In a development that could help unmask the operators of one of the largest botnets in circulation, the cybercriminals behind the Kimwolf botnet, which has already ensnared more than two million devices, have inadvertently provided clues to the identities of the people running the vast China-based Badbox 2.0 botnet. A recently shared screenshot, allegedly taken by Kimwolf’s administrators, shows them logged into the Badbox 2.0 control panel and lists the panel’s authorized users. Both the Federal Bureau of Investigation (FBI) and Google have been investigating Badbox 2.0, and the details visible in that screenshot may accelerate their efforts.
The Kimwolf botnet, known for its highly invasive propagation methods, primarily targets unofficial Android TV streaming boxes that are often marketed as a one-time purchase for unlimited pirated content. As detailed in a January 2026 KrebsOnSecurity report titled "The Kimwolf Botnet is Stalking Your Local Network," the malware takes advantage of the weak security of these devices to spread rapidly across the local networks they sit on.
A January 8, 2026, KrebsOnSecurity article, "Who Benefitted from the Aisuru and Kimwolf Botnets?", identified the purported administrators of Kimwolf by the aliases "Dort" and "Snow." The recent screenshot, shared by a former close associate of Dort and Snow, depicts seven authorized users of the Badbox 2.0 control panel. Notably, the account logged in at the top right of the screenshot, labeled "ABCD," is reportedly registered to an email address belonging to Dort, who appears to have gained unauthorized access to the Badbox 2.0 infrastructure. As explained further below, that access matters because it would let the Kimwolf operators reach the devices Badbox 2.0 already controls.

The Badbox 2.0 botnet has a substantial history, predating Kimwolf’s emergence in October 2025. In July 2025, Google filed a "John Doe" lawsuit against 25 unidentified defendants accused of operating Badbox 2.0. Google’s complaint described it as a botnet of more than ten million unsanctioned Android streaming devices engaged in widespread advertising fraud. Badbox 2.0 compromises devices either before they are sold or by infecting them through malicious applications downloaded from unofficial marketplaces. The lawsuit followed a June 2025 FBI advisory warning that cybercriminals were gaining access to home networks through devices that shipped with malware pre-installed, or that were infected when the owner downloaded a required application containing a backdoor, often during initial setup. Badbox 2.0 emerged after the disruption in 2024 of the original Badbox campaign, which was identified in 2023 and consisted mainly of Android TV boxes backdoored before they reached consumers.
KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked into the Badbox 2.0 control panel. A closer look at the history of the QQ.com email addresses visible in the screenshot, however, began to support it.
One address, [email protected], listed as the user "Chen" in the Badbox 2.0 panel, is linked to several China-based technology companies, including Beijing Hong Dake Wang Science & Technology Co. Ltd., Beijing Hengchuang Vision Mobile Media Technology Co. Ltd., and Moxin Beijing Science and Technology Co. Ltd. The website of Beijing Hong Dake Wang Science, asmeisvip[.]net, was flagged in a March 2025 report by HUMAN Security as one of many domains used to distribute and manage the Badbox 2.0 botnet. The same report lists moyix[.]com, the website of Beijing Hengchuang Vision Mobile.
Further investigation through the breach tracking service Constella Intelligence revealed that the email address [email protected] once used the password "cdh76111." A pivot on this password within Constella’s database identified two other email accounts that had used the same password: [email protected] and [email protected]. Constella also found that [email protected] registered an account on JD.com, China’s largest online retailer, in 2021 under the name "Chen Daihai." DomainTools.com records indicate that Chen Daihai is associated with the original registration of moyix[.]com in 2008, along with the email address cathead@astrolink[.]cn. Notably, astrolink[.]cn is also among the Badbox 2.0 domains identified in HUMAN Security’s 2025 report. DomainTools further shows that cathead@astrolink[.]cn was used to register over a dozen domains, including vmud[.]net, another domain identified by HUMAN Security as part of the Badbox 2.0 infrastructure.

An archived copy of astrolink[.]cn on archive.org further strengthens the "Chen Daihai" connection. The cached site belongs to a mobile app development company, Beijing Astrolink Wireless Digital Technology Co. Ltd., and its "Contact Us" page lists Chen Daihai in the company’s technology department, alongside a Zhu Zhiyu whose email address is given as xavier@astrolink[.]cn.
The user "Mr.Zhu" in the Badbox 2.0 panel used the email address [email protected]. A Constella search on that address turns up a JD.com account registered under the name Zhu Zhiyu. A distinctive password used by that account is identical to one used by [email protected], which DomainTools identifies as the original registrant of astrolink[.]cn. The overlap between Chen Daihai and Zhu Zhiyu, and their historical ties to domains implicated in Badbox 2.0 operations, strongly suggests both are involved.
The "admin" account in the Badbox 2.0 panel, registered in November 2020, used the email address [email protected]. DomainTools records link this email to the 2022 registration of the domain guilincloud[.]cn under the registrant name "Huang Guilin." Constella associates [email protected] with the Chinese phone number 18681627767. The open-source intelligence platform osint.industries links that number to a Microsoft profile created in 2014 under the name Guilin Huang, and the cyber intelligence platform Spycloud indicates the same number was used in 2017 to create a Weibo account with the username "h_guilin."
The remaining three users and their QQ.com email addresses in the Badbox 2.0 control panel screenshot were also traced to individuals in China. Unlike Chen Daihai and Zhu Zhiyu, however, these individuals, Mr. Huang included, showed no apparent direct connection to known Badbox 2.0 operational entities or corporate structures. None of them responded to requests for comment. A mind map compiled by KrebsOnSecurity from pivots on the email addresses, company names, and phone numbers points to a tangible link between Chen Daihai, Zhu Zhiyu, and the Badbox 2.0 botnet.

The prospect of the Kimwolf botmasters having direct access to the Badbox 2.0 control panel is significant chiefly because of how Kimwolf spreads. Kimwolf’s operators found a way to abuse residential proxy services to relay malicious commands to vulnerable devices sitting behind the firewalls of unsuspecting users on their local networks. Kimwolf’s primary targets are Internet of Things (IoT) devices such as unsanctioned Android TV boxes and digital photo frames, which often expose services with no meaningful security or authentication. Because those services accept commands from anything on the local network, a single command sent through a proxy endpoint on the same LAN is enough to compromise such a device.
Earlier research from the proxy-tracking firm Synthient, covered in a January 2, 2026, KrebsOnSecurity story, alerted 11 residential proxy providers to weaknesses in their services that allowed this kind of local-network probing and exploitation. Many of those providers have since blocked their proxy endpoints from being used to reach the networks behind them, which appears to have curtailed Kimwolf’s ability to infect millions of devices at speed.
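The fix those providers applied amounts to an egress gate on the exit node: before relaying a customer’s request, refuse any destination that resolves to the node’s own local network or another non-public range. The code below is an added example of such a gate and is not code from Synthient, from any proxy provider, or from the original report. It assumes a CONNECT-style target of the form `host:port`, and the stub DNS answers are constructed for offline demonstration; it also handles two ways an attacker might slip past a naive check, IPv4-mapped IPv6 literals and split DNS answers.

```python
"""Egress gate for a residential-proxy exit node (added example, not a
provider's code).  Rejects relay requests whose destination is on the exit
node's own LAN or any other non-public range, so a remote customer cannot
use the proxy as a foothold into the home network behind it."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Ranges an exit node must never relay to.  The NAT64 prefix is included
# because 64:ff9b::<v4> would reach a LAN host on a node that has NAT64.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",   # CGNAT, common on residential links
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local / cloud metadata
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved, includes broadcast
    "::/128",          # unspecified
    "::1/128",         # loopback
    "fc00::/7",        # unique local
    "fe80::/10",       # link-local
    "ff00::/8",        # multicast
    "64:ff9b::/96",    # NAT64 well-known prefix
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr_text: str) -> bool:
    """True if a literal address falls in a range the node must not relay to."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop any zone id
    # "::ffff:10.0.0.1" is 10.0.0.1 in disguise; check the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_destination(host: str, resolver: Resolver = system_resolver) -> List[str]:
    """Resolve once, vet every answer, and return the vetted addresses.

    The caller must connect to one of the returned addresses rather than
    re-resolving the name; a second lookup could return a different, private
    answer (DNS rebinding).  A split answer with any blocked address fails
    closed, since the attacker controls which answer the name returns."""
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise PermissionError(f"{host}: no addresses")
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:
        raise PermissionError(f"{host}: resolves to non-public address {blocked[0]}")
    return addrs


def vet_connect_target(target: str, resolver: Resolver = system_resolver) -> Tuple[str, int]:
    """Parse 'host:port' or '[v6]:port' and return (address, port) to dial."""
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        port_text = rest.lstrip(":") or "443"
    else:
        host, _, port_text = target.partition(":")
        port_text = port_text or "443"
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port_text}")
    return resolve_destination(host, resolver)[0], port


def is_relay_allowed(target: str, resolver: Resolver = system_resolver) -> bool:
    """Policy decision for the proxy's request handler."""
    try:
        vet_connect_target(target, resolver)
        return True
    except (PermissionError, ValueError):
        return False


# Constructed stub DNS table for offline use; none of these are real records.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges standing in for
# public addresses here (a stricter gate would also require addr.is_global).
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10", "2001:db8::10"],
    "rebind.example.com": ["203.0.113.20", "192.168.1.1"],  # split answer
    "tvbox.lan": ["192.168.1.50"],
}


def stub_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for t in ("cdn.example.com:443", "tvbox.lan:5555",
              "rebind.example.com:80", "[::ffff:10.0.0.1]:80"):
        print(f"{t:28} allowed={is_relay_allowed(t, stub_resolver)}")
```

The resolve-then-dial discipline is the part most often missed: a gate that checks the hostname against a blocklist but then hands the name to a connect() call can be rebound to a LAN address between the two lookups.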
The source who provided the Badbox 2.0 screenshot said the Kimwolf botmasters had a way around those fixes: undisclosed access to the Badbox 2.0 botnet’s control panel. "Dort has gotten unauthorized access," the source stated. "So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load the Kimwolf malware directly onto TV boxes associated with Badbox 2.0." How Dort gained access to the Badbox panel remains unclear. That access is likely to be short-lived, however: KrebsOnSecurity contacted every QQ.com address listed in the panel, shared the screenshot, and asked about the anomalous "ABCD" account, and those inquiries will probably have prompted the Badbox 2.0 operators to revoke it. The episode illustrates how interconnected large cybercriminal operations can be, where a breach of one botnet’s infrastructure becomes a propagation channel for another.

