A cybercriminal group controlling the Kimwolf botnet, which has infected more than 2 million devices, shared a screenshot showing they had gained access to the control panel for Badbox 2.0, a China-based botnet running on malicious software pre-installed on Android TV streaming boxes. The screenshot, shared by a former close associate of the Kimwolf operators, may offer the clearest public identification yet of who runs Badbox 2.0.
Both the FBI and Google have been actively pursuing the operators behind Badbox 2.0. The Kimwolf botmasters, known by the nicknames “Dort” and “Snow”, apparently found a way to add Dort’s email address as a valid user of the Badbox 2.0 control panel. The panel lists seven authorized accounts. The account labeled “ABCD”, shown as actively logged in at the top right of the screenshot, is attributed to Dort.
What the Control Panel Screenshot Reveals
Another of the seven listed accounts, identified as “Chen”, uses the email address 34557257@qq.com. Public records link that address to several China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co. Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd.
The website for Beijing Hong Dake Wang Science is asmeisvip[.]net, a domain flagged in a March 2025 report by HUMAN Security as tied to the distribution and management of Badbox 2.0. The domain moyix[.]com, associated with Beijing Hengchuang Vision Mobile, was flagged in the same report.
Tracing the Identity Behind the Account
Breach tracking service Constella Intelligence found that 34557257@qq.com was once associated with the password “cdh76111”. That same password appears connected to just two other email accounts: daihaic@gmail.com and cathead@gmail.com.
Constella records show cathead@gmail.com registered an account on JD.com, China’s largest online retailer, in 2021 under the name 陈代海, or Chen Daihai. Domain registration records at DomainTools.com show that same name in the original 2008 registration for moyix[.]com, alongside the email address cathead@astrolink[.]cn.
Badbox 2.0’s History and Scale
Badbox 2.0 did not appear without precedent. The original Badbox campaign was identified in 2023, primarily targeting Android TV boxes shipped with backdoor malware already embedded. That operation was disrupted in 2024. The FBI disclosed Badbox 2.0’s existence in a June 2025 advisory, warning that criminals were compromising home networks either by configuring devices with malware before purchase or by pushing malicious apps during the setup process.
In July 2025, Google filed a civil lawsuit against 25 unidentified defendants, describing Badbox 2.0 as a botnet spanning over 10 million unsanctioned Android streaming devices engaged in advertising fraud. Google noted the botnet can also spread by requiring users to download apps from unofficial marketplaces.
- Badbox 2.0 flagged by FBI in June 2025
- Google lawsuit filed July 2025 against 25 unnamed defendants
- Botnet estimated at over 10 million compromised devices
- Domain moyix[.]com tied to Chen Daihai since 2008
- Kimwolf botnet separately infecting more than 2 million devices
The Kimwolf operators’ apparent infiltration of a rival botnet’s control panel is an unusual development. It has inadvertently produced a trail of digital evidence that investigators at the FBI and Google may find useful in their ongoing efforts to identify and prosecute those responsible for one of the largest Android-based fraud operations ever documented.
This article is a curated summary based on third-party sources.