Who Operates the Badbox 2.0 Botnet?

Credit: Original reporting by Brian Krebs, KrebsOnSecurity (2026).

BadBox 2.0 isn’t just another botnet — it’s a full‑blown criminal service built on hacked Android devices, quietly spreading through cheap phones and TV boxes sold online. What makes this version different is how organized it is. Instead of a random collection of infected devices, BadBox 2.0 looks more like a business operation: someone is running it, maintaining it, and selling access to it.

Researchers found that the botnet is tied to a network of shady vendors who preload malware into low‑cost Android devices before they’re even shipped. Once powered on, the devices connect to BadBox’s command servers, turning everyday consumer electronics into part of a global fraud machine.

The people behind BadBox 2.0 use these hijacked devices for everything from fake ad traffic to credential theft. And because the malware is baked into the firmware, it’s almost impossible for the average user to remove.

The big question — who’s actually running this thing?

Investigators have traced pieces of the operation back to companies and individuals in China, but the structure is intentionally fragmented. It’s a supply‑chain problem: manufacturers, distributors, and software vendors all play a role, whether knowingly or not.

BadBox 2.0 shows how cybercrime has evolved. It’s not just hackers breaking into systems — it’s entire ecosystems quietly building compromised devices at scale. And unless the supply chain changes, this won’t be the last botnet built into the hardware people buy every day.