Popa Botnet Tied to Israeli Proxy Firm NetNut Raises Global Cybersecurity Alarm

DECRYPTED BY: Nova Stirling | TIMESTAMP: 2026-06-21 T 09:09:07 Z | [ 2 MIN READ ]

Popa Botnet and NetNut Connection

A four‑year investigation has linked the Android‑based Popa botnet to NetNut, the residential‑proxy service owned by publicly‑traded Alarum Technologies (NASDAQ:ALAR). Researchers from Qurium, Synthient and other firms say the botnet hijacks cheap streaming boxes sold on major e‑commerce sites, turning them into always‑on proxies. Millions of households unknowingly route ad fraud, account takeovers and massive web‑scraping traffic through their home broadband. The first clues emerged in a 2025 XLAB report that listed nine suspicious domains. Today, Qurium identified dozens more, including gmslb.net and ninjatech.io, which appear in pirated video apps such as CRICFy and Flixoid.

“The code was sold and licensed to third parties years ago,” said Moishi Kramer, former VP of R&D at NetNut.

Kramer insists he no longer controls the domains or infrastructure. Yet Synthient’s traffic analysis shows outbound streams that match NetNut’s proxy pools, leading them to conclude the botnet is actively used by the firm. Alarum’s public statements describe the SDK as a “bandwidth‑sharing” tool, not a botnet, and claim robust KYC procedures. Independent research from Spur contradicts that, noting anyone can purchase proxy access with a burner email and a few dollars of crypto.

2.1M IP addresses have been observed in the botnet’s daily pool, while 5% of NetNut‑claimed “verified corporate” accounts actually undergo rigorous checks. Chris Formosa, senior engineer at Lumen’s Black Lotus Labs, warns that the botnet’s reach across dozens of reseller services amplifies its impact.

Reuters has highlighted similar proxy‑driven threats to AI training pipelines. The surge in AI‑focused scraping has turned residential proxies into critical infrastructure, a shift noted by Include Security. Even after the pandemic era, corporate networks remain vulnerable as employees install unvetted TV apps that embed proxy SDKs. Experts urge platforms like LG and Samsung to ban such components, following Amazon’s and Roku’s recent policies.

Dispatch from: Nova Stirling
Aerospace & Space Tech Correspondent