Popa Botnet Unmasked: Millions of Android TV Boxes Hijacked for Residential Proxy Operations
A vast Android-based botnet, dubbed **Popa**, has been secretly leveraging millions of consumer TV boxes for the past four years to relay internet traffic for advertising fraud, account takeovers, and data scraping. New research from multiple security firms now links **Popa** directly to **NetNut**, a "residential proxy" provider operated by the publicly traded Israeli firm **Alarum Technologies Ltd**.
For years, unsuspecting users of unofficial Android TV boxes have unknowingly been part of a sprawling botnet operation. The **Popa** botnet, unlike traditional botnets focused on destructive activities like DDoS attacks, appears to be singularly designed to establish a persistent communication layer, registering devices, maintaining encrypted connections, and opening communication tunnels on demand.
Experts suggest that **Popa** is a plugin component of the **Vo1d** botnet, a large-scale malware campaign targeting these widely available, low-cost Android-based TV boxes. These devices, often advertised to stream hundreds of subscription video services for a one-time fee, typically come pre-installed with software that transforms the user's TV into a "residential proxy."

This setup allows anyone to route their internet traffic through the compromised device, raising significant privacy and security concerns. Some of these proxy networks reportedly do little to prevent malicious customers from interacting with or even compromising systems on the unsuspecting device owner's local network.
### Tracing the Origins of Popa
The first insights into **Popa**'s origins emerged in a 2025 report by Chinese security company **XLAB**, which identified several domain names used to register and direct compromised devices. More recently, security firm **Qurium** detailed how they encountered some of these same domains while investigating extensive data scraping activities in May 2026, which involved over 1.4 million internet addresses.
**Qurium** identified dozens of domains controlling **Popa**, including **gmslb[.]net**, **safernetwork[.]io**, **tera-home[.]com**, and **ninjatech[.]io**. Further investigation revealed **gmslb[.]net** referenced in numerous pirated or modded video streaming apps such as **CRICFy**, **DooFlix**, **Sprozfy**, **RTS Tv**, **Flixoid**, **CyberFlix**, **Rapid Streamz**, **TvMob**, and **HD/OceanStreams**.
Many of the domains used by the **Popa** botnet were seized or dismantled in July 2025 following a collaborative effort by **Google**, **HUMAN Security**, and **Trend Micro** to disrupt **Badbox 2.0**, a botnet closely associated with **Vo1d**. However, **Qurium** noted that immediately after this disruption, dozens of new control domains for **Popa** were registered, with one notable exception: **ninjatech[.]io**.
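Network owners can check resolver logs for lookups of the four control domains named in this section. The sketch below is an added example, not code from Qurium, XLAB or the original article; the log layout (timestamp, client IP, query name, query type), the client addresses and the queried hostnames are constructed for illustration, and the list covers only the domains the article names.

```python
# Control domains named in the article, kept defanged as published.
DEFANGED_IOCS = ["gmslb[.]net", "safernetwork[.]io", "tera-home[.]com", "ninjatech[.]io"]

# Constructed sample resolver log (assumed format: timestamp client qname qtype).
SAMPLE_LOG = """\
2026-05-12T08:01:13Z 192.168.1.50 x.gmslb.net. A
2026-05-12T08:01:14Z 192.168.1.50 www.example.com. A
2026-05-12T08:02:40Z 192.168.1.77 notgmslb.net. A
2026-05-12T08:03:05Z 192.168.1.50 NinjaTech.io. AAAA
2026-05-12T08:03:09Z 192.168.1.23 cdn.tera-home.com.example.org. A
"""

def refang(indicator):
    """Turn a defanged indicator such as 'gmslb[.]net' into a plain domain."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def matched_ioc(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.strip().lower().rstrip(".").split(".")
    # Compare whole-label suffixes so 'notgmslb.net' does not match 'gmslb.net'
    # and a listed name used as a prefix of another zone does not match either.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def find_hits(log_text):
    """Map each client IP to the sorted list of listed domains it queried."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, _qtype = fields[:4]
        ioc = matched_ioc(qname)
        if ioc:
            hits.setdefault(client, set()).add(ioc)
    return {client: sorted(domains) for client, domains in hits.items()}

if __name__ == "__main__":
    for client, domains in find_hits(SAMPLE_LOG).items():
        print(client, "queried", ", ".join(domains))
```

A client that appears in the result is a candidate for inspection as a TV box or an app bundling the SDK; an empty result does not clear a network, because the article reports that new control domains were registered after the July 2025 disruption.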
### The NetNut Connection
**Ninjatech** is a company founded by **Moishi Kramer**, whose LinkedIn profile lists him as Vice President of Research and Development at **NetNut**. Kramer's resume credits him with helping to build and scale **NetNut** before its acquisition by **Alarum Technologies**. A listing on the job board **F6S** also identifies Kramer as the sole owner of the Ninjatech domain.

In response, Mr. Kramer stated that **Ninjatech** ceased operations approximately five years ago after selling a software development kit (SDK) called **Popa**. He claims this SDK was designed to use a small portion of a device's bandwidth with user consent and that, once distributed, the original developer has no control over modifications or deployments by third parties.
Kramer asserts that neither he nor **NetNut** builds, operates, or maintains the infrastructure described as **Popa**, nor does he control the **Ninjatech** domain. He denies registering the new domains in June 2025 and states he has no control or visibility into that infrastructure.
### Conflicting Evidence and Corporate Response
However, a separate **Popa** research report released by proxy-tracking company **Synthient** presents conflicting evidence. Their recent analysis of the **Popa** SDK revealed outbound traffic clearly associated with **NetNut**.
"The research team assesses with high confidence that devices running **Popa** forward traffic from **Netnut** clients," **Synthient** wrote. "This proves without a shadow of a doubt that **Popa** actively continues to be used by **NetNut** as part of their proxy pool."

**Alarum Technologies**, **NetNut**'s parent company, has issued a statement rejecting the characterization of their SDKs and technologies as a "botnet." They claim the reports contain "demonstrably inaccurate assertions and flawed deductions." **Alarum** states that their SDKs are designed for bandwidth-sharing functionality and do not transform user devices into malware-controlled systems.
**Alarum** emphasized that **NetNut** operates a commercial proxy network with policies, procedures, and technological measures designed to promote lawful and responsible use. They highlighted their focus on appropriate notice and consent mechanisms, customer due diligence, misuse monitoring, and steps to detect and mitigate suspicious activity.
Despite these assurances, a report released by proxy tracking service **Spur** on June 8 asserted that **NetNut** does not require corporate verification or meaningful "know your customer" procedures before allowing customers to purchase proxy access. This suggests that individuals can easily sign up, pay, and route traffic through partner address space, including that of institutions whose users never opted in.