The cybercriminals behind the disruptive Kimwolf botnet recently shared a screenshot indicating they've compromised the control panel for Badbox 2.0, a vast China-based botnet. Both the FBI and Google are hunting for the people behind this botnet, thanks to these revelations from the Kimwolf botmasters.
Kimwolf has infected more than two million devices by spreading through unique and highly invasive methods, primarily targeting unofficial Android TV boxes sold as a way to watch unlimited (pirated) movie and TV streaming services. In our January 8 story, ‘Who Benefitted from the Aisuru and Kimwolf Botnets?’, we cited sources indicating that the current administrators of Kimwolf use the nicknames ‘Dort’ and ‘Snow’.
A screenshot shared by a former associate of Dort and Snow reveals seven authorized users of the Badbox 2.0 botnet control panel, including one account known as ‘ABCD’. This account was added despite not matching other entries, indicating that ‘Dort’ managed to add their email address as a valid user.
Badbox 2.0 has a storied history that predates Kimwolf’s rise in October 2025. In July 2025, Google filed a lawsuit against 25 unidentified defendants accused of operating Badbox 2.0, describing it as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud.
Further investigation into the email addresses in the screenshot points to potential ties between the administrators and several Chinese technology companies. The address 34557257@qq.com (user ‘Chen’) is listed as a point of contact for multiple companies, including Beijing Hong Dake Wang Science & Technology Co Ltd. and Beijing Hengchuang Vision Mobile Media Technology Co. Ltd. These connections are further highlighted by domains associated with these companies, such as moyix[.]com, which were flagged in a 2025 report by HUMAN Security.