Criminals steal billions from TV advertising through infected streaming devices

FBI warns 10 million compromised TV boxes generate fake ad views costing advertisers $50 billion annually.

BADBOX 2.0 botnet investigation reveals 10M infected TV streaming devices used for $50B ad fraud scheme

The Federal Bureau of Investigation issued an urgent warning on June 5, 2025, about a massive cybercrime operation called BADBOX 2.0. This criminal network has infected millions of smart home devices around the world, turning them into weapons for online fraud without their owners knowing.

Think of it like this: criminals have secretly taken control of devices in people's homes - their streaming TV boxes, digital picture frames, and car entertainment systems - and are using them to steal money and commit crimes. The owners have no idea their devices are being used this way.

According to the FBI, BADBOX 2.0 affects "TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products." Most of these infected devices were manufactured in China and shipped worldwide. The criminals either install malicious software before people buy the devices, or they trick the devices into downloading harmful apps during setup.

Summary

Who: The Federal Bureau of Investigation, German Federal Office for Information Security (BSI), multiple international cybercriminal groups including SalesTracker Group, MoYu Group, Lemon Group, and Malaysian company LongTV, affecting millions of consumers worldwide who unknowingly purchased infected devices.

What: BADBOX 2.0 botnet operation compromising over 10 million Internet of Things devices including TV streaming boxes, digital projectors, vehicle infotainment systems, and digital picture frames to conduct large-scale advertising fraud, operate residential proxy services for other criminals, steal personal data, and facilitate various other criminal activities including account takeovers and identity theft.

When: The criminal operation evolved from the original BADBOX campaign disrupted in 2024, with BADBOX 2.0 discovered and investigated throughout 2024 and 2025, leading to major law enforcement and industry disruption efforts between December 2024 and July 2025.

Where: Infected devices manufactured primarily in China and distributed globally through unofficial channels, with highest concentrations in Brazil (over one-third of infected devices), followed by United States, Mexico, Argentina, and Colombia, but affecting consumers in 222 countries and territories worldwide.

Why: Cybercriminals created this massive operation to generate substantial illegal revenue through multiple fraud schemes: advertising fraud worth billions annually, residential proxy services sold for $13.64 per 5GB to other criminals, data theft for identity crimes, and facilitating other criminal activities while remaining hidden from device owners and law enforcement through sophisticated technical methods and international coordination.

What makes BADBOX 2.0 so dangerous

BADBOX 2.0 is actually the second version of this criminal operation. The FBI explained that "BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024." The first BADBOX operation was found in 2023 and mainly targeted Android devices that came with harmful software already installed.

But BADBOX 2.0 is much worse. It can infect devices in two ways: either the harmful software comes pre-installed, or it tricks people into downloading bad apps from fake app stores. This makes it much harder to stop and affects many more devices.

The scale of this operation is staggering. Research conducted by HUMAN Security, a cybersecurity company, working with Google, Trend Micro, and other security firms, found that "BADBOX 2.0 compromised over 10 million uncertified devices running Android's open-source software." To put that in perspective, that's more devices than the entire population of many countries.

The criminals have created what experts call a "botnet" - a network of infected devices they can control remotely. The FBI said this botnet "maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity."

How the criminals make money

The BADBOX 2.0 operation isn't just about causing chaos - it's a sophisticated money-making scheme. The criminals use infected devices to commit several types of fraud:

Advertising fraud: The infected devices pretend to be real people browsing websites and clicking on ads. Companies pay for these fake clicks, losing billions of dollars. At its peak, the hidden ad fraud part of BADBOX 2.0 generated 5 billion fake ad requests per week.

Residential proxy services: The criminals sell access to people's internet connections without their permission. Other criminals buy this access for $13.64 per 5 gigabytes of data to hide their location when committing crimes online.

Account takeovers: Using people's internet connections, criminals can break into online accounts, steal personal information, and commit identity theft.

Click fraud: The infected devices automatically visit low-quality websites and click on ads, generating money for the criminals while wasting advertisers' budgets.

Data theft: The devices can steal personal information from the networks they're connected to, including passwords and financial information.

The global impact

This isn't just an American problem. Germany's Federal Office for Information Security (BSI) announced on December 12, 2024, that they had to take emergency action to protect up to 30,000 infected devices in their country. BSI President Claudia Plattner said, "Malware on internet-capable products is unfortunately not a rare phenomenon. Outdated firmware versions pose a tremendous risk."

The geographic spread is massive. More than one-third of infected devices are in Brazil, followed by the United States, Mexico, Argentina, and Colombia. But researchers found infected devices in 222 countries and territories worldwide - that's almost every country on Earth.

The criminal organization behind BADBOX 2.0

Security researchers discovered that BADBOX 2.0 isn't run by just one criminal group. Instead, it's a collaboration between four different criminal organizations, each with their own specialty:

SalesTracker Group: These are the main organizers. They set up the computer servers that control the infected devices and coordinate with the other criminal groups.

MoYu Group: This group creates the malicious software and manages the infected devices. They also run the residential proxy services, advertising on websites with names like "IpMoYu" to sell access to people's internet connections.

Lemon Group: A Chinese criminal organization that specializes in creating fake websites that look like games but are actually designed to generate fake advertising revenue.

LongTV: A Malaysian company that makes legitimate TV devices and apps, but some of their apps were modified to include the criminal software.

What makes this particularly dangerous is how these groups work together. They share computer servers, coordinate their attacks, and even have business relationships with each other. It's like a criminal corporation with different departments.

How the malware works

The technical details of how BADBOX 2.0 works are complex, but here's a simple explanation:

When someone first turns on an infected device, it secretly contacts a criminal-controlled computer server and downloads a file. This file installs itself deep in the device's system, where it's very hard to detect or remove. The malware calls itself "BB2DOOR" - essentially a secret back door that gives criminals permanent access to the device.

Once installed, the malware can download additional criminal software depending on what the criminals want to do. It might download software to generate fake ad clicks, steal data, or turn the device into a proxy server.

The infected devices targeted include:

  • TV streaming boxes (the small devices people connect to their TVs to watch Netflix, etc.)
  • Tablets
  • Digital projectors
  • Car entertainment systems that people install aftermarket
  • Digital picture frames
  • Various other Android-based devices

Security researchers found a list of specific device models on the criminals' servers, including brands like X96, TV98, GameBox, and many others. Most are "off-brand" devices - cheaper alternatives to name-brand products that often lack proper security features.

Warning signs your device might be infected

The FBI provided several warning signs that might indicate a device is infected with BADBOX 2.0:

Suspicious app stores: If your device asks you to download apps from stores you don't recognize, that's a red flag.

Disabling security: If the device asks you to turn off Google Play Protect or other security features, don't do it.

"Unlocked" streaming devices: Devices advertised as "unlocked" or capable of accessing "free content" are often too good to be true.

Unknown brands: Devices from brands you've never heard of, especially if they're much cheaper than similar products from known companies.

Unusual internet activity: If your internet connection seems slower than usual or you notice strange activity on your network.

Uncertified Android devices: Devices that aren't "Play Protect certified" lack Google's security protections.

Government and industry response

The scale of BADBOX 2.0 prompted action from governments and major technology companies around the world.

Google filed a lawsuit on July 17, 2025, in New York federal court against the criminals behind BADBOX 2.0. The company stated, "While these actions kept our users and partners safe, this lawsuit enables us to further dismantle the criminal operation behind the botnet, cutting off their ability to commit more crime and fraud."

Google also updated its security systems. Google Play Protect, which is built into Android devices, now automatically warns users and blocks apps known to be associated with BADBOX 2.0.

The FBI worked with international partners including Google, Human Security, Trend Micro, and the Shadowserver Foundation to investigate and disrupt the operation. This kind of international cooperation is essential because cybercriminals operate across borders.

Impact on the advertising industry

The BADBOX 2.0 operation has had a massive impact on digital advertising. When criminals use infected devices to generate fake ad clicks and views, they're essentially stealing money from companies that pay for advertising.

According to the World Federation of Advertisers, ad fraud is likely to exceed $50 billion globally this year. That makes it the second-largest source of income for organized crime, after only the illegal drug trade.

Major companies that were affected include Procter & Gamble, Hershey's, IBM, T-Mobile, and JPMorgan Chase. Even government agencies like the U.S. Postal Service, Department of Veterans Affairs, and Centers for Disease Control were victims.

This connects to broader problems in the advertising industry. Recent investigations have shown that the companies advertisers pay to detect and block fake traffic often fail to catch sophisticated fraud operations like BADBOX 2.0.

The problem is so severe that some major verification companies are facing lawsuits. DoubleVerify, one of the largest ad verification companies, faces a class action lawsuit alleging that their systems routinely fail to detect bot traffic, even when the bots identify themselves as fake.

The fake website network

One of the most sophisticated parts of BADBOX 2.0 was its network of fake websites designed to look like legitimate gaming sites. Researchers found nearly 1,000 of these fake websites.

Here's how it worked: The infected devices would secretly open hidden web browsers and visit these fake gaming websites. The websites would show ads every few seconds - far more than any real person could tolerate. But since no real person was actually using these sites, the frequent ads didn't matter.

The criminals made these fake gaming sites look realistic, but they were designed to be unusable by real people. Games would be interrupted by ads every few seconds, making them impossible to play. This was a clear sign that the sites were designed for bots, not humans.

The criminals also created fake versions of real websites. They registered domain names like "espn24.co.uk" and "nbcsportz.com" to trick advertising systems into thinking they were legitimate news and sports websites.
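The tell described above, ads served every few seconds to a "visitor" that never leaves, is exactly what an ad-verification pipeline can score on. The following is an added illustration, not code from the article or from any of the verification companies it names: it reads constructed impression-log lines (unix time, session id, site, event; the layout and the 5-second threshold are assumptions), computes the median gap between impressions per session, flags sessions whose sustained cadence no human would tolerate, and then lists sites where nearly every judged session is flagged, the signature of a publisher built for bots rather than people.

```python
"""Flag ad-impression sessions whose cadence no human viewer would tolerate.

Added illustration, not code from the article or from any verification vendor.
The log lines are constructed; the field layout (unix time, session id, site,
event) and the 5-second threshold are assumptions for the example.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: two bot sessions hammering a fake gaming site every 2-3 seconds,
# and one human session with impressions roughly a minute apart.
SAMPLE_LOG = """\
1700000000,sess-bot-1,game-site-A.example,impression
1700000003,sess-bot-1,game-site-A.example,impression
1700000006,sess-bot-1,game-site-A.example,impression
1700000009,sess-bot-1,game-site-A.example,impression
1700000012,sess-bot-1,game-site-A.example,impression
1700000015,sess-bot-1,game-site-A.example,impression
1700000000,sess-human-1,news-site.example,pageview
1700000040,sess-human-1,news-site.example,impression
1700000100,sess-human-1,news-site.example,impression
1700000170,sess-human-1,news-site.example,impression
1700000005,sess-bot-2,game-site-A.example,impression
1700000007,sess-bot-2,game-site-A.example,impression
1700000009,sess-bot-2,game-site-A.example,impression
1700000011,sess-bot-2,game-site-A.example,impression
"""

MIN_HUMAN_GAP_SECONDS = 5.0   # assumed: sustained gaps below this look automated
MIN_IMPRESSIONS = 4           # need a few impressions before judging cadence


def parse_log(text):
    """Return {session_id: (site, sorted impression timestamps)}."""
    site_of = {}
    times = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sess, site, event = line.split(",")
        site_of[sess] = site
        if event == "impression":
            times[sess].append(int(ts))
    return {s: (site_of[s], sorted(t)) for s, t in times.items()}


def classify_sessions(text):
    """Return {session_id: {"site", "impressions", "median_gap", "ivt"}}."""
    out = {}
    for sess, (site, ts) in parse_log(text).items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = median(gaps) if gaps else None
        ivt = len(ts) >= MIN_IMPRESSIONS and med is not None and med < MIN_HUMAN_GAP_SECONDS
        out[sess] = {"site": site, "impressions": len(ts), "median_gap": med, "ivt": ivt}
    return out


def suspicious_sites(text, min_ivt_share=0.8):
    """Sites where at least min_ivt_share of judged sessions are IVT: candidate fake publishers."""
    per_site = defaultdict(lambda: [0, 0])   # site -> [flagged, judged]
    for info in classify_sessions(text).values():
        if info["impressions"] >= MIN_IMPRESSIONS:
            per_site[info["site"]][1] += 1
            if info["ivt"]:
                per_site[info["site"]][0] += 1
    return sorted(site for site, (bad, total) in per_site.items()
                  if total and bad / total >= min_ivt_share)


if __name__ == "__main__":
    for sess, info in classify_sessions(SAMPLE_LOG).items():
        print(sess, info)
    print("suspicious sites:", suspicious_sites(SAMPLE_LOG))
```

A real pipeline would add device-level signals (user agent, SDK attestation, bid-request volume per device), but cadence alone already separates the constructed bot sessions from the human one, and the per-site roll-up is what turns session flags into a publisher blocklist.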

How criminals avoid detection

The BADBOX 2.0 operation included sophisticated methods to avoid being caught:

Legitimate-looking behavior: The infected devices were programmed to browse the internet like real people. They would scroll through web pages, accept cookies, and even visit search engines before going to the criminal websites.

Evil twin apps: The criminals created fake versions of popular apps that looked legitimate but contained malicious code. These "evil twin" apps would even appear in app stores with fake download numbers and reviews.

Geographic distribution: By spreading infected devices across 222 countries, the criminals made it much harder for any single government or company to stop them.

Multiple revenue streams: Instead of relying on just one type of fraud, they ran several different schemes simultaneously, making their operation more profitable and harder to shut down completely.

International cooperation and disruption efforts

Fighting BADBOX 2.0 required unprecedented cooperation between governments, technology companies, and security researchers across multiple countries.

Germany took the lead in Europe, with its BSI agency implementing what's called a "sinkholing" operation. This involves redirecting the communication between infected devices and criminal servers to government-controlled servers instead. This stops the criminals from controlling the devices while allowing authorities to study the malware and identify which networks the infected devices sit on.
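To make the sinkholing idea concrete, here is an added toy resolver (not BSI's or anyone's actual sinkhole code): queries for a control domain, or any subdomain of one, are answered with an address the defenders control instead of the criminals' server, and every client that asked is written to a ledger grouped by network prefix, which is the information an authority needs to notify the operators of affected networks. The control domains, client addresses and upstream answer are constructed placeholders; the real BADBOX 2.0 domains are deliberately not reproduced.

```python
"""Toy DNS sinkhole: answer queries for known botnet control domains with a
defender-controlled address and keep a ledger of which clients asked.

Added example, not BSI's or any real sinkhole implementation. Domains and
addresses are constructed placeholders (RFC 5737 documentation ranges).
"""
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # constructed: stands in for the defender's server
BLOCKLIST = {"c2-placeholder.example", "update-placeholder.example"}   # constructed


class Sinkhole:
    def __init__(self, blocklist, sinkhole_ip, upstream):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream          # callable(qname) -> ip for everything else
        self.ledger = defaultdict(list)   # client_ip -> [(ts, qname)]

    def is_blocked(self, qname):
        """True if qname equals a blocklisted domain or is a subdomain of one."""
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client_ip, qname, ts):
        """Answer one query; record the client if it asked for a control domain."""
        if self.is_blocked(qname):
            self.ledger[client_ip].append((ts, qname))
            return self.sinkhole_ip
        return self.upstream(qname)

    def victims_by_network(self, prefix_len=24):
        """Group sinkholed clients by network prefix for operator notification."""
        nets = defaultdict(set)
        for client in self.ledger:
            net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
            nets[str(net)].add(client)
        return {net: sorted(clients) for net, clients in nets.items()}


def fake_upstream(qname):
    """Constructed stand-in for a normal recursive resolver."""
    return "203.0.113.10"


def demo():
    """Run a constructed query stream through the sinkhole; returns (sinkhole, answers)."""
    sh = Sinkhole(BLOCKLIST, SINKHOLE_IP, fake_upstream)
    queries = [   # constructed: two infected boxes in one /24, two clean clients
        ("198.51.100.7", "c2-placeholder.example", 1),
        ("198.51.100.7", "api.c2-placeholder.example", 2),
        ("198.51.100.9", "update-placeholder.example", 3),
        ("198.51.100.20", "www.example.org", 4),
        ("203.0.113.5", "legit-placeholder.example", 5),
    ]
    answers = [sh.resolve(client, qname, ts) for client, qname, ts in queries]
    return sh, answers


if __name__ == "__main__":
    sh, answers = demo()
    print(answers)
    print(sh.victims_by_network())
```

The suffix match matters: backdoor families commonly rotate subdomains under a fixed registered domain, so a sinkhole that matched exact names only would miss them. The ledger is the payoff for defenders; in the German case it is what let BSI tell ISPs which customers had infected devices.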

The collaborative effort included:

  • FBI and other U.S. law enforcement agencies
  • German Federal Office for Information Security (BSI)
  • Google's security teams
  • HUMAN Security researchers
  • Trend Micro cybersecurity company
  • Shadowserver Foundation

Each organization brought different capabilities. Law enforcement agencies could take legal action and work across borders. Technology companies like Google could update their security systems and file lawsuits. Security researchers could analyze the malware and track the criminals.

Consumer protection and prevention

The most important thing for consumers to understand is how to protect themselves from operations like BADBOX 2.0.

Buy from reputable sources: Stick to well-known brands and authorized retailers. If a deal seems too good to be true, it probably is.

Keep software updated: Always install security updates for your devices. The FBI emphasized that "timely patching is one of the most efficient and cost-effective steps to minimize exposure to cybersecurity threats."

Monitor your network: Pay attention to your internet usage. If your connection seems slower or you're using more data than usual, it might indicate infected devices.

Use official app stores: Only download apps from official sources like Google Play Store or Apple App Store. Avoid "sideloading" apps from unknown sources.

Check device certification: For Android devices, make sure they're "Play Protect certified." This means Google has tested them for security.

Be suspicious of "free" content: Devices advertised as giving access to free movies, TV shows, or premium content are often infected with malware.
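The "monitor your network" advice above can be made more precise than "the connection feels slow". Two behaviours described earlier in the article leave measurable traces on a home router: a device rented out as a residential proxy pushes far more data upstream than a video player ever would, and a device running hidden browsers contacts dozens of unrelated hosts per hour. The following is an added example, not from the article, the FBI or any vendor: it aggregates constructed per-flow records (hour bucket, device, destination host, bytes out, bytes in; the layout and thresholds are assumptions) and flags devices tripping either rule.

```python
"""Heuristics over home-router flow records to spot a streaming box behaving
like a proxy relay or an ad-fraud bot.

Added example; not from the article, the FBI or any vendor. Flow records are
constructed; the field order and both thresholds are assumptions.
"""
from collections import defaultdict

UPLOAD_RATIO = 3.0            # assumed: uploads > 3x downloads in an hour is not video watching
MIN_UPLOAD_BYTES = 10_000_000 # assumed: ignore the ratio rule for tiny volumes
MAX_HOSTS_PER_HOUR = 40       # assumed: a TV box talking to 40+ hosts an hour is browsing, not streaming

HOUR = 1700000000   # constructed: one hourly bucket
FLOWS = [
    # (hour, device, destination host, bytes_out, bytes_in)
    (HOUR, "tv-box-living-room", "cdn-video.example", 120_000, 98_000_000),
    (HOUR, "tv-box-living-room", "api-streaming.example", 30_000, 400_000),
    (HOUR, "picture-frame", "photos-sync.example", 5_000, 2_000_000),
    (HOUR, "tv-box-bedroom", "relay-1.example", 41_000_000, 2_500_000),
    (HOUR, "tv-box-bedroom", "relay-2.example", 38_000_000, 2_100_000),
] + [
    # constructed: the bedroom box touching 50 unrelated ad/gaming hosts in one hour
    (HOUR, "tv-box-bedroom", f"adsite-{i:02d}.example", 20_000, 100_000)
    for i in range(50)
]


def summarize(records):
    """Aggregate flows into {(device, hour): {"out": int, "in": int, "hosts": set}}."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "hosts": set()})
    for hour, device, host, out_b, in_b in records:
        entry = agg[(device, hour)]
        entry["out"] += out_b
        entry["in"] += in_b
        entry["hosts"].add(host)
    return agg


def flag_devices(records):
    """Return {device: sorted reasons} for devices tripping either rule in any hour."""
    reasons = defaultdict(set)
    for (device, hour), s in summarize(records).items():
        if s["out"] >= MIN_UPLOAD_BYTES and s["out"] > UPLOAD_RATIO * max(s["in"], 1):
            reasons[device].add("upload-heavy (proxy-like)")
        if len(s["hosts"]) >= MAX_HOSTS_PER_HOUR:
            reasons[device].add("high destination fan-out (hidden browsing)")
    return {device: sorted(r) for device, r in reasons.items()}


if __name__ == "__main__":
    for device, why in flag_devices(FLOWS).items():
        print(f"{device}: {', '.join(why)}")
```

A legitimate streaming box is download-heavy and talks to a handful of CDN and API hosts, which is why the living-room box and the picture frame stay quiet under both rules. Most consumer routers expose per-client traffic counters or NetFlow-style exports that can be fed into something like this; a device that trips the fan-out rule while the TV is off is the strongest signal of the kind of hidden activity the article describes.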

The economics of cybercrime

BADBOX 2.0 demonstrates how profitable cybercrime has become. The criminals behind this operation weren't just random hackers - they were running a sophisticated business with multiple revenue streams.

Consider the residential proxy service alone: at $13.64 per 5 gigabytes, and with millions of infected devices, the criminals could generate millions of dollars per month just from selling access to people's internet connections.

The advertising fraud was even more lucrative. With 5 billion fake ad requests per week at peak operation, and advertisers paying anywhere from $1 to $50 per thousand ad views depending on the target audience, the potential revenue was enormous.

This profitability explains why cybercriminal operations keep growing despite law enforcement efforts. The potential profits are so high that criminals are willing to invest in sophisticated infrastructure and coordinate across international borders.

Technical sophistication and supply chain attacks

What makes BADBOX 2.0 particularly concerning is how it represents a "supply chain attack" - where criminals compromise products during the manufacturing or distribution process, before they reach consumers.

Traditional computer viruses typically infected devices after people bought them. But BADBOX 2.0 devices came pre-infected. This is much more dangerous because:

Users can't prevent infection: No amount of careful browsing or security software can protect against malware that's already installed when you buy a device.

Detection is difficult: The malware is installed at a very deep level in the device's operating system, making it extremely hard to find and remove.

Scale potential: By infecting devices during manufacturing, criminals can potentially compromise millions of devices at once.

Trust exploitation: People trust that new devices are safe, so they're less likely to look for signs of infection.

The role of cheap Android devices

A key factor in BADBOX 2.0's success was the popularity of cheap Android devices, particularly in developing countries where brand-name electronics are expensive.

These devices, often called "Android Open Source Project" devices, use Google's Android operating system but don't include Google's security features. They're much cheaper than certified Android devices, making them attractive to budget-conscious consumers.

However, this cost savings comes with significant security risks:

  • No Google Play Protect security scanning
  • Infrequent or no security updates
  • Less rigorous quality control during manufacturing
  • Often sold through unofficial channels with little accountability

Brazil, which had the highest concentration of infected devices, is a perfect example of this dynamic. High import taxes and lower average incomes make expensive brand-name devices unaffordable for many people, creating a large market for cheaper alternatives.

Long-term implications for IoT security

BADBOX 2.0 highlights broader security problems with the "Internet of Things" - the growing number of everyday devices connected to the internet.

As more household items become "smart" - thermostats, door locks, security cameras, refrigerators - the potential for similar attacks grows. Many IoT device manufacturers prioritize low costs and quick time-to-market over security, creating vulnerabilities that criminals can exploit.

The challenge is that most consumers don't think of their TV streaming box or digital picture frame as a computer that needs security updates. Unlike smartphones or laptops, these devices often don't have obvious mechanisms for updating their software.

Industry response and future prevention

The discovery of BADBOX 2.0 has prompted changes across the technology industry:

Certification programs: Google and other companies are expanding their device certification programs to ensure better security standards.

Supply chain monitoring: Technology companies are implementing better oversight of their manufacturing partners to prevent pre-installation of malware.

Consumer education: Industry groups are working to educate consumers about the risks of uncertified devices and the importance of buying from reputable sources.

International cooperation: Governments are developing better mechanisms for coordinating responses to international cybercrime operations.

What happens next

While BADBOX 2.0 has been partially disrupted, security experts warn that the criminals behind it will likely adapt and try again. The underlying problems that made this operation possible - insecure devices, complex international supply chains, and insufficient consumer awareness - haven't been fully solved.

The FBI emphasized this in their warning: "If you believe you have been a victim of an intrusion, please file a report with the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov."

Consumers who think their devices might be infected should immediately disconnect them from their networks and report the incident. However, the best protection is prevention - being careful about what devices you buy and where you buy them.

The broader cybersecurity landscape

BADBOX 2.0 is part of a broader trend in cybercrime toward large-scale, professionally organized operations. Modern cybercriminals operate like businesses, with specialized roles, international supply chains, and sophisticated technology.

This represents a fundamental shift from the stereotype of the lone hacker in a basement. Today's cybercriminals are often part of organized groups with the resources to compromise millions of devices, operate complex fraud schemes, and adapt quickly to law enforcement efforts.

The success of operations like BADBOX 2.0 has significant implications beyond the immediate financial losses. It undermines trust in technology, increases costs for businesses and consumers, and creates opportunities for other criminal activities.

Understanding key terms

The BADBOX 2.0 operation involves many complex technical and marketing concepts. Here are the 20 most important terms explained in simple language:

Botnet: A network of computers or devices that have been infected with malware and can be controlled remotely by criminals without the owners' knowledