‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm – Krebs on Security

https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/

Publish Date: 2026-06-18 16:45:04

Summary

In recent reports, cybersecurity researchers have highlighted a widespread botnet named Popa, which has utilized millions of compromised consumer TV boxes to engage in data scraping, advertising fraud, and other illicit activities. Connected to the Israeli firm NetNut, operated by Alarum Technologies Ltd, Popa’s structure is unique in botnet history; it is specifically focused on maintaining a persistent communications layer. Although Alarum Technologies denies any connection to the botnet, evidence suggests that Popa is indeed active within NetNut’s network. The botnet has contributed to major disruptive data scraping efforts and poses a significant threat due to its prevalence in the proxy service ecosystem used for AI training. With vast numbers of devices across the world still participating, many without the explicit consent of users, the botnet’s operations raise serious privacy and security concerns.

Key Points:

Popa botnet forces millions of consumer TV boxes to relay Internet traffic used for advertising fraud, data scraping, and unauthorized activities.
Popa’s unique structure maintains persistent communications, distinct from traditional botnets associated with destructive activities.
Security firms link Popa to NetNut, managed by Alarum Technologies Ltd, despite denials from the company.
Popa’s massive scale, combined with widespread proxy services reselling NetNut connections, signifies a severe threat in the industry.
The covert involvement of residential proxies in AI data training highlights the lack of transparency and user consent in these operations.