Who Operates the Badbox 2.0 Botnet?

Summary: A recent revelation suggests that the Kimwolf botmasters, known for their disruptive methods, have gained control over the Badbox 2.0 botnet. This discovery could significantly impact cybersecurity efforts and highlight the complex nature of botnet operations.

The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they had compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to boasting by the Kimwolf botmasters, we may now have a much clearer idea about that.

Our first story of 2026, titled 'The Kimwolf Botnet is Stalking Your Local Network,' detailed the unique and highly invasive methods Kimwolf uses to spread. The story warned that the vast majority of Kimwolf-infected systems were unofficial Android TV boxes marketed as a way to watch unlimited (pirated) movie and TV streaming services for a one-time fee.

Our January 8, 2026, story, 'Who Benefited from the Aisuru and Kimwolf Botnets?', cited multiple sources saying that the current administrators of Kimwolf went by the nicknames 'Dort' and 'Snow'. Earlier this month, a close former associate of Dort and Snow shared what they said was a screenshot taken by the Kimwolf botmasters while logged in to the Badbox 2.0 botnet control panel.

That screenshot shows seven authorized users of the control panel, including one that doesn't quite match the others: according to my source, the account 'ABCD' (the one logged in and listed in the top right) belongs to Dort, who somehow figured out how to add their email address as a valid user on the Badbox 2.0 botnet.

Badbox has a storied history that predates Kimwolf’s rise in October 2025. In July 2025, Google filed a ‘John Doe’ lawsuit (PDF) against 25 unidentified defendants accused of operating Badbox 2.0, which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud. Google said Badbox 2.0 could compromise multiple types of devices prior to purchase and also infect them by requiring the download of malicious apps from unofficial marketplaces.

Google’s lawsuit came on the heels of a June 2025 FBI advisory, which warned that cyber criminals were gaining unauthorized access to home networks by configuring products with malware before the user's purchase or infecting devices as they downloaded required applications containing backdoors — usually during setup. The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024. The original Badbox, identified in 2023, primarily consisted of Android operating system devices (TV boxes) compromised with backdoor malware prior to purchase.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet. That is, until we began investigating the history of the qq.com email addresses in the screenshot above.

Key facts

  • Kimwolf botnet infected over 2 million devices.
  • Badbox 2.0 botnet compromised by Kimwolf botmasters.
  • Botnets engage in advertising fraud and pre-purchase device compromise.
  • Kimwolf administrators include 'Dort' and 'Snow'.
  • qq.com email addresses linked to Badbox 2.0 operations.

Why it matters

Identifying the operators of the Badbox 2.0 botnet could significantly impact cybersecurity efforts and highlight the complex nature of botnet operations. This discovery may lead to more robust countermeasures against cybercriminals and improve overall security measures for devices with pre-installed malicious software.

Key metrics

  • Devices Infected by Kimwolf: Over 2 million devices (This figure indicates the extensive reach of the Kimwolf botnet, highlighting its impact on global cybersecurity.)
  • Defendants in Google's Lawsuit Against Badbox 2.0: 25 unidentified defendants (Google filed a lawsuit against numerous entities suspected of operating the Badbox 2.0 botnet, underscoring its widespread presence.)