Hacked - BADBOX 2.0
Episode Date: November 2, 2025
Hey, maybe don't buy that $14 projector off Amazon. In this episode, we dive into the sequel nobody asked for: BADBOX 2.0 — the return of last year's botnet built out of bargain-bin Android gadgets. Google just filed a lawsuit in federal court alleging that millions of sketchy streaming boxes, projectors, and mystery electronics were shipped pre-infected from factories overseas. The moment someone plugs one in, it joins a global botnet used for ad fraud, click fraud, and even to rent out your home internet connection to criminals. We talk to the team at HUMAN Security, the researchers credited in Google's suit, about how they traced this thing across 222 countries, why it came back bigger than before, and how you even begin to kill a botnet that ships itself directly to people's living rooms.
Transcript
That was pretty cool. It was cool and it was scary at the same time. We were like, how deep does this go at this point? You know, and we were looking and I still look at these as kind of like, they're like sleeper cells.
So Google recently filed a lawsuit in New York federal court. And I was reading it. And I thought to myself, this sounds very familiar. And I want to see if you recognize it's got.
Also, I just have a quick question.
When you're on planes, do you often just read legal filings?
Because I think that was maybe a kickoff to an episode like two or three episodes ago
where you had spent the entire plane ride, just reading a court case.
It's a very personal question, Scott.
And I'm offended that you would ask.
The lawsuit.
Yes, I do.
The lawsuit.
Is Google versus 25 different Does, as in John Does, as in Google versus 25 anonymous defendants?
Google alleges basically that a group of currently unknown operators ran a botnet built out of millions of cheap, uncertified Android devices.
TV boxes, tablets, projectors, the kind of sketchy consumer electronic slop you see on, like, Amazon, and you're like, how is anything this cheap, let alone a projector?
According to Google, the devices were coming pre-compromised from the factory.
And once people plugged them in at home and connected them to the internet, the device then connected and became a node in this giant botnet,
a swarm of computers that the operators could use for ad fraud or click fraud,
or even to sell people's home internet connections as, like, residential proxies for other cybercrime.
Control a bunch of compromised internet-connected computers,
and you can get into all kinds of very profitable trouble with it.
The idea here is you ship the devices already infected
and let the end user just plug it in for you.
And I thought, this sounds so much like a crime spree that we reported on last year called Badbox.
The name of the botnet in this lawsuit filed by Google, Badbox 2.0.
Oh, shocking.
And who does Google credit with the joint research into Badbox 2.0 that led to this lawsuit?
The same folks we talked to last year.
So?
So.
We've got those people back.
We've got our first, call it a sequel episode.
Scott.
Oh.
Bad box two.
Bad box two.
Part two.
Two bad two box.
We'll update the previous episode to be part one.
Bad box two box harder.
The bad box rises.
Bad box 2049.
I have so many of these.
The supply chain attacks, like the things like this, like, you know, coming pre-compromised, being delivered out into the world, people plugging them in, them seamlessly functioning as they're supposed to.
You got it.
But then also being a malicious device that's controlled from a third party from somewhere else
just seems so 2025, you know?
I bought this $43 projector and something's up.
Yeah, 100%.
The proliferation of Android across all of the cheap electronics that we get these days, and just how plug and play it is to put onto tiny little pieces of hardware. It gives us this control interface, these programming interfaces.
It does so much for the developer, creator, inventors.
But it also has created an ecosystem that they know how to operate within.
It has all of the network functionality.
You could drop a rootkit into an image of Android that then goes onto one million TV boxes
or fire sticks or whatever you want to call them.
Millions, projectors, Wi-Fi nodes, you know, all of the...
I'm looking at my desk and all of the tiny electronic things on it. And I'm like, oh, I wonder if my audio interface control system is Android-based. It probably is. And when you look at the cost of developing a piece of electronics hardware, the Google Mobile Services certification, which is what we mean when we talk about an uncertified versus a certified Android device, is thousands to tens of thousands of dollars per SKU. Each object that you make that you want to have certified by Google to say this is safe, this isn't coming pre-shipped with malware, costs thousands of dollars.
In the context of a product that costs millions of dollars typically to make,
that's a pretty small drop in the bucket.
Totally.
When you're selling a $17 Android box in certain markets,
it makes zero sense to incur that cost.
In a lot of cases,
it's simply a cost-saving measure,
but it also opens this little door
for this whole other track of behavior
that we've been looking at in this series of stories.
Well, I'm going to make a weird comparison here and maybe like a lead into this, but it's, you know, like the end user license agreements
that you have in all software that nobody reads? Yeah. I read those on planes too. Yeah. Of course you do.
I do. I feel like they have developed in society a cause and effect or an action and response of just
hitting the approve button. Like we've just spent money on something. We bought something. We just have
to approve this end user license agreement to use what we've bought.
