'Popa' Botnet Linked to Publicly-Traded Israeli Firm NetNut and Alarum Technologies

Researchers expose the Popa Android botnet, tied to Israeli firm Alarum Technologies' NetNut proxy service, hijacking millions of TV boxes worldwide.

June 22, 2026 · 5 min read

What Is the Popa Botnet and Why Should You Care?

A sophisticated Android-based botnet known as Popa has quietly operated for the past four years, conscripting millions of consumer TV boxes into a covert network used to relay internet traffic tied to advertising fraud, account takeovers, and large-scale data scraping. What makes this discovery particularly striking is who researchers are now pointing the finger at: NetNut, a residential proxy service operated by Alarum Technologies Ltd, a publicly-traded Israeli company listed on the NASDAQ stock exchange under the ticker symbol ALAR.

Security researchers from multiple firms converged this week on the same unsettling conclusion — that the infrastructure underpinning the Popa botnet is directly connected to a legitimate, publicly-visible technology company. This revelation raises serious questions about the boundaries between lawful proxy services and the exploitation of unwitting consumers whose home internet connections are being used without their knowledge or meaningful consent.

How the Popa Botnet Works

Unlike traditional botnets — which are often deployed to launch devastating distributed denial-of-service (DDoS) attacks or to spread ransomware — the Popa botnet is engineered for a far more subtle and commercially lucrative purpose. According to researchers, Popa is not primarily a destructive tool. Instead, it functions as a persistent communications layer.

At its core, Popa is designed to do three things with surgical precision:

  • Register infected devices within a broader network infrastructure
  • Maintain long-lived, encrypted connections back to command-and-control servers
  • Open on-demand communication tunnels that allow third parties to route their internet traffic through a victim's home IP address

Experts describe Popa as a plugin-based system, meaning its capabilities can be extended or updated remotely without needing to fully re-infect a device. This architectural flexibility makes it both resilient and adaptable, capable of evolving alongside detection efforts from cybersecurity firms and law enforcement agencies.

The Target: Cheap Android TV Boxes

The primary vectors for Popa infections are inexpensive Android-based TV streaming boxes commonly sold online through major e-commerce platforms. Devices like the X96 Mini and a wide variety of unbranded, no-name streaming sticks are among those identified in the research. These gadgets are popular with budget-conscious consumers seeking affordable alternatives to branded streaming devices like the Roku or Amazon Fire Stick.

The problem is that many of these low-cost devices come pre-loaded with modified firmware or malicious applications that silently enroll the device — and by extension, the owner's home IP address — into the Popa botnet. The victim rarely, if ever, notices anything unusual. Their internet connection may slow slightly, but in most cases, the compromise goes entirely undetected for months or even years.

This is precisely what makes residential proxy botnets so valuable on the black market and, increasingly, to commercially operating proxy providers. A residential IP address, as opposed to a datacenter IP, appears to originate from a real household. This makes traffic routed through it far harder for websites, fraud detection systems, and security tools to flag as suspicious or automated.

NetNut, Alarum Technologies, and the Proxy Economy

NetNut markets itself as a legitimate residential proxy service, offering businesses access to a large pool of real residential IP addresses for purposes such as market research, ad verification, and web scraping. Residential proxy services occupy a legally and ethically murky space in the technology industry. When the IP addresses in a proxy network are contributed knowingly and voluntarily by users who opt in through a clear agreement, the service may be considered legitimate. When those IP addresses are harvested from compromised devices — people who have no idea their home connection is being monetized — the arrangement becomes something far more troubling.

Alarum Technologies, the parent company of NetNut, is publicly traded on the NASDAQ, lending it an air of corporate legitimacy that has shielded it from the kind of scrutiny typically directed at shadier corners of the cybercrime ecosystem. The company has not, at the time of writing, issued a public statement directly addressing the researchers' findings linking Popa's infrastructure to its proxy network.

The Broader Threat Landscape of Residential Proxy Abuse

The Popa case is not an isolated incident. It fits into a well-documented and growing trend of residential proxy services — both legitimate and illicit — sourcing their IP inventory from infected consumer devices. Security researchers have previously exposed similar operations linked to smart TVs, home routers, and mobile phones. What unites these cases is a common exploitation of the trust that ordinary internet users place in the hardware they bring into their homes.

The downstream harms are significant. Traffic routed through a victim's IP address can be used to conduct credential stuffing attacks against banking and retail platforms, to commit advertising fraud that bleeds billions of dollars annually from the digital marketing ecosystem, and to scrape sensitive data at scale from websites that would otherwise block automated access. The homeowner whose TV box has been quietly enrolled into one of these networks may ultimately find themselves in an uncomfortable position — their IP address potentially blacklisted by services they use, or even flagged in connection with malicious activity they had no hand in.

What Can Consumers Do to Protect Themselves?

Awareness is the first line of defense. If you own an inexpensive Android TV box — particularly an unbranded device purchased through a third-party online marketplace — you should take the following precautions:

  • Research the device model and manufacturer before purchase, and avoid devices with no verifiable brand reputation
  • Monitor your home network traffic for unusual outbound connections or unexplained bandwidth consumption
  • Consider replacing suspected devices with reputable alternatives that receive regular, verifiable security updates
  • Use a router-level firewall or a network monitoring tool capable of flagging suspicious device behavior
  • Factory reset any device you suspect may have been compromised, and check whether updated, clean firmware is available from a trusted source
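
One way to apply the traffic-monitoring advice above, as an added example (not code from the researchers or this article): a device acting as a proxy node of the kind described keeps a long-lived connection open and relays third-party traffic, so it uploads nearly as much as it downloads, unlike a box that only streams. The flow record format, thresholds, device names and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow summaries (not real telemetry), one per connection:
# device, remote_ip, remote_port, duration_s, bytes_up, bytes_down
SAMPLE_FLOWS = """\
tvbox,203.0.113.10,443,86400,5200000,4100000
tvbox,198.51.100.7,443,120,48000000,51000000
tvbox,198.51.100.9,443,60,9000000,9800000
laptop,192.0.2.20,443,300,400000,25000000
smart-tv,192.0.2.30,443,5400,2000000,1800000000
smart-tv,192.0.2.32,443,90000,300000,350000
"""

# Assumed thresholds; tune them against your own network's baseline.
LONG_LIVED_S = 6 * 3600   # connection held open for six hours or more
RELAY_RATIO = 0.5         # upload at least half of download suggests relaying
MIN_BYTES = 10_000_000    # skip devices that moved too little data to judge

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        dev, _ip, _port, dur, up, down = line.split(",")
        flows.append({"device": dev, "duration": int(dur),
                      "up": int(up), "down": int(down)})
    return flows

def score_devices(flows):
    """Return {device: [reasons]} for the two proxy-node signals."""
    stats = defaultdict(lambda: {"up": 0, "down": 0, "long_lived": 0})
    for f in flows:
        s = stats[f["device"]]
        s["up"] += f["up"]
        s["down"] += f["down"]
        s["long_lived"] += f["duration"] >= LONG_LIVED_S
    report = {}
    for dev, s in stats.items():
        reasons = []
        if s["long_lived"]:
            reasons.append("long-lived outbound connection")
        if s["up"] + s["down"] >= MIN_BYTES and s["up"] >= RELAY_RATIO * s["down"]:
            reasons.append("upload volume close to download volume")
        report[dev] = reasons
    return report

def suspicious_devices(report):
    """A device is flagged only when both signals are present."""
    return sorted(dev for dev, reasons in report.items() if len(reasons) == 2)

if __name__ == "__main__":
    print(suspicious_devices(score_devices(parse_flows(SAMPLE_FLOWS))))
```

Requiring both signals keeps an ordinary smart TV that holds a long-lived notification channel from being flagged on that alone.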

The Accountability Question

Perhaps the most important question raised by the Popa botnet investigation is one of accountability. When a publicly-traded company's commercial product is linked to infrastructure that silently compromises millions of consumer devices, where does legal and moral responsibility lie? The residential proxy industry has long operated in a regulatory grey zone, and this case may represent a turning point — a moment at which regulators, investors, and the public begin demanding clearer answers about how these services source the IP addresses they sell.

Security researchers continue to monitor the Popa botnet and its associated infrastructure. As more findings emerge, the full scope of the operation — and the corporate relationships that sustain it — will likely come into sharper focus. For now, the message is clear: the streaming box sitting quietly in your living room may be doing far more than streaming your favorite shows.
