More than 1.4 million Internet addresses were hit by data‑scraping traffic in May 2026, and the culprit appears to be a sprawling Android‑based residential proxy botnet called Popa. Researchers from several security firms said they’ve now tied Popa to NetNut, a residential proxy provider run by publicly‑traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR). That connection flips a known fraud‑focused botnet into a corporate‑level concern.
Key Takeaways
- Popa has been active for four years, co‑opting cheap Android TV boxes sold on major e‑commerce sites.
- The botnet routes traffic for advertising fraud, account takeovers, and massive data‑scraping campaigns.
- Security researchers linked Popa to NetNut, a residential proxy service owned by Alarum Technologies.
- Over 1.4 million IPs were targeted in a single scraping wave in May 2026.
- Devices enroll users’ home IPs into a proxy service, exposing local networks to malicious actors.
Why the Residential Proxy Botnet Matters
It’s not just that Popa’s traffic volume is massive; it’s that the botnet’s architecture is built for persistence. Instead of launching flashy DDoS attacks, Popa registers each compromised device, keeps a long‑lived encrypted channel open, and opens tunnels on demand. That design lets attackers treat a single TV box like a rented server, routing any kind of traffic through a user’s home connection.
From Streaming Boxes to Proxy Hubs
Those boxes are marketed under thousands of brand names, promising “one‑time fees” for unlimited streaming of subscription video services. The FBI has warned that many of these devices come pre‑installed with software that turns the TV into a residential proxy. When a buyer plugs one in, the device automatically enrolls the home’s IP address with a proxy network, and that address becomes a cheap exit node for anyone willing to pay.
How Researchers Traced Popa to NetNut
We’ve seen security firms chase botnet command‑and‑control domains for years, but this time Qurium’s investigation turned up a pattern. The firm found dozens of domains—gmslb[.]net, safernetwork[.]io, tera‑home[.]com, ninjatech[.]io—hosted together across multiple IP blocks. Those domains matched a 2025 report from Chinese security firm XLAB, which first flagged nine domains that Popa used.
Domain Overlap and the Plug‑In Connection
Qurium said those same domains appeared in pirated streaming apps like CRICfy, DooFlix, Sprozfy, and others. The overlap suggests the malicious apps are the vector that installs the Popa plug‑in. Once installed, the plug‑in contacts the C&C servers, registers the device, and then sits idle until a buyer on NetNut’s proxy marketplace requests a tunnel.
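A defender can use the four domains listed above to look for enrolled devices on their own network. The following is an added example, not code from Qurium, XLAB or the original report: it refangs the indicators as printed on this page and matches them against resolver query logs on label boundaries. The dnsmasq-style log format, the subdomain names and the client addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators as printed in the article: defanged, with a non-breaking hyphen (U+2011).
DEFANGED = ["gmslb[.]net", "safernetwork[.]io", "tera\u2011home[.]com", "ninjatech[.]io"]

def refang(indicator):
    """Normalise a defanged indicator into a plain lowercase hostname."""
    host = indicator.replace("[.]", ".").replace("\u2011", "-")
    return host.strip().strip(".").lower()

WATCHLIST = frozenset(refang(d) for d in DEFANGED)

def matched_indicator(qname, watchlist=WATCHLIST):
    """Return the watchlisted domain that qname equals or is a subdomain of."""
    labels = qname.strip().strip(".").lower().split(".")
    # Compare whole label suffixes so "notgmslb.net" does not match "gmslb.net".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

# dnsmasq-style query line: "... query[A] name from client"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")

def hunt(lines):
    """Map each LAN client to the watchlisted domains it queried."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            indicator = matched_indicator(m.group("qname"))
            if indicator:
                hits[m.group("client")].add(indicator)
    return {client: sorted(domains) for client, domains in hits.items()}

# Constructed sample log; host names, client IPs and timestamps are made up.
SAMPLE_LOG = [
    "Jun  1 10:00:01 dnsmasq[412]: query[A] node7.gmslb.net from 192.168.1.50",
    "Jun  1 10:00:02 dnsmasq[412]: query[A] www.example.org from 192.168.1.20",
    "Jun  1 10:00:05 dnsmasq[412]: query[AAAA] TERA-HOME.com. from 192.168.1.50",
    "Jun  1 10:00:09 dnsmasq[412]: query[A] notgmslb.net from 192.168.1.20",
    "Jun  1 10:00:11 dnsmasq[412]: reply node7.gmslb.net is 203.0.113.9",
    "Jun  1 10:00:12 dnsmasq[412]: query[A] gmslb.net.example.org from 192.168.1.31",
]

if __name__ == "__main__":
    for client, domains in hunt(SAMPLE_LOG).items():
        print(client, "queried", ", ".join(domains))
```

A client that shows up in the result is a candidate for isolation and inspection; a query alone does not prove the plug-in is installed.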
The Role of NetNut and Alarum Technologies
NetNut markets itself as a “residential proxy” service, selling access to IPs that appear to be home users rather than data‑center addresses. Alarum Technologies, the publicly‑traded parent, listed NetNut as a core product in its investor filings. While NetNut claims it vets customers, the research shows that malicious traffic still flows through the service, meaning the vetting process either isn’t strict enough or is being bypassed.
- Alarum Technologies (NASDAQ: ALAR) is an Israeli firm that went public in 2024.
- NetNut’s residential proxy network includes millions of IPs, many of which originate from compromised TV boxes.
- Popa’s encrypted tunnels let proxy customers route any traffic, including malicious scraping, through those IPs.
What Makes Popa Different from Classic Botnets
Most botnets you hear about are built for destructive purposes—think massive DDoS attacks that flood a target with traffic. Popa, by contrast, behaves like a service layer. It’s less about smashing servers and more about providing a reliable, low‑cost conduit for traffic that needs to look like it’s coming from a residential address.
That design is why security experts find it particularly concerning. When a compromised TV box becomes a proxy node, it can also expose the homeowner’s local network. An attacker could, for example, scan the LAN for vulnerable devices or even pivot into a home’s IoT ecosystem.
Broader Implications for the Security Industry
We’ve known for years that cheap streaming devices can be a privacy nightmare, but the Popa findings raise the stakes. If a legitimate‑looking proxy service can be fed with compromised devices, the line between “legitimate traffic” and “malicious traffic” blurs. That makes attribution harder for law‑enforcement and complicates network‑defense strategies for enterprises that rely on IP‑based reputation.
And because NetNut is publicly listed, shareholders and regulators now have a direct line to the controversy. Alarum’s quarterly reports will likely be scrutinized for any mention of proxy‑related abuse, and investors may start asking tough questions about compliance and due‑diligence practices.
Historical Context
Botnets that use consumer‑grade hardware have surfaced repeatedly over the past decade. Earlier campaigns repurposed webcams, routers, and even smart thermostats to create sprawling networks. Those efforts typically aimed at generating click‑fraud revenue or amplifying ransomware distribution. Popa’s reliance on Android TV boxes mirrors that trajectory: a commodity device, mass‑produced, low‑cost, and often shipped without rigorous firmware verification. The shift from overt denial‑of‑service attacks to a stealthy proxy service reflects an evolution in attacker economics—where the value lies in the ability to hide behind a “home” IP rather than to overwhelm a target.
Regulatory bodies have issued warnings about the privacy risks of pre‑installed software on streaming hardware. Those alerts, combined with law‑enforcement advisories, form a backdrop that makes Popa’s emergence less surprising and more indicative of a broader pattern: attackers are exploiting the same supply‑chain weaknesses that have plagued IoT ecosystems for years.
What This Means For You
If you’re a developer building services that rely on IP reputation, you’ll want to start flagging traffic that originates from known residential proxy networks, especially those that have been associated with Popa. Adding a layer of verification—like checking for unusual TLS fingerprints or atypical traffic patterns—can help you spot abuse before it hurts your brand.
For founders of IoT or consumer‑device startups, the lesson’s clear: you can’t afford to ship devices with pre‑installed software that silently enrolls users in a proxy service. Conduct thorough supply‑chain audits, and consider implementing a kill‑switch that disables any proxy‑related functionality if it’s detected.
We’ll be watching Alarum’s next earnings call to see how the company responds. Will they tighten NetNut’s onboarding procedures, or will they double‑down on a business model that’s now under a cloud of scrutiny?
Only time will tell whether the Popa botnet will remain a niche nuisance or become a catalyst for broader regulatory action against residential proxy services.
Concrete Scenarios
Scenario 1 – API‑driven SaaS platforms. A SaaS product that offers a public API often rates clients based on request volume and IP health. If a client’s calls originate from a compromised TV box, the requests may appear to come from a legitimate residential address, bypassing rate‑limit safeguards. Developers can mitigate this risk by integrating real‑time proxy‑list checks and by requiring API keys to be bound to verified corporate IP ranges.
Scenario 2 – Advertising technology firms. An ad exchange that purchases inventory on behalf of advertisers relies on IP reputation to prevent click fraud. Traffic routed through Popa‑controlled devices can masquerade as genuine user clicks, inflating metrics and draining budgets. Building heuristics that spot the characteristic traffic patterns of residential proxy tunnels—such as low‑entropy TLS handshakes or repetitive request signatures—helps protect campaign integrity.
Scenario 3 – Managed security services. A company that monitors client networks for anomalies may flag inbound connections from a single IP as benign because it belongs to a residential range. When that IP is, in fact, a proxy node, the hidden threat can slip past detection. Security teams should augment traditional reputation databases with threat‑intel feeds that include known proxy botnet identifiers, ensuring that alerts trigger on suspicious proxy activity even when the source appears innocuous.
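The two mitigations from Scenario 1 (a proxy‑list check and API keys bound to verified ranges) can be combined so that a feed hit wins even when the address sits inside a trusted range, which is the case Scenario 3 warns about. This is an added example, not code from the original report or any vendor; the feed entries, key names and bound ranges are constructed placeholders using documentation address space.

```python
import ipaddress

# Constructed sample data: documentation ranges (RFC 5737 / RFC 3849), not real feeds.
PROXY_FEED = ["198.51.100.0/24", "203.0.113.64/26", "2001:db8:bad::/48"]
KEY_BINDINGS = {
    "key-acme": ["192.0.2.0/28"],
    "key-globex": ["203.0.113.0/24"],  # range that overlaps a feed entry
}

def _nets(cidrs):
    """Parse CIDR strings, rejecting entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def _contains(nets, ip):
    return any(ip.version == n.version and ip in n for n in nets)

def evaluate(api_key, source_ip, bindings=KEY_BINDINGS, feed=PROXY_FEED):
    """Return 'allow' or a 'deny:<reason>' string for one API request."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny:bad-source-address"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack listeners
    # cannot be used to sidestep IPv4 feed entries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    allowed = bindings.get(api_key)
    if allowed is None:
        return "deny:unknown-key"
    # Feed check runs first: a proxy node inside a bound range is still denied.
    if _contains(_nets(feed), ip):
        return "deny:proxy-feed"
    if not _contains(_nets(allowed), ip):
        return "deny:outside-bound-range"
    return "allow"

if __name__ == "__main__":
    for key, src in [("key-acme", "192.0.2.5"), ("key-globex", "203.0.113.70"),
                     ("key-acme", "::ffff:198.51.100.7")]:
        print(key, src, evaluate(key, src))
```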
Competitive Landscape
Residential proxy providers have proliferated as demand for “real‑world” IP addresses skyrocketed. Many of those services position themselves as privacy‑preserving tools for market research, brand monitoring, and localized testing. The Popa incident casts a shadow over the entire segment, because it demonstrates how a legitimate‑looking service can be weaponized when its underlying IP pool is polluted with compromised devices.
Companies that rely on third‑party proxy networks now face heightened scrutiny from both customers and regulators. Expect a wave of due‑diligence questionnaires that probe the provenance of IP addresses, the strength of customer‑screening processes, and the existence of any remediation programs for compromised nodes. Those that can prove a clean, audited pool will likely gain a competitive edge, while others may see their market share erode under the pressure of compliance demands.
Key Questions Remaining
- What detection mechanisms can enterprises deploy to reliably differentiate between benign residential traffic and traffic that originates from a proxy botnet like Popa?
- How will regulators respond to the intersection of publicly listed proxy services and illicit botnet activity? Will new reporting requirements be introduced for firms that sell residential IPs?
- Can the supply chain for Android TV boxes be hardened enough to prevent pre‑installed proxy software from reaching end users, or will the market shift toward more secure firmware verification standards?
- What responsibility does Alarum Technologies bear for the misuse of its NetNut platform, and how might that influence future corporate governance frameworks for similar businesses?
“The FBI and security industry experts have warned repeatedly that these streaming boxes typically bundle or come pre‑installed with software that turns the user’s TV into a ‘residential proxy’—allowing anyone to route their Internet traffic through that device for as long as it remains plugged into a wall socket and connected to a local network,” the original report noted.
Sources: Krebs on Security, Human Security