Yeah.
So we don't really do any investigation.
Like that contract could state any number of things in it.
But nobody really looks into it.
You know, a few key reporters will dig into ones that they think of, you know, might have some issues and things like that.
But in mass, we just hit approve.
Next, continue.
I agree.
Check the check box.
Scroll to the bottom if you have to.
You know, we all know the process of getting past those.
And I think that they've just, that has developed in us a complete... not a disregard for things that might damage us. And buying cheap electronics from a third party in a foreign country that comes shipped stock with default malware installed is something that we just don't even think about. We're like, oh, I want my cheap TV or I want whatever the cheap, cheap product that I'm purchasing delivers me. And we just said, I agree. We scroll to the bottom and we click next.
And I feel like it's the same loop with this. You know, we have no more criticism, critique,
of what we're doing and what we're buying and how we're using it,
we just assume that it's fine and it will be fine.
And I want the convenience and the outcome, and I agree.
In 2019, I signed away power of attorney to a smart toaster.
I don't know if you're joking.
I only know that I'm joking because I've never bought a smart toaster.
There you go.
But I have a lot of electronics that like, who knows what was in that terms of agreement?
I feel you.
Yeah, exactly.
Like I'm looking at five monitors right now and have 12 pieces of software open, every single one of which I've accepted an end-user license agreement for, none of which I've read.
We have an interview to get to, but isn't it great when you buy an electronic product and you turn it on and it starts working?
And there was no like, oh, I didn't have to sign into, I didn't have to create an account in an app and scroll past a bunch of legalese.
It just turned on.
This little field recorder I use for recording audio just turned on out of the box.
It's magical.
But I digress.
In the last year, Badbox has changed.
It has grown significantly.
Badbox 1.0 affected roughly 74,000 devices.
Badbox 2.0.
The one Google is suing over.
The one the FBI has just recently issued a public PSA about,
the one that has spread to 222 countries and territories,
infected conservatively over a million devices.
That's according to HUMAN.
Google's complaint, the lawsuit, alleges more than 10 million uncertified devices involved.
Those are radically different numbers.
It's almost like Google, and we talk about this in the interview,
has access to a much larger surface of information than literally any other body in the world
when it comes to sketchy stuff on the internet.
The point is this thing that HUMAN had done all of this really good work to try and slow down and had made real inroads on is now spreading and is bigger and worse than before.
And I had questions.
So I got on the horn with Gavin Reid over at HUMAN
to just sort of throw those questions at him.
How do you kill something like this?
How does it come back to life?
And are there banger deals in consumer electronic slop
I should be taking advantage of
or should I just assume it's all getting put on to pallets
full of malware?
Like the projector I almost bought was probably one.
For $14.99.
It was $19.99.
I go for the good.
Yeah.
That good good.
You ready to get into it?
Let's go.
Let's do it.
This is VP of Threat Intelligence at HUMAN, Gavin Reid, on this episode of Hacked.
Gavin, thank you so much for taking the time to sit down and talk with me about this.
Jordan, thanks for inviting me. Looking forward to it.
So last year, your colleague, Lindsay Kaye, she's the VP of Threat Intelligence, talked with me on the show about Bad Box.
I was fascinated by the scale of this.
I was also fascinated by the idea that it seemed to be at least part of the answer to the question,
what is the catch with like too good to be true electronics on, say, Amazon or something?
Or maybe too cheap to be good.
And now, a year later, we're here talking about the 2.0 version of the story
because the FBI just warned that Badbox 2.0 had infected over a million consumer devices
across 222 countries.
To start, paint me a picture of this thing at a high level.
What is going on inside of these cheap gadgets?
Things people are plugging into their TVs, things people are logging into their accounts on.
Take me through this at a high level.
Sure.
And, you know, it's, it's interesting because people think sort of like, almost like natively
that maybe there's an issue with buying some really cheap appliance and plugging it
into my home network, right?
They sort of instinctively feel that maybe it's not a good idea, but there hasn't been like a really good or great use case of exactly why that's a bad thing, I think, up until Bad Box.
And of course, you know, Bad Box, we knew with Bad Box the money is still there, even though, you know, we managed to turn down how they were profiting off of Bad Box 1, that the capability, the whole sort of network to do that sort of thing, didn't go away. It's still there, right? So we, you know, we figured they
would be kind of licking their wounds and figuring out some new ways to do, you know, what they
had been so successful in the past. And obviously, you know, concerns being that they would have
learned from what, you know, we used against them the last time and potentially get better about
that. So like, you know, with Bad Box 2, or, you know, as sort of Bad Box 1 came to an end,
there were certain things that we were, you know, didn't necessarily publicize that allowed
us to keep a kind of close view onto what this particular group of threat actors are doing.
