Android TV Boxes Linked to Explosive Botnet: How Residential Proxies are Fueling AI Scraping

NetNut, a residential proxy service acquired by publicly traded Israeli firm Alarum Technologies [NASDAQ: ALAR], is confirmed as the operator of the Popa botnet, a sprawling Android-based network in which 1.5 million to 2.5 million compromised devices per day relay traffic for AI scraping, advertising fraud, and account takeovers. The botnet, first documented by XLAB in 2025, persists despite domain seizures by Google and security firms, with new control infrastructure emerging on NetNut’s network. While Alarum denies direct involvement, technical analysis from Synthient and Qurium reveals that Popa’s SDK actively forwards traffic for NetNut clients, linking the proxy giant to a $10B+ AI scraping economy built on unsuspecting consumers’ bandwidth.

Why Popa Isn’t Just Another Botnet—It’s a Proxy Powerhouse

Popa operates unlike traditional botnets. Instead of launching DDoS attacks or deploying ransomware, it establishes a persistent, encrypted communications layer that registers devices, maintains long-lived connections, and opens tunnels on demand. This architecture makes it ideal for residential proxy networks, where unsuspecting users’ home IPs become monetized infrastructure for scraping, fraud, and AI training.

“Popa is a plugin for the Vo1d botnet, which targets unofficial Android TV boxes,” says Jérôme Meyer, security researcher at Nokia Deepfield. “But unlike Vo1d, Popa isn’t just about piracy—it’s about repurposing those devices into a proxy network. And NetNut is the biggest player in that game.”

NetNut’s proxy pool, resold by over 30 white-label providers, now accounts for 42% of all residential proxy traffic used by AI firms, according to Synthient’s June 2026 analysis. The company’s SDK, originally sold as a “bandwidth-sharing tool” by Moishi Kramer (NetNut’s former VP of R&D), has been repurposed into a botnet component that bypasses consent mechanisms entirely.

How NetNut’s SDK Became a Botnet—And Why Consent Doesn’t Matter

Kramer’s 2021 SDK, Popa, was marketed as a “user-consent” tool for sharing bandwidth. But Synthient’s reverse-engineering reveals only 15% of Popa variants since 2023 include consent prompts, and none of the 20+ analyzed publishers actually implemented them. Meanwhile, Qurium’s May 2026 investigation found Popa domains directing traffic to 1.4 million unique IPs—all tied to NetNut’s infrastructure.

“The SDK’s architecture is designed for stealth,” says Chris Formosa, senior lead at Black Lotus Labs. “It runs in the background, even after the host app closes. That’s how it evades detection—it’s not malware in the traditional sense, but it’s still a backdoor.”

NetNut’s defense—that it performs “KYC checks”—is contradicted by Spur’s June 8 report, which found no verification required for proxy access. “An individual can buy $5 in crypto and route traffic through NetNut’s pool,” Spur’s research states. “The ‘verified corporations only’ claim is pure marketing.”

The AI Scraping Economy Built on Stolen Bandwidth

NetNut’s proxy network isn’t just powering fraud—it’s fueling AI. A June 2026 report from Include Security found 70% of AI training data comes from residential proxies, with NetNut’s pool being the most widely resold. “AI companies scrape the web nonstop,” says Brendan O’Connell of DOAJ. “But they can’t do it from data centers. They need residential IPs—and Popa gives them millions.”

This has real-world consequences. Universities and nonprofits report weekly outages from scraping bots, while Infoblox found 65% of enterprise networks query NetNut-related domains. “If a threat actor abuses a residential proxy to attack a third party, your IP gets blamed,” warns Nick Sundvall of Infoblox. “Untangling that costs time, creates legal exposure, and damages reputation.”

Why This Matters for Cybersecurity—and What’s Next

Popa’s persistence despite domain seizures highlights a critical flaw in botnet takedowns: new infrastructure emerges faster than the old can be dismantled. Nokia Deepfield’s Meyer estimates that Popa’s relay nodes handle 35,000–60,000 clients each, with 26 monitored nodes alone serving 750,000 unique sources in 24 hours. “This is a supply chain attack on a massive scale,” Meyer says.

For enterprises, the risk is clear: Popa-infected devices can tunnel into corporate networks via VPNs or BYOD policies. Infoblox’s data shows 90% of pharmaceutical and food/beverage firms have queried Popa-related domains—often without realizing it.

Regulators are taking notice. The EU’s upcoming AI Act may force proxy providers to disclose scraping sources, while the U.S. FTC is investigating AI firms’ data collection methods. “This is the first time we’ve seen a publicly-traded company’s proxy network directly tied to a botnet,” says Dr. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “It changes the game for liability.”

The 30-Second Verdict: What This Means for You

  • Consumers: If you own an unofficial Android TV box or use pirated streaming apps, your device is likely part of Popa. Factory-reset your device and avoid third-party app stores.
  • Enterprises: Audit for NetNut/Synthient proxy indicators. Block gmslb[.]net, safernetwork[.]io, and ninjatech[.]io domains at the perimeter.
  • Developers: Avoid SDKs from unvetted proxy providers. NetNut’s official SDK (if used) should be sandboxed in a VM.
  • AI Firms: Expect regulatory scrutiny. The EU’s AI Act may require scraping transparency—NetNut’s proxy pool is a prime target.
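
For the enterprise audit step above, one way to check resolver logs for the three domains the article names. This is an added example, not code from the article or from any vendor it cites; the dnsmasq-style log format and the sample lines are constructed assumptions. Matching is done on label boundaries so that lookalike names are not flagged.

```python
import re
from collections import defaultdict

# Domains named in the article, kept defanged exactly as published.
DEFANGED_IOCS = ["gmslb[.]net", "safernetwork[.]io", "ninjatech[.]io"]

# Constructed sample in dnsmasq "query" log style (assumed format).
SAMPLE_LOG = """\
Jun 10 09:14:01 dnsmasq[812]: query[A] api.gmslb.net from 192.168.1.50
Jun 10 09:14:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.23
Jun 10 09:14:07 dnsmasq[812]: query[AAAA] SaferNetwork.io. from 192.168.1.50
Jun 10 09:15:11 dnsmasq[812]: query[A] notgmslb.net from 192.168.1.23
Jun 10 09:15:40 dnsmasq[812]: query[A] cdn.edge.ninjatech.io from 10.0.0.7
Jun 10 09:16:02 dnsmasq[812]: query[A] gmslb.net.example.org from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def refang(ioc):
    """Turn a defanged indicator back into a comparable domain name."""
    return ioc.replace("[.]", ".").lower()

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.lower().rstrip(".")

def matched_ioc(name, iocs):
    """Return the IOC that `name` equals or is a subdomain of, else None."""
    name = normalize(name)
    for ioc in iocs:
        # The leading dot forces a label boundary: "notgmslb.net" must not match.
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def find_hits(log_text, defanged=DEFANGED_IOCS):
    """Map each client address to the sorted list of IOC domains it queried."""
    iocs = [refang(d) for d in defanged]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        ioc = matched_ioc(m.group("name"), iocs)
        if ioc:
            hits[m.group("client")].add(ioc)
    return {client: sorted(domains) for client, domains in hits.items()}

if __name__ == "__main__":
    for client, domains in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{client}: queried {', '.join(domains)}")
```

A hit identifies the internal client that resolved the name, which is the device to inspect; the same suffix list can feed the perimeter block rule.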

Popa isn’t just a botnet—it’s a proxy-as-a-service built on stolen bandwidth. And with NetNut’s infrastructure now confirmed as its backbone, the question isn’t whether it will be dismantled, but how long it will take for the next one to emerge.

Sophie Lin - Technology Editor
