February 6, 2026
The article says the operators of the Kimwolf botnet (a malware network that has infected 2+ million devices) appear to have gained unauthorized access to the control panel of BadBox 2.0, a much larger botnet that is often preinstalled on uncertified Android TV streaming boxes. A source shared a screenshot of the BadBox 2.0 admin panel showing seven authorized users, plus a suspicious extra account (“ABCD”) that the source claims belongs to “Dort,” one of Kimwolf’s administrators. Krebs notes he was initially skeptical, but the email addresses shown in that panel provided enough breadcrumbs to investigate who might actually run BadBox 2.0.
Krebs then “pivots” on those email addresses using OSINT and breach-intel services and finds links to specific people and China-based companies and domains previously flagged as part of the BadBox 2.0 ecosystem. One key trail ties a panel user email to “cathead@gmail.com,” which appears associated with Chen Daihai, whose name shows up in historical domain registration records and archived corporate contact pages connected to BadBox-linked infrastructure; another points to Zhu Zhiyu (with “xavier”-style emails) connected to the same cluster. The “admin” account email is also linked, via domain records and phone-number pivots, to a person named Guilin Huang. Why this matters in practice: if Kimwolf really can access BadBox 2.0’s panel, it could potentially push Kimwolf malware directly to BadBox-infected devices (bypassing recent fixes that some proxy providers and lawmakers have made), dramatically boosting Kimwolf’s ability to spread inside home and small-office networks.
Source: https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/