And to be clear, you know, we're talking about, you know, a loose network of threat actors
or, you know, they probably call themselves businessmen that are doing this,
but it's not limited to, you know, what we've exposed in Bad Box 2.
So in Bad Box 2, we're, you know, we're looking at some very specific people that were behind,
you know, in profiting off of Bad Box 1.
There are other groups that are doing similar stuff too.
And, you know, this is just one potential network that's doing this.
And, you know, one of the things I like to say about Bad Box 2 is it's bigger and it's badder, right?
If you look at, you know, we had hundreds of thousands in Bad Box 1, which we thought was bad enough, right?
And now we're seeing millions.
And so not only, you know, have they sort of looked and, you know, figured out what they could do better,
how they could be more effective, how they could spread further, how they could avoid detection,
how they could, you know, potentially make, you know, even more money off of what they were doing.
And they've taken advantage of that.
And so as they've come back with Bad Box 2, you know, that you've seen our blog and the various materials about their numbers are much, much stronger.
So, you know, what was, you know, maybe an interesting turn of events in Bad Box 1 and something you'd want to watch suddenly became very mainstream with Bad Box 2.
I want to talk about the scale of Bad Box 2, but very briefly, you alluded to, in the first iteration of this, things that you didn't really publicize.
Is there anything since then that wasn't originally publicized that you can tell us about that first iteration?
Like, you know, what did we keep, what did we keep and not share?
You know, they're just, spill those secrets.
Yeah, I'm not going to, you know, go into the detailed specifics, but understand that, you know, we released, I don't know, maybe like two, three hundred different IOCs of how these guys work and how they set up.
And there were some critical ones you could think of, you know,
like as you maybe trace your way backwards, like from, you know, the end device, right?
That's not so critical to an operation like this.
But as you go further and get closer and closer to, you know,
where these devices are being maintained and, you know, updated from,
then suddenly those IOCs become a lot more interesting.
So kind of work your way inwards,
closer to the threat actor groups. And some of those, you know, we've, we've continued to monitor.
You alluded to this: last year's, you know, Bad Box campaign hit in that low six figures kind of number. This time, kind of at the moment we're talking about this, you're pegging it kind of into the millions. Google's numbers were estimated at around 10 million affected devices. Like, what changed between then and now that this thing has grown so much in size? Yeah, well, you know, a lot changed, and we, you know, I talked sort of briefly about it already,
but they looked at what they got caught up in in Bad Box 1,
and then, of course, got better.
And so let's go into a couple of those things that have allowed them to be,
you know, have a bigger spread.
And first off, let me just comment on, you know,
maybe the numbers difference between Google and ours.
You know, again, Google's painting a broad stroke there of,
Android-based CTV-type activities across multiple different threat actors, many of which are linked
to Bad Box and some of which are not. Also, Google has a much better visibility into, like, we have
a certain level of visibility into this, but Google has a much better one. And as we've done some
sinkholing on the Bad Box 2 domains, now we're starting to see, you know, a much bigger spread
because there are, you know, components of this that we did not necessarily see.
And so we're still seeing, you know, millions of these boxes specifically for Bad Box 2 alone
that are sinkholed at this moment.
But to focus back on, you know, why they were successful.
So like with Bad Box 1, one of the, you know, one of the things that, you know, made them successful
and made it kind of unique is that they had basically embedded the, you know, the malware
at the firmware level at or near the factories.
So that's a strength, right?
Because you can't get rid of it.
But it's also a bit of a weakness
because there was only one way
that they could get infected.
It was through this and, you know,
there was no way to really add to the numbers
once it had left the factory.
And then, you know,
looking into it, there was just one backdoor, Triada. In Bad Box 2,
we have counted hundreds
of different backdoors. So they obviously thought, okay, these guys are looking for Triada.
They're going to find it again if we use it. And so let's diversify. Let's, you know,
diversify in the types of backdoors that we put in. And so a lot of them are really,
you know, there could be backdoors that are campaign specific. So they were, you know,
targeting a particular group, country, geography, you name it. And there's some like slight
differences in that back door than in another backdoor. Majority of the stuff's the same,
but there are some slight differences. So,
having that diversity of backdoors is one way that they achieved that. But, you know, the bigger thing,
as far as that goes, is the fact that as they were, as they were creating Bad Box 2, they thought,
like, you know, we had all these, you know, we had this firmware installation, and it had hard-coded IP addresses,
and so they could, you know, just sinkhole those, and it would go away. And so, you know, what they decided to do is that they would, you know, they would continue
with that pre-installation backdoor. It was successful. They'd continue to do that. But then they'd have
some that weren't really backdoored, but as soon as you plug them in, they would reach out to a C2
and download, you know, the backdoor. So they had another way of, you know, constantly reaching out
to making sure that if they wanted to update, like a different IP address or a different backdoor,
different module, they could do that. So they just had these boxes that weren't factory, you know, they didn't have the malware, they didn't have the backdoor,
but they did have a call out to a particular C2 who would download that and put it on the system,
which they controlled, right?
