Security Researchers Link ‘Popa’ Botnet to Israeli Proxy Provider NetNut
Security researchers have traced the “Popa” botnet to proxy provider NetNut, a subsidiary of publicly traded Alarum Technologies. The trail leads to an Alarum executive and a company registered in Latvia in 2020.
- Qurium, Synthient, and the Nokia Deepfield team have traced the Android botnet “Popa,” a component of the “Vo1d” botnet, to NetNut, the proxy provider owned by NASDAQ-listed Alarum Technologies.
- According to Qurium, the code was found in numerous pirated streaming apps, the torrent client MediaGet, the VPN service RoboVPN, and the Android TV YouTube client SmartTube.
- A central lead points to Moshe Yehuda Kramer, who registered the company NinjaTech SIA in 2020 and today serves as SVP Research & Development at NetNut and Chief Strategy & Innovation Officer at Alarum Technologies; Alarum denies the allegations.
Security researchers from the Qurium Media Foundation, working with the Nokia Deepfield Emergency Response Team and the firm Synthient, have traced the long-running Android botnet “Popa” to NetNut, a “residential proxy” provider owned by the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR). The findings come from a Qurium report published on June 18, also covered by security journalist Brian Krebs in a report on KrebsOnSecurity.
The investigation began after a scraping attack in May 2026 targeted the website of Arab Reporters for Investigative Journalism (ARIJ), an organization hosted by Qurium. The site received requests from roughly 1.35 million unique IP addresses, spread across more than 7,300 autonomous systems and 223 country codes. According to Qurium, this traffic pattern matched NetNut’s proxy model — the company itself states that it scrapes content at scale without using proxies.
Popa, the researchers say, is not standalone malware but an add-on component of the Android botnet “Vo1d.” Vo1d registers and controls compromised devices, while Popa establishes a tunnel connection to the proxy infrastructure on top of that access. The Chinese security firm XLab documented a Vo1d variant in February 2025 that at the time affected roughly 1.6 million Android TV boxes worldwide.
According to Qurium, the code was found in numerous pirated streaming apps, as well as in the torrent client MediaGet and the VPN service RoboVPN. RoboVPN is operated by CyberKick, a business unit acquired by the Safe-T Group in 2021 — the company that later became Alarum Technologies. The popular Android TV YouTube client SmartTube was also affected, according to the researchers: the manipulation was discovered in November 2025 but traced back to version 28.56, released in June — meaning Popa, according to Qurium, ran undetected for at least five months.
A central lead in the report points to Moshe (Moishi) Yehuda Kramer, who registered the company NinjaTech SIA in Riga in 2020. The company was liquidated in 2022, but its domain continued to serve as a control server for Popa. According to Qurium, Kramer is SVP Research & Development at NetNut; according to Alarum’s own website, he also serves as Chief Strategy & Innovation Officer at Alarum Technologies.
Responding to an inquiry from Qurium, he stated that NinjaTech ceased operations years ago and cautioned against drawing premature conclusions from historical associations. Alarum Technologies denies the allegations. According to a company statement, the reports by Qurium and Synthient contain inaccurate assertions and flawed deductions.
In a more detailed response to Krebs, Kramer said the SDK NinjaTech sold roughly five years ago was called “Popa” and was designed for user-driven consent and low bandwidth usage. Once sold and relicensed, he said, the original developer no longer has control over how third parties later modify or deploy the code. Neither he nor NetNut, Kramer said, registered or operated the control domains registered in June 2025.
The SDKs in question, Alarum says, are designed to facilitate voluntary bandwidth-sharing and do not turn devices into malware-controlled systems. NetNut, the company states, operates a commercial proxy network with consent mechanisms and safeguards against misuse.
Sources: Qurium Media Foundation, KrebsOnSecurity
Frequently Asked Questions About Popa and NetNut
Popa is not standalone malware but an add-on component (SDK) of the Android botnet ‘Vo1d.’ On devices already compromised by Vo1d, it establishes a tunnel connection to a proxy infrastructure, turning the device into a relay node for third-party Internet traffic.
Qurium describes several technical and personnel overlaps: a library used within the Popa ecosystem was also found in the VPN service RoboVPN, operated by CyberKick, now part of Alarum Technologies. Additionally, Moshe Yehuda Kramer — who according to Qurium serves as SVP Research & Development at NetNut, and according to Alarum’s own website also as Chief Strategy & Innovation Officer at Alarum Technologies — registered the company NinjaTech SIA in 2020, whose domain continued to serve as a control server for Popa.
Alarum Technologies denies the allegations, describing the reports by Qurium and Synthient as inaccurate and based on flawed conclusions. The company states that the SDKs in question are designed for voluntary bandwidth-sharing and do not turn devices into malware-controlled systems. NetNut, Alarum says, operates a commercial proxy network with consent mechanisms in place.











