popa IPs seem in tons of various companies everywhere in the ecosystem, which makes it one of the problematic and harmful proxy botnets in the marketplace at the moment.\u201d<\/p>\n Formosa stated the Popa botnet averages between 1.5 million to 2.5 million distinct IP addresses every day, counting on between 250 and 300 Web addresses which are used to direct its actions.<\/p>\n \u201cThat\u2019s why Popa is so harmful,\u201d Formosa stated. \u201cIt is probably not the biggest botnet we now have seen, however it’s unfold everywhere in the trade, making its energy very amplified.\u201d<\/p>\n Formosa stated whereas that makes Popa one of many bigger botnets on the market right this moment, its numbers pale compared to these beforehand boasted by IPIDEA<\/a>, a China-based proxy supplier that till lately operated a each day pool of almost 10 million gadgets that they resold as proxies to anybody. In January 2026, Synthient printed analysis<\/a> exhibiting that a number of new giant DDoS botnets had grown quickly by tunneling via IPIDEA proxies into the native networks of unsuspecting TV field house owners and infecting different Android-based gadgets behind the consumer\u2019s firewall.<\/p>\n IPIDEA relies largely on SDKs used to view pirated streaming content material on an unlimited variety of TV field gadgets, however the service\u2019s numbers have dwindled since January, when Google and trade companions took authorized motion<\/a> to grab domains that IPIDEA used to manage gadgets and proxy visitors via them.<\/p>\n J\u00e9r\u00f4me Meyer<\/strong>, a safety researcher at Nokia Deepfield<\/strong>, stated the entire inhabitants of gadgets collaborating within the Popa botnet could also be far greater than Lumen\u2019s estimates. Meyer informed KrebsOnSecurity that Nokia is monitoring 26 of at the least 359 identified relay nodes for the botnet, and estimates that every relay node handles between 35,000 and 60,000 shoppers concurrently.<\/p>\n \u201cOn the relay node subset I’m taking a look at (26 of them), 750,000 distinctive sources in 24 hours,\u201d Meyer wrote in response to questions.<\/p>\n Nokia Deepfield launched its personal report right this moment<\/a> on RoboVPN<\/strong>, a VPN app tied to the Vo1d botnet\u2019s Popa plugin that Qurium attributes to NetNut\/Alarum Applied sciences.<\/p>\n Specialists say lots of the world\u2019s largest proxy suppliers have up to date their public-facing branding to focus on their utility for coaching AI platforms, implying it’s a main use case for his or her residential proxies. That\u2019s as a result of AI companies are inclined to depend on continuously mass-scraping the Web for brand new textual content, pictures and video content material that can be utilized to coach giant language fashions (LLMs).<\/p>\n NetNut and different proxy companies have recast themselves as crucial infrastructure for the AI scraping financial system. Picture: Synthient.com.<\/p>\n<\/div>\n \u201cAI corporations rely on web-scraped content material: for pre-training, for retrieval, for agent grounding, for search,\u201d reads a report<\/a> this month from Embrace Safety<\/strong> that examines the prevalence of proxy SDKs in sensible TV apps. \u201cHowever the trendy net isn\u2019t scrapeable from a datacenter. Cloudflare, DataDome, HUMAN, amongst others throttle or block requests from identified cloud IPs. The workaround is residential proxies. A scraping job routed via a Comcast or T-Cell subscriber\u2019s connection arrives on the goal website from an IP that belongs to a paying residential buyer.\u201d<\/p>\n This continuous content material scraping has spawned greater than 70 copyright infringement lawsuits<\/a> in opposition to main tech corporations which have acknowledged large-scale knowledge scraping as a significant supply of the \u201cbrains\u201d behind their business AI choices. Mockingly, a lot of that scraping is being aided by proxy companies which are intimately tied to unofficial Android TV bins and related SDKs whose said objective is streaming pirated content material.<\/p>\n The scraping exercise has grow to be so aggressive that it typically overwhelms the focused web sites, stopping them from being reachable by reputable guests. In lots of reported circumstances, nonprofit organizations, libraries and universities have complained of regularly battling to maintain their companies on-line within the face of relentless data-scraping corporations hiding behind residential proxy companies.<\/p>\n A survey carried out final yr by the Confederation of Open Entry Repositories<\/strong> (COAR) discovered<\/a> whereas some content material scraping bots are slightly innocuous, \u201cothers are sufficiently aggressive that they’re more and more inflicting service disruptions in repositories and different scholarly communications infrastructures.\u201d Greater than 90 % of survey respondents indicated their repository is encountering aggressive bots, normally greater than as soon as every week, and sometimes resulting in sluggish downs and repair outages.<\/p>\n![\"Malicious](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvboxes-proxy.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/f6s-kramer-1.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/synthient-flixview.png\")
<\/p>\nTHE PREVALENCE OF POPA<\/h2>\n
THE SYMBIOSIS OF PROXIES AND DATA SCRAPING<\/h2>\n
![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/proxy-scraping-ai.png\")
<\/a><\/p>\n
![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/spur-tvproxy.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/06\/tvstreamz.png\")
<\/p>\n