So if we knew about one of them, they could potentially go to another one.
And then lastly, and probably most importantly, is they did this sort of bundling that backdoor
into third-party or unofficial app stores.
And so they could do, you know, the way that, you know, people typically,
get malware through things like drive-by downloads or they're enticed to, you know, download something
or, you know, it's some kid and they're, you know, they want to get, you know, Roblox money or whatever, and they click on something. And there's a game and you have to play it and you
have to download it. Well, guess what? That came with Badbox on it. So they, they, you know,
diversified their, you know, backdoors and then they diversified the way that they got those
backdoors onto platform. So that, you know, they, you know, they were looking at two sort of critical
ways that we could stop them so quickly last time to make sure that that wouldn't be the case
this time. I want to talk about that kind of moment when you sinkholed the operation in a second,
but first, you made reference to the fact that broadly speaking, this compromise starts on
the factory floor. These devices are being shipped with this compromise and that that's both
like a strength and a limitation of this. I want to understand the moment for you and the team, like what was the moment when you all first realized these devices are shipping pre-compromised?
Was there like a smoking gun?
Did you just order one?
Plug it in and go, yep, that shipped pre-compromised.
What was that moment like for you in the team?
So, you know, it'll have to go back to bad box one.
But certainly, you know, we suspected that.
And so then what we did is we started to buy these from all over the place, from brick and mortars, you know, online, just sort of around where we could. And then, yeah, we were seeing these coming shrink-wrapped. You know, it looked like, you know, from the factory. And so that was, you know, a pretty clear indication that what we thought was happening was happening.
But then I think, like, the real sort of aha moment came when we ordered and got some telephones.
They were also shrink-wrapped from the vendor involved.
And those came pre-baked with them.
So at that point, like, you know, there could be a lot of things that happen, you know, between a retailer that's, you know, shipping lots of different products.
But when you start looking at, you know, phone manufacturers and their relationships with particular carriers and stuff, and, you know, that seems a lot more likely that it is coming directly from the factory with no knowledge of anyone in the in between there.
So. And that was pretty cool.
That was, it was cool and it was scary at the same time because we were like, okay, how deep does this go at this point?
Like, you know, and we were looking and I still look at these as kind of like, they're like sleeper cells.
They, you know, they sit there, they sit on your network.
I've been, I've been working, you know, with one here, you know, at my house, obviously with a bunch of controls in place.
And it does some really scary stuff.
You know, there's things that it does that I'm like, man, I, you know, I want to,
I'm going to be real sure about my VPN and all of the guardrails I have in place because this is not good.
I'm curious, just very briefly, like we've talked about a few of them, you know, TV, Android TV set-top boxes, some phones.
Are there any other kind of devices that we're talking about here?
I saw projectors and some of the materials, like any other, you know, types of devices?
Yeah, I mean, you know, there's a, there's a, and that's another thing, they broadened out the types of devices that they're using for,
for Bad Box 2 to have more success.
And, you know, like one of the, you know,
we see tons of these tiny little TV mini sticks.
So they're, you know, Android open source operating system
running on a thumb drive, basically,
that you can buy for almost nothing.
So we've seen a bunch of different types of those.
You know, again, we've seen a bunch of tablets.
You know, we've seen a bunch of different generic Android phones
that have this on. We've seen, you know, multiple, you know, tens, if not hundreds of different CTV boxes. And then kind of one of the more interesting ones for me is these Android car systems, you know, and I put one of these in my partner's car the other day. And it's, you know,
it's if you, you know, your nav systems old or you want a new one and you don't want to have to
pay a lot of money for it, you can go buy, it's basically a tablet. And it has, you know, it has,
like Apple TV, or sorry, Apple, you know, the Connect and an Android Connect, all sort of running
in the, you know, in the auspices of the Android open-source operating system.
And then you can do things like, you know, have maps and all the rest.
