IP address reputation is one of the oldest trust signals in security, and the residential proxy market has quietly made it close to worthless. When a login, a checkout, or a bulk request arrives from a home broadband address, most fraud and access systems score it as low risk. A botnet called Popa is one reason that assumption now fails. Researchers say it has turned millions of cheap streaming boxes into a rental pool of clean-looking residential addresses that attackers can route through at will.
The reporting, led by Brian Krebs and built on work from several research teams, links Popa to NetNut, a residential proxy provider operated by the publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). Alarum disputes that characterization, and we treat the link as contested below. But the attribution is not the part that should change how you defend. This is: the address an attacker signs in from no longer tells you much about who they are.
What Popa actually is
Popa is an Android botnet that runs as an add-on to a larger malware family called Vo1d, which targets off-brand Android TV boxes sold under thousands of names. It arrives preinstalled in pirated streaming apps on those devices. Once live it does one job: register the box, hold an encrypted tunnel open, and relay other people's internet traffic on demand. The victim here is the person who bought a cheap streaming box, not a breached company.
The scale is the whole point. Lumen's Black Lotus Labs put the network at 1.5 to 2.5 million distinct IP addresses on a typical day, steered by a few hundred control servers, with individual relay nodes each serving tens of thousands of clients at once. That is enough residential address space to make a sustained attack read as ordinary household traffic.
Why this defeats controls you already run
Three common defenses assume a residential IP is a low-risk IP. Popa breaks all three.
Risk-based authentication. Many login systems add friction, a step-up multi-factor prompt or a block, when a sign-in comes from a datacenter or a flagged network. Route a credential-stuffing or account-takeover attempt through a real home connection, often in the victim's own city, and the risk engine waves it through. The same logic that lets a user skip a prompt from a known-good location is the logic an attacker rents by the hour.
IP reputation and geo-blocking. Blocklists and reputation feeds are built for hosting and datacenter ranges. A pool of millions of rotating consumer addresses has no stable entry to block, and blocking a residential ISP wholesale takes out real customers. It is the same blind spot we covered when DragonForce hid its command channel inside Microsoft Teams traffic. When the carrier looks legitimate, signature and reputation matching has nothing to grab.
Scraping defenses. Anti-bot services throttle datacenter IPs hard, so residential proxies are sold specifically to get around that. Mass scraping to feed AI training is now one of the largest buyers of this traffic, which means demand, and the botnets that supply it, are growing rather than shrinking. Plan detections for a world where this gets worse.
The relay node may already be on your network
This is the part the coverage underplays. The same proxy plumbing ships inside ordinary consumer software. Infoblox reported that about 65 percent of its enterprise customers query proxy-related domains, with high rates among banking and government networks. Separate analysis found residential proxy code embedded in a large share of smart-TV apps for major platforms. A break-room television, a personal phone on guest wifi, or a contractor's tablet can become a relay node and an outbound data path inside your perimeter. If you treat consumer devices as harmless because they are not servers, you are carrying egress risk you never inventoried.
What to do this week
Stop treating a residential IP as evidence of anything, and move detection onto signals the proxy cannot launder.
- Hunt your resolver and proxy logs for the published control domains. The three named so far are ninjatech[.]io (the one central to the attribution), plustera-home[.]com and gmslb[.]net. Alert on any internal host reaching them.
- Shift account-takeover detection off IP and onto behavior: sign-in velocity, impossible action sequences, device-fingerprint mismatches, and headless-client tells. These survive an address change; a blocklist does not. Our ClickFix writeup makes the same case for detecting behavior over the artifact.
- Segment consumer IoT and smart TVs onto an isolated network and monitor their outbound traffic. A TV that suddenly opens long-lived encrypted tunnels to rotating endpoints is not streaming.
- Re-weight risk scoring so residential network ranges are neutral, not protective. Reserve auto-approve for signals you control, like a registered device or a passkey.
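As an added example, not code from the article or from any of the research teams it cites, the Python below puts two of the items above into working form. The first half hunts constructed resolver log lines for the three control domains the article names, matching subdomains on label boundaries so that a look-alike such as notninjatech.io does not fire. The second half scores sign-ins two ways: the residential-discount scoring the article warns against, and a version where a residential source is neutral and only signals the proxy cannot launder (per-account velocity, device registration, passkey use, headless-client tells) move the score. The dnsmasq-style log format, the thresholds and weights, and the sample events are assumptions chosen for illustration.

```python
"""Added example: resolver-log hunt for the published Popa control domains, plus a
sign-in risk scorer that treats residential addresses as neutral. All log lines
and sign-in events here are constructed, not real captures."""
import re
from datetime import datetime, timedelta

# The three control domains named in the article, kept in defanged form.
CONTROL_DOMAINS_DEFANGED = ["ninjatech[.]io", "plustera-home[.]com", "gmslb[.]net"]


def refang(domain):
    """Turn 'example[.]com' into a real, lowercased hostname with no trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


CONTROL_DOMAINS = {refang(d) for d in CONTROL_DOMAINS_DEFANGED}


def matches_control_domain(qname, watchlist=CONTROL_DOMAINS):
    """True if qname equals a watchlisted domain or is a subdomain of one.
    The leading '.' in the suffix test keeps 'notninjatech.io' from matching."""
    name = refang(qname)
    return any(name == d or name.endswith("." + d) for d in watchlist)


# Constructed dnsmasq-style query lines: 'query[TYPE] name from client'. (Assumed format.)
SAMPLE_DNS_LOG = """\
Mar  3 09:12:01 resolver dnsmasq[812]: query[A] www.example.org from 10.20.4.17
Mar  3 09:12:05 resolver dnsmasq[812]: query[A] cdn.ninjatech.io from 10.20.9.44
Mar  3 09:12:06 resolver dnsmasq[812]: query[A] notninjatech.io from 10.20.4.17
Mar  3 09:12:09 resolver dnsmasq[812]: query[AAAA] plustera-home.com from 10.20.9.44
Mar  3 09:12:11 resolver dnsmasq[812]: query[A] api.gmslb.net. from 10.20.12.3
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def hunt_dns_log(log_text):
    """Return (client_ip, queried_name) for every lookup of a control domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_control_domain(m["qname"]):
            hits.append((m["client"], refang(m["qname"])))
    return hits


def score_signin_legacy(event):
    """The pattern the article warns against: a residential source lowers the score,
    which is exactly the discount a rented proxy address buys. Weights are illustrative."""
    score = 50
    if event["network"] == "residential":
        score -= 30
    elif event["network"] == "datacenter":
        score += 30
    return score


def score_signin_neutral(event, history, window=timedelta(minutes=10), max_attempts=5):
    """Residential is neutral. Only signals the proxy cannot launder move the score.
    history maps account -> list of earlier attempt timestamps. Weights are illustrative."""
    score = 50
    if event["network"] == "datacenter":
        score += 30  # still suspicious; the point is that residential earns no discount
    recent = [t for t in history.get(event["account"], []) if event["ts"] - t <= window]
    if len(recent) >= max_attempts:
        score += 30  # sign-in velocity on the account
    if not event["device_registered"]:
        score += 20
    if event["headless_client"]:
        score += 25
    if event["passkey"]:
        score -= 40  # a signal the service controls, per the last bullet above
    return max(0, min(100, score))


T0 = datetime(2026, 3, 3, 9, 12, 0)

# Constructed: one account hit eight times in ten minutes through a home address from an
# unregistered headless client. Legacy scoring sees only the home address.
ATTACK_HISTORY = {"alice": [T0 + timedelta(minutes=i) for i in range(8)]}
ATTACK_EVENT = {"account": "alice", "ts": T0 + timedelta(minutes=9), "network": "residential",
                "device_registered": False, "headless_client": True, "passkey": False}

# Constructed: the real owner, also from a home address, with a registered device and passkey.
OWNER_EVENT = {"account": "bob", "ts": T0, "network": "residential",
               "device_registered": True, "headless_client": False, "passkey": True}


def compare_scores():
    """Both scorers on both constructed events; legacy cannot tell them apart."""
    return {
        "attack_legacy": score_signin_legacy(ATTACK_EVENT),
        "attack_neutral": score_signin_neutral(ATTACK_EVENT, ATTACK_HISTORY),
        "owner_legacy": score_signin_legacy(OWNER_EVENT),
        "owner_neutral": score_signin_neutral(OWNER_EVENT, {}),
    }


if __name__ == "__main__":
    for client, name in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT internal host {client} resolved control domain {name}")
    print(compare_scores())
```

Run against the constructed input, the hunt flags three of the five queries (the look-alike and the unrelated lookup pass), and the legacy scorer gives the attacker and the account owner the identical score of 20 because both arrive from a home address, while the neutral scorer separates them at 100 and 10. The trailing-dot and defanged-notation handling in `refang` matters in practice: resolver logs, threat feeds and write-ups each spell the same domain differently, and a watchlist that is not normalized misses hits.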
The attribution, and why it is contested
The link to NetNut rests on infrastructure overlap. After a 2025 takedown effort, new Popa control domains appeared, and one of them, ninjatech[.]io, traces to a company founded by a person listed as NetNut's head of research and development. The proxy-tracking firm Synthient assessed that devices running Popa forward traffic for NetNut customers. Other researchers found that signing up for the service required little more than a throwaway email and a few dollars in cryptocurrency, and that none of the streaming apps carrying the proxy code asked users for consent. Alarum rejects the botnet label, says its software does consensual bandwidth sharing, and calls the findings inaccurate. The dispute is real, so do not state operator intent as settled fact. Your defenses do not depend on resolving it.
The uncomfortable takeaway is that this is a market, not a one-off campaign. As long as buyers will pay for clean residential traffic to scrape, defraud, and stuff credentials, someone will supply the addresses, and a budget streaming box is a cheap place to harvest them. The IP has been a leaky identity signal for years. Treat it as finished, and build the detections that work after it is gone.