Popa Botnet Tied to NASDAQ-Listed Residential Proxy Firm Alarum Technologies
Researchers from Synthient and Qurium traced four years of Android TV box traffic-relaying back to infrastructure connected to NetNut, the residential proxy service owned by Israel's Alarum Technologies — raising hard questions about where legitimate proxy networks end and silent botnets begin.

Researchers publicly linked the Popa Android botnet to NetNut, the residential proxy division of NASDAQ-listed Alarum Technologies (ALAR), in findings published in June 2026.
What Is Popa, and Why Should You Care?
Popa is not a botnet in the bank-melting, DDoS-your-infrastructure sense. It is quieter and, in many ways, more insidious. For roughly four years, Popa has been enrolling cheap Android TV streaming boxes into a global proxy pool, keeping an encrypted tunnel open on the device, and waiting for third-party traffic to flow through a user's home IP address — all without meaningful informed consent from the device owner.
The affected hardware typically sells for under $50, marketed as a one-time-payment alternative to streaming subscriptions. Millions of units have shipped under countless model names. These boxes arrive carrying software development kits that silently register the purchaser's residential internet connection as a relay node. Popa is the persistence and tunneling component layered on top of the broader Vo1d malware campaign, which security researchers have tracked for years as the primary vehicle for compromising off-brand Android TV hardware at scale.
Think of it as renting out your home's IP address to strangers — except nobody asked for the keys.
The Research Trail
The investigation began with a 2025 report from Chinese threat-intelligence firm XLAB, which flagged nine controller domains linked to Popa's command-and-control infrastructure. Qurium picked up that thread after a scraping incident in May 2026 hit its hosted clients, with malicious traffic originating from more than 1.4 million distinct IP addresses. That is not a small operation.
Qurium's analysts identified several control domains — including `gmslb[.]net`, `safernetwork[.]io`, `tera-home[.]com`, and `ninjatech[.]io` — that shared hosting patterns and appeared in coordination. The first domains were found embedded in pirated streaming applications with names like CRICFy, DooFlix, RTS Tv, and CyberFlix, apps that have been distributed widely through unofficial app stores.
Most of Popa's controller infrastructure was disrupted in July 2025 during a coordinated takedown effort involving Google, HUMAN Security, and Trend Micro, part of the broader Badbox 2.0 operation. New controller domains surfaced almost immediately after. One domain did not need to be new: `ninjatech[.]io`.
Ninjatech was founded by Moishi Kramer, who currently serves as VP of Research and Development at NetNut. Kramer's own professional history credits him with architecting NetNut's infrastructure before Alarum acquired the company. Kramer told researchers that Ninjatech ceased operations approximately five years ago, that the Popa SDK was sold and licensed to external parties, and that he no longer controls the domain or operates the infrastructure. "I didn't register the June 2025 domains you mention, and I don't know who did," he said.
Synthient is not satisfied with that explanation. The firm's analysis of the current Popa SDK shows outbound traffic routing to NetNut endpoints, which Synthient argues demonstrates that compromised devices are actively forwarding traffic for paying NetNut customers today.
Alarum's Position
Alarum Technologies rejects the botnet classification entirely. The company characterizes its SDKs as bandwidth-sharing tools that include consent prompts, Know Your Customer checks, and misuse monitoring. That is the standard residential proxy industry defense, and it is not without some basis — legitimate residential proxy networks do exist and serve genuine commercial purposes, from ad verification to geo-restricted content testing.
The problem is that "legitimate" and "abusable" are not mutually exclusive categories here. Proxy-tracking firm Spur published a June 8 report arguing that Alarum's KYC controls do not survive real-world scrutiny. Per Spur's findings, anyone can sign up, begin routing traffic, and access the same IP pool through downstream white-label resellers for as little as five dollars in cryptocurrency and a disposable email address. The consent prompt on a $40 TV box does not close that gap.
Which Controls Failed — and What Defenders Must Learn
This incident does not fit neatly into a single control failure. It is a systemic problem across the device supply chain, the software distribution layer, and the proxy industry's self-regulatory posture. But for enterprise security teams, the practical lesson is concrete: residential IP addresses are no longer a reliable signal of human, benign traffic.
The Verizon 2025 Data Breach Investigations Report found that proxy and anonymization services appear in a growing share of credential-stuffing and web application attacks precisely because residential IPs evade IP-reputation blocklists built for datacenter ranges. Popa-style infrastructure industrializes that evasion. When 1.4 million home IP addresses can be rented for a few dollars through a white-label reseller, traditional perimeter controls based on IP reputation become significantly weaker. Rate limiting, CAPTCHA challenges, and behavioral analytics all have to work harder.
For the end users whose boxes are enrolled — mostly people who bought a budget streaming device and never suspected anything was wrong — the failure is one of supply chain transparency and consumer device security. There is no patch management for a $40 Android box sold through an Amazon storefront that disappeared six months later. There is no firmware update cycle, no vulnerability disclosure program, no responsible party who will answer the phone. The device ships compromised, or it gets compromised shortly after, and it stays that way for years.
This is also a human-awareness problem. Security-awareness training that teaches employees to scrutinize the devices on their home networks — including what is plugged into the same router they use for remote work — directly reduces the attack surface these proxy networks depend on. A user who understands that a $40 streaming box may be silently routing criminal traffic through their IP is a user who asks different questions before plugging it in. Organizations that offer security awareness programs covering home network hygiene give their remote workforce a meaningful defensive layer that firewall rules alone cannot provide.
What Enterprises Should Do Now
Security teams cannot fix the residential proxy ecosystem. They can adapt to it.
First, update your threat models to treat residential IP ranges as a potential evasion vector, not a trust signal. Web application firewalls and bot-management platforms that rely heavily on IP reputation need behavioral heuristics layered on top.
Second, review your remote-access policies. Employees connecting to corporate systems from home networks that include compromised smart devices represent a lateral-movement risk that traditional VPN controls do not fully address. Endpoint detection on managed devices is necessary but not sufficient when the compromise lives in an unmanaged box two hops away on the same LAN.
Third, if your organization operates any kind of web scraping detection, fraud prevention, or bot-management tooling, add residential proxy service ranges from firms identified by Spur and similar trackers to your monitoring watchlists. The Popa IP pool is large and actively used.
Finally, review procurement policies for any Android-based devices used in office environments — digital signage, conference room displays, low-cost media players. The same supply chain vulnerability that produces compromised living-room boxes produces compromised corporate-lobby screens.
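The first and third recommendations above can be combined in one detection pass: use a residential-proxy watchlist as a single weighted signal and let behavioral heuristics (distinct accounts per client, login failure ratio) carry the rest. The block below is an added example, not code from the article, Spur or any vendor; the log format, CIDR ranges, and thresholds are constructed placeholders.

```python
# Added example (not from the article or any vendor): score web access-log
# clients by behavior, using a residential-proxy watchlist only as one signal.
# The log format, CIDRs and thresholds are constructed placeholders.
import ipaddress
from collections import defaultdict
from datetime import datetime

PROXY_WATCHLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed log lines: timestamp, client IP, method, path, status, user=<name>
SAMPLE_LOG = """\
2026-06-09T10:00:01 203.0.113.7 POST /login 401 user=alice
2026-06-09T10:00:02 203.0.113.7 POST /login 401 user=bob
2026-06-09T10:00:02 203.0.113.7 POST /login 401 user=carol
2026-06-09T10:00:03 203.0.113.7 POST /login 200 user=dave
2026-06-09T10:00:05 192.0.2.44 GET /home 200 user=-
2026-06-09T10:00:06 192.0.2.44 POST /login 401 user=frank
2026-06-09T10:00:09 192.0.2.44 POST /login 200 user=frank
"""

def parse_line(line):
    ts, ip, method, path, status, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ipaddress.ip_address(ip),
            "method": method, "path": path, "status": int(status),
            "user": user.partition("=")[2]}

def on_watchlist(ip):
    return any(ipaddress.ip_address(ip) in net for net in PROXY_WATCHLIST)

def score_ips(log_text):
    """Return {ip_str: (score, reasons)}; behavior is scored even for unlisted IPs."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        by_ip[e["ip"]].append(e)
    results = {}
    for ip, events in by_ip.items():
        logins = [e for e in events if e["method"] == "POST" and e["path"] == "/login"]
        failures = sum(1 for e in logins if e["status"] == 401)
        users = {e["user"] for e in logins}
        score, reasons = 0, []
        if on_watchlist(ip):
            score += 1; reasons.append("watchlist")
        if len(users) >= 3:  # many distinct accounts tried from one client
            score += 2; reasons.append("distinct_users=%d" % len(users))
        if logins and failures / len(logins) >= 0.6:
            score += 2; reasons.append("fail_ratio=%.2f" % (failures / len(logins)))
        results[str(ip)] = (score, reasons)
    return results

def suspicious(log_text, threshold=3):
    return sorted(ip for ip, (s, _) in score_ips(log_text).items() if s >= threshold)
```

Note that the watchlist hit alone never reaches the threshold; a listed residential IP behaving normally is not blocked, while a credential-stuffing pattern from an unlisted home IP still is.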
The Popa case is unlikely to be the last time a publicly traded company finds its infrastructure entangled in a debate about what separates a residential proxy from a botnet. The honest answer is that the line is thin, the financial incentives to keep it thin are strong, and defenders cannot wait for the industry to draw it for them.
How home-network hygiene training could have limited Popa's reach
- Teach remote employees to identify and avoid off-brand Android devices with known supply chain risks before those devices share a home network with a corporate VPN endpoint.
- Include residential proxy awareness in phishing and social-engineering modules — users who understand how their IP can be monetized make more skeptical purchasing decisions.
- Pair device-hygiene training with a clear internal policy on which smart devices are permitted on the same network segment as corporate endpoints.
Train2Secure's security-awareness curriculum includes home-network and device-hygiene modules built for distributed workforces — the same employees whose $40 streaming boxes can become someone else's proxy node.
Frequently asked questions
What is the Popa botnet and how does it work?
Popa is a persistence and tunneling component embedded in off-brand Android TV streaming boxes. It silently enrolls the device owner's home IP address into a residential proxy pool, allowing third parties to route internet traffic through that connection without meaningful user consent. It has operated for roughly four years as part of the broader Vo1d malware campaign.
Is NetNut or Alarum Technologies running the botnet?
Alarum Technologies denies operating a botnet and says its SDKs involve consent prompts and KYC controls. Researchers at Synthient argue that active Popa SDK traffic routes to NetNut endpoints today, while proxy-tracker Spur contends that downstream resellers make the pool accessible with minimal cost and verification. The company disputes the botnet framing; the technical findings remain contested.
How does a residential proxy network threaten enterprise security?
Residential proxy networks allow attackers to route credential-stuffing, scraping, and fraud traffic through legitimate home IP addresses, bypassing IP-reputation blocklists that would flag datacenter ranges. The Verizon 2025 DBIR identified anonymization and proxy services as a growing factor in web application attacks. Standard perimeter defenses based on IP reputation alone are insufficient against these networks.
What can employees do to avoid having their devices enrolled in proxy botnets?
Avoid purchasing off-brand Android TV boxes from unverified sellers, particularly devices marketed as one-time-payment streaming alternatives. Check router logs for unexpected outbound connections. Keep any smart device firmware updated, and prefer devices from manufacturers with active security support and vulnerability disclosure programs.
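"Check router logs for unexpected outbound connections" is easier with a concrete profile of what relaying looks like: a streaming box should be download-heavy and talk to a handful of CDNs, while a proxy node holds a tunnel open for hours, contacts many unrelated destinations, and uploads roughly as much as it downloads. The block below is an added example, not from the article; the flow record format and thresholds are constructed and would need adapting to a real router's export.

```python
# Added example (not from the article): flag LAN devices whose outbound flow
# profile looks like traffic relaying rather than media streaming. Flow fields
# and thresholds are constructed; adapt them to your router's export format.
from collections import defaultdict

# Constructed flow records: lan_src, dst_ip, dst_port, duration_s, bytes_out, bytes_in
SAMPLE_FLOWS = """\
192.168.1.20 198.51.100.9 443 14400 52000000 48000000
192.168.1.20 203.0.113.5 443 300 1200000 900000
192.168.1.20 203.0.113.77 80 120 400000 300000
192.168.1.20 203.0.113.90 443 95 350000 280000
192.168.1.20 192.0.2.130 443 60 200000 150000
192.168.1.31 198.51.100.40 443 1800 60000 950000000
192.168.1.31 198.51.100.41 443 900 30000 420000000
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        src, dst, port, dur, out_b, in_b = line.split()
        rows.append({"src": src, "dst": dst, "port": int(port), "dur": int(dur),
                     "out": int(out_b), "in": int(in_b)})
    return rows

def profile_devices(flows, long_s=3600, min_dsts=4, out_ratio=0.8):
    """Return {lan_ip: [reasons]} for devices showing at least two relay-like traits."""
    per = defaultdict(list)
    for f in flows:
        per[f["src"]].append(f)
    flagged = {}
    for src, fl in per.items():
        reasons = []
        longest = max(f["dur"] for f in fl)
        if longest >= long_s:  # persistent tunnel held open for hours
            reasons.append("long-lived connection %ds" % longest)
        dsts = {f["dst"] for f in fl}
        if len(dsts) >= min_dsts:  # a player talks to a few CDNs, a relay to many peers
            reasons.append("%d distinct destinations" % len(dsts))
        total_out = sum(f["out"] for f in fl)
        total_in = sum(f["in"] for f in fl)
        if total_out >= out_ratio * total_in:  # upload-heavy is wrong for a streaming box
            reasons.append("upload/download ratio %.2f" % (total_out / max(total_in, 1)))
        if len(reasons) >= 2:
            flagged[src] = reasons
    return flagged
```

In the constructed sample, 192.168.1.20 trips all three traits while 192.168.1.31 (download-heavy, two destinations) is left alone.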