And we saw a bunch of those that were compromised too, which is, you know, again, just
shows that they were casting a very, very wide net with the understanding that the more, you know,
if you start, you know, as we start getting into, you know, what they do to monetize this, one of the ways that they can monetize it is if they can have a really broad net
dispersed all over the world and they don't have to use one box for very long. They can spend
a little bit of time on every box and then keep the reputation of those boxes high in, you know,
groups that track, say, IP or other reputation so that when they come to do whatever they're going
to do on a website, they look like a consumer. I got dangerously close to
buying a suspiciously cheap projector last year when I remembered, ah, there is a too good to be true
in all of this. And I'm glad I did. So you start testing these devices. You're noticing that
they're calling back to some, they're calling back somewhere. I want to talk about the moment you
start sinkholing the operation, redirecting all the traffic. When you see where these things are calling
back to, what did that traffic tell you about how widespread this really was? What did you learn from that
part of the process? So yeah, I mean, before we started sinkholing them, we knew, you know,
we could see through network analysis where they were calling in. We could see through, you know,
reverse engineering, you know, the payloads, sort of where they were calling in. And there was a
certain commonality. And I forget, Bad Box 2, I think we had like about 150 command and controls, you know, some of the, each of them doing to some degree different things. So we had a really good
idea of, you know, where they were calling in, where they were being controlled from,
but we didn't necessarily know how many devices were calling in. And so when we, when, I should say we, when the Shadowserver Foundation, you know, working, working with us and working with Google started to sinkhole those command and controls, then we just saw all these devices that were, you know, constantly calling in, looking for new instructions, you know, from the bad guys, now calling into those sinkholes. So, and the sinkholing bit, you know, that was sort of at the very
end. We did that, you know, really, you know, it was right about when we released our public blog
because we didn't want to, you know, we, we were pretty sure that we had a handle on exactly what was going on with that and what was going to happen post-sinkholing, but we didn't want to give the threat actors any sort of, you know, look into, hey, this is going to be mitigated soon. So maybe it's a good time to try and change things around so that they can escape or update these boxes so that they aren't as dependent on the sinkholed C2s that they ended up being.
So you didn't want to give them any heads up on that.
So this is really, it was kind of like the last action that happened at the very end of, you know, over a year of investigation and working with various teams, various groups, including law enforcement on, you know, how can we better get an understanding of the scope and who's involved and what can
we do next to make it hard for them to continue to make money?
I mean, you set it up pretty nicely there who's involved.
What have you learned about who is behind all of this?
Yeah, so there, you know, there's a number of this same kind of threat actor groups that
were behind Bad Box one.
And, you know, we've named them the SalesTracker group and, you know, they're the sort of original Bad Box campaign. We named them after a SalesTracker string that we found in their network data.
And then there's what we're calling the Moyu Group, and they are, they've bundled a, you know,
a whole bunch of these apps through the unofficial marketplace, and they sell a residential proxy
service called IPMoyu.
So we called them the Moyu group.
And then there is the Lemon Group, which is a group that was found initially by our friends and our colleagues at Trend, and they're a Chinese-based threat actor group
that were involved in Badbox,
and they're selling residential proxy service,
and they're heavily connected in Bad Box 2 to the ad fraud scheme that was based on a series of HTML5 game websites, sort of cash-out places.
And then, you know, lastly, we saw the same infrastructure
being used by a Malaysian group called Long TV,
and they were, you know, part of, you know, they have branded devices and, you know, we don't know how, obviously, you know, how detailed their knowledge is of the misuse, if there's services being misused or if they're part of it, but they're actually a legitimate provider of connected TV services in Malaysia.
You made reference to the residential proxy network, which I think is, I'm not sure if that's new from Bad Box 1 to Bad Box 2, but I found that concept particularly unsettling, this idea that, you know, your home internet connection is, in a sense, for sale to criminal networks.
For anyone that doesn't know, like, what is a residential proxy network?
And why is that valuable compared to, say, older bot nets that you would have maybe seen?
Yeah.
So let's start with what residential proxies are, because they're, you know, actually a bane to my existence.
But what it is is there's folks that have managed to take over the networks of, you know, people, you know, people like you and I, you know, in their home network,
and then have them open up for being able to proxy, you know, almost like a VPN, other networks in,
so they can use your network as an endpoint. So if they were going to say, you know, Netflix
and watch a movie, they would be coming through, you know, your network and they would be,
you know, showing themselves to Netflix as you, right? So Netflix would think, oh, this isn't,
you know, some, you know, miscreant.
This is a user in the United States,
and we should present him with the United States material.
And in that kind of lies what the bad guys are using this for,
because folks that are using this for things like, you know,
account takeover, you know, they're using it, you know, for phishing.
They're using it for, you know, any of the sort of cybercrime activities you can think.
If it's coming from a network, if it's coming from a home,
if it's coming from an IP address where, you know, 99 to 100% of all the traffic is normal, right? All the traffic at my, you know, hopefully
all the traffic in my network is normal, you know, people watching movies, buying stuff,
going on the internet, sending email. And then suddenly it makes one or two transactions that
are abnormal. Often that escapes detection from, you know, the systems in front of these other
systems that are used to protect them and to stop them. So in other words, if you came from
say, you know, if you were coming from a cloud server like Alibaba in China, you'll probably
get blocked or they would have very low trust. Whereas if you're coming from a residence in Ohio
and everything he's always done, he or she's always done has been sort of residential-related
traffic, there's a good chance you'll kind of escape the radar, so to speak. And so, and having a
really broad spread, or having these residential proxy networks that have thousands and thousands,
you know, hundreds of thousands of nodes allows them to persist, you know, and just do like a couple of
transactions, say, off of my iPhone, and then a couple of transactions, you know, off of someone else's,
you know, connected TV device, and then a couple of transactions off another device in a different,
you know, state or, you know, country even. And it allows them to abuse these networks in a way that's
highly effective in sort of gaining access to what they're hoping to gain access to.
And so this has become a huge stepping stone for the criminals.
And, of course, you know, who made money in the gold rush, right?
It's people selling, you know, shovels.
The same way selling residential proxy services to the bad guys that are doing, you know,
initial access or ransomware or whatever has become a huge business.
And this is one of the biggest ways.
And one of the biggest differences between Bad Box 1 and Bad Box 2 is how they monetize
through proxy services.
Now, sorry, residential proxy,
illegal residential proxy services.
Now with Badbox 1, we saw modules for proxy service,
but we didn't actually ever see them being implemented.
So I think that was probably a next step
that they were going to do,
and they just never got around or never had time to do it.
With Bad Box 2, this was a huge part,
even bigger than the ad campaign stuff that they were doing.
And as in the middle of when Bad Box was fully operating, you know, we were watching on many,
many nodes that we had in our labs to see what was going on.
And it was like, it was really scary because we had visibility into almost any threat or crime
that you would see.
Like we would see these things talked about, you know, in the press.
And we would go and look and say, oh, yeah, here we go.
We've actually got visibility into that because these threat actors are using this
and they're using the fact that there's so much misuse of these residential proxies.
It's really, even for the threat actors,
they can hide amongst a bunch of other threat actors doing bad things.
And it's really hard to trace that back to them.
Yeah, I remember in BADBOX 1, it seemed like it was fundamentally a story about ad fraud.
It's like, let's get this device on your network, and it's going to pipe a bunch of traffic towards a bunch of fake sites running real ads and, you know,
sort of just juice money out of the giant ecosystem that is internet advertising.
Is that still part of BADBOX 2, or did they sort of move on to these new tricks?
No, absolutely. They did programmatic ad fraud, you know, these were hidden ads, you know, and they're rendered without anyone being able to see them. So they're going on on your phone or on your tablet and you don't see them. It's not like it's an ad that shows up. You don't even know it's there. You know, you may not even be using your device at the time. So there was that, and then there was the hidden WebViews thing that we were talking about, which was in the H5 game sites.
So there are a bunch of these, you know, games. And what you do, if you actually went as a
real user to one of these HTML game sites and tried to play the games, it's, they're like
unplayable. There's so many ads going through them all the time. There really is no, there's no human
players on this. What they're doing is just getting, you know, they're selling this ad space and
pretending like humans are using it, and they're being manipulated by, you know, BADBOX 2, in order to, you know,
generate hits. And then another thing that we saw that was kind of a step up from what we saw in
BADBOX 1 with ad fraud is click fraud. And so, you know, if you have an ad and it shows up,
right, while you're browsing the web, you know, you might get 10 cents or a dollar or whatever,
you know, that's a low amount of money. But now if you click on that ad, suddenly the dollar
amount that you spend, you know, goes up exponentially so they can, you know, steal a lot more money.
And so what they did is they had modules inside that were not only, you know, going, you know, to, you know, display these ads, but actually going and clicking on them as if they were a user interested in buying said service.
So, and thus putting the price up for the advertisers that are ending up paying for that.
So, yeah, it was, you know, it was definitely a part of it.
But, you know, it was one that, you know, obviously we're very well aware of and very well equipped
to shut down, and I think they knew
that there's a good chance that that
wouldn't survive and so they
really spent a lot of time
and put a lot of development into
their proxy services which were much, much
harder to shut down. This is another
aside that I will almost certainly need
to cut out.
But a few years ago I was working on like a
multiplayer online game
and we got a little bit of transparency into
some of the other titles that were part of a
network that was part of a network that was part of a thing
we were part of. And
I remember looking at the amount of traffic that was flowing through this game that I'd never heard of and it was astonishing.
And then we were looking at it and the amount of like data basically that it was taking like it was as though I was running a speed test anytime I was we had this game open in a browser.
It was just an insane amount of traffic.
And it was this weird thing where you're like I don't quite know what shape of sketchy this is.
But I can tell something isn't right here.
Something's not right.
I hear one of these stories and it just takes me back to that moment.
I'm like,
I think maybe I'm starting to get what was going on there with that weird,
sketchy browser game.
And I'll tell you, with BADBOX 1,
that was the initial sort of verification that we had.
If you were a BADBOX 1,
there were three apps.
I forget the names of the apps,
but three apps in particular.
And if like 98% of your traffic was coming from those three apps,
you were BADBOX.
