Bottom line: The four-year-old Popa botnet used to monetize compromised TV boxes is traced technically and personally to the Israeli proxy provider NetNut (Alarum Technologies).
The Android botnet Popa, which exploits millions of TV boxes for ad fraud and data theft, is being connected by researchers to the residential proxy provider NetNut — a business division of the NASDAQ-listed Israeli firm Alarum Technologies Ltd.
The Popa botnet has been operating for four years, forcing millions of consumer TV boxes to relay internet traffic for advertising fraud, account takeovers, and large-scale data scraping. Security researchers from multiple firms succeeded this week in linking Popa to NetNut — a residential proxy service operated by the NASDAQ-listed Israeli firm Alarum Technologies Ltd.
Popa differs from classic botnets: rather than coordinating massive DDoS attacks, it appears to be designed exclusively as a communication layer. The botnet registers devices, maintains encrypted connections, and opens communication tunnels on demand. Experts classify Popa as a plugin component of the Vo1d botnet, which targets unofficial Android TV boxes sold under thousands of different brand names and promise access to hundreds of streaming services for a one-time fee.
The connection to Alarum Technologies was uncovered through a chain of technical clues: The Chinese security firm XLAB first identified nine control domains for Popa in 2025. Security firm Qurium later discovered these domains while investigating massive data scraping attacks in May 2026 — distributed across over 1.4 million IP addresses. Qurium found dozens of Popa control domains such as gmslb[.]net, safernetwork[.]io, tera-home[.]com, and ninjatech[.]io in pirated streaming software like CRICFy, DooFlix, and CyberFlix.
The decisive link: ninjatech[.]io was founded by Moishi Kramer — according to LinkedIn, Vice President of Research and Development at NetNut and co-architect of the platform before its acquisition by Alarum Technologies. A job listing identifies Kramer as the sole owner of the Ninjatech domain. After the shutdown of several Popa domains in July 2025 by Google, HUMAN Security, and Trend Micro, new control domains were registered — but ninjatech[.]io was already in place.
Source: krebsonsecurity.com · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.