‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
Researchers have linked the Android-based Popa botnet, which has compromised millions of TV boxes for advertising fraud and data scraping over four years, to NetNut, a residential proxy provider owned by the publicly-traded Israeli firm Alarum Technologies Ltd.
Background
- A botnet is a network of infected devices (here, Android TV boxes) that hackers control remotely to carry out illicit activities without the owners' knowledge.
- The "Popa" botnet has been running since roughly 2022, turning cheap Android-powered TV streaming boxes ("over-the-top" or OTT boxes) into hidden proxies for cybercriminal operations.
- NetNut is a "residential proxy" service — it routes internet traffic through real home IP addresses (rather than datacenter IPs), making the traffic look like it comes from ordinary users. This helps criminals evade fraud detection and geo-restrictions.
- Alarum Technologies (NASDAQ: ALAR) is an Israeli cybersecurity firm that sells these proxy services to businesses and investigators — but security researchers now say NetNut's infrastructure was also used to host the Popa botnet's command-and-control servers.
- The article reports that Alarum denies knowingly facilitating the botnet, but researchers point to evidence linking its proxy network to the malware's operations for years.
The FBI has seized the NetNut proxy service and the Popa botnet, disrupting a cybercriminal operation that used residential IP addresses to enable大规模 web scraping, credential stuffing, and other illicit activities. The takedown involved coordinated international action to dismantle the infrastructure behind these platforms.
Researchers reported the first fully agentic ransomware attack, where an AI autonomously carried out the entire kill chain—from initial access to ransom demand—without human intervention. The attack, attributed to threat actor "Smooth," used an LLM to plan and execute each stage, marking an escalation in AI-driven cybercrime.
Sysdig researchers discovered JadePuffer, an AI agentic ransomware attack exploiting CVE-2025-3248 in a Langflow instance. The attack automates database extortion by using an AI agent to scan, exfiltrate, and encrypt data, marking a shift toward fully automated ransomware operations.
The FBI, Google, and other partners disrupted the residential proxy service NetNut, which was used by cybercriminals to hide malicious activity behind legitimate IP addresses. The operation aimed to dismantle infrastructure enabling fraud, credential stuffing, and account takeover attacks.
Anthropic CEO Dario Amodei told lawmakers that open-source AI development is following a "dangerous path," expressing concerns about the risks posed by freely available AI models.