There was no, like,
there was no other, you know,
it was really,
and so that's how we like,
initially found, you know, a lot of, you know, or did a very quick test to see if a box
was a BADBOX without having to, you know, decompile anything or reverse engineer anything.
We could just tell if those three boxes were saturating your network link or those
three apps were saturating your network link and nothing else was even coming close.
Then you were BADBOXed.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this runs on their secure operations graph,
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries
human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model
entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision
reflects your environment instead of generic assumptions. The automation frees your concierge security
team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready
AI and security operations actually look like, go to arcticwolf.com/hacked.
Never feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their
head. Organizations around the world saw headlines they never expected and cybersecurity
teams were tested like never before, but here's the thing. These incidents aren't just
news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live
webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and security
leaders are going to unpack not just what happened, but why these attacks succeeded. And most
importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk
away with real insights into how threat actors are evolving, how defenders are responding, and what
strategies can help you stay ahead of the next big breach. It's not fear-mongering. It's practical
intelligence from experts in the trenches.
Register now at arcticwolf.com/hacked.
Okay, so I want to zoom in a little bit on the disruption.
So you were part of this disruption that took up parts of this infrastructure,
cut off some of this ad revenue that was coming into this scheme.
Take me through that.
How do you go about disrupting something like this?
How do you even like measure success when you're fighting something that can respond so
quickly?
Help me understand that disruption.
Well, you know, on the ad fraud side, it's, you know, we have a lot of
visibility into that. A lot of the ad, you know, a lot of the ad revenue, a lot of the ad companies,
a lot of that traffic flows through human security. And so it's very easy for us to create cool little
graphs. And if you look at the blog, you can find some. But, you know, what, you know, and we're,
you know, this is our bread and butter. We look for, you know, ways that threat actors are disrupting,
you know, the advertising economy. And then we come up with cool, you know, sort of, uh, uh,
you know, cool ways, algorithmic ways, that we can shut those down.
So in other words, you know, we're not just shutting down, you know, one specific, you know,
ad or type of technique that we see, you know, work on something that even, you know,
when the threat actors change things around a lot, we'll still be able to detect it and get
that shut down.
And so that's, that's real easy for us to see.
And then at the same time working with our partners, like, you know, we did this ourselves
and Google did a lot.
They removed or blocked publisher accounts that were tied to BADBOX 2.
And, you know, that was a huge help.
So the ad fraud side, you know, is, you know, went and it came and went pretty quickly.
That wasn't, you know, too hard to do.
And, you know, and Google's, you know, been really good about sort of emphasizing, you know,
that non-Play Protect devices do have weak, you know, defenses,
and you should get, you know, one of these Play Protect Android devices if you want to put it on your network, if you buy these devices.
So there's been, you know, a lot of kind of user education around that as well.
And I think, you know, the FBI's alert sort of helped with that as well.
But where, you know, where the harder stuff to do was in the residential proxy area, because, you know, they're not monetizing through advertising, you know, and we're not able
to, you know, if one threat actor wants to pay another threat actor, you know, there's
no person in that line that can easily, you know, stop that from happening.
So we had to take some different approaches for that.
Google, I mean, you brought them up, has now filed a lawsuit naming,
I think it was Does, as in John Does 1 through 25, 25 different, like, groups, people.
Realistically, like how does legal action and things like domain seizure slow down
groups like this who might be operating overseas, you know,
at the start of this supply chain.
Yeah. So, you know, if you're looking at the proxy services, which were, you know,
what was left to monetize through BADBOX 2, the only way of shutting them down was taking
down some of the known command and control. So we would trace back, you know, we would join, you know,
these residential proxy networks and we'd find out where they were being commanded from.
And so, you know, getting the correct legal things in place so that we can sinkhole those
command and controls is instrumental in being able to do this. You know, Google took a big,
big risk in doing that, and I commend them for doing it. And hopefully it'll be a model that we see,
you know, other groups, other companies taking responsibility for cleaning things up like they did.
So a lot of kudos to them. You know, the thing that really interests me about this one is like,
it's a, it's a tech story and it's a fascinating story about like cheap gizmos, but it feels like
it's fundamentally a story about like global supply chains. You've got a device leaving a factory
in one part of the world. It's already compromised by the time it gets shrink-wrapped.
You know, how much of this comes back to that start of the supply chain, which I think in
this particular case happens to be in China, you know, how much of this really starts there
ends there, you know, what should we understand about that? Yeah, well, there's, you know, we,
we make no, you know, we're pretty open about, you know, the folks behind this. We have traced back
to Chinese business entities inside of China.
You know, they're interested and they continue to make good money off of doing things like this.
So, you know, what's to stop them from continuing to do that?
You know, what's an area that we haven't really talked about that's as important?
So it doesn't really matter per se that they were, you know, shrink-wrapped, you know, at the factory
or if they get, you know, impacted later, the end result is the same.
But the bit that we hadn't talked about is like, well, why do people buy these devices anyway?
And I want to just go into that a little bit.
Like we saw, I think it was like, you know, 37% or something like that of these devices we saw in Brazil.
And so we started, you know, we talked to law enforcement in Brazil and we started looking into, you know, what are these devices and why are they, you know, are these just people, you know, or they're buying them because, you know, you'd think they're buying them
because they're cheap and, you know,
people don't have maybe as much money in Brazil.
And so that's why they're popular.
And to some degree, that's true.
But as we started looking into it,
we found that these devices were mostly being resold through people that were selling
basically pirated streaming services on top of them.
And so you could buy a box from, you know, particular vendor.
And that box you'd plug in and it would give you like Sky TV and Netflix and
HBO Max and, you know, all the sports channels and stuff.
And you would pay a bit up front for it and it would, you know, last for a certain time.
And, you know, there may have been, you know, monthly or yearly payments to update it if it stopped working.
But in reality, the, you know, the part of the supply chain that was being hacked here was the human supply chain, right?
And it's how do, you know, people, you know, potentially in, you know, countries with, you know, with, you know, lower pay rates,
how do they get access to all of the streaming media that they want to get access to?
And so there's a gap being filled there, you know, by criminals.
And I don't think the criminals in Brazil really understood that these things were
already compromised before they added their overlay to it, nor did they, would they really
care all that much, right?
It's, you know, so there, you know, so there's like multiple, multiple different levels of
kind of weird, bad things going on.
And I think that's also allowed people to, you know, buy these and say, okay, well, there may be some weird stuff on here, but it's worth it because I'm, you know, I get to watch the Premier League all the time and I don't have to pay for it.
So there, you know, there's like a huge, there's a couple of supply chain links, not the least of which is why do people want to buy these devices in the first place?
Yeah.
I'm struck by there's a, this is, there's a product for sale right now.
It's a television that has a small monitor under it that plays out
ads all the time. And it's this kind of bargain you make with the manufacturer of like,
do I want to basically free television in exchange for having ads piped into my home?
And in a weird way, it feels almost like you could imagine a consumer base for these products
that almost accepts the bargain. They're like, you know what? This thing is so cheap.
I will accept that sometimes my network might get used in some sort of amorphous, hard to understand
cybercrime scheme off somewhere else.
Or this projector is so unfathomably cheap.
I'll never connect it to my Wi-Fi.
I'll never log into an app.
I'll just HDMI something into it.
Is there, is there a bargain here for some people?
Or is this thing just so toxically dangerous?
It's like bringing a landmine into your house.
So like I can see that, like you think of, you know, the, what was it, the Amazon
Kindle?
You can get one with ads, right?
Or without ads.
It was cheaper with ads.
Well, you made that bargain and said, I'm okay,
or, you know, you can get whatever, watch Prime Video when it comes with ads or not.
But that's all it comes with.
What I'm, you know, with BADBOX, you don't know what it's coming with.
You could be front-ending, you know, a pornography site that people go to your IP address at your house.
Like, there's bad stuff that you probably, like, I think if, you know, people understand,
like in your, in your house, let's say your backyard, you don't want to make it available for people to deal drugs and
stab people, right? They would, people would draw the line there, but they haven't had that same
experience with the crime that happens in, in the cyber realm. And so they're prepared to turn
a blind eye or just, you know, perhaps, you know, wish or hope it's not happening or just
not really understanding what the impact is. You know, for me, I, you know, live in this, have lived
in this world for the past couple of decades. And I can, I can see this, you know, turning out really badly
for people that even if they're, you know, unknowingly doing this, and I don't want to take the
risk. And I think until people realize that there's a risk involved in doing that, that this is going
to be ripe for exploitation, and I think the further you get away from, you know, the more, you know,
first world setups, the harder it's going to be. You know, I grew up, went to school in South Africa,
and people don't care as much there about some cybercrime happening because there's real world crime happening.
They think cyber crime is kind of a joke.
It's not a big issue.
And so until, you know, the human sort of concept around some of these crimes changes, I think it's going to be ripe for exploitation.
Gavin, I've taken up a lot of your time; you've been very generous with it.
To wrap up, you know, I spoke with a member of your team about a year ago, about about
BADBOX 1.0. I didn't know it was 1.0 at the time, but here we are. Now we're here talking about
BADBOX 2.0. Do you expect a BADBOX 3.0? And if so, like, what does it take to stop that cycle
before this explodes again? Yeah. So the only thing that would stop a BADBOX 3.0 is if this wasn't
available to make money from. And I'm telling you now, it's still available to make money from.
And so, yes, we're expecting, you know, new devices.
We're expecting new techniques and new consequences and new targets.
And we're paying very close attention to that.
Gavin, appreciate you taking the time.
It was really fun.
It was good chatting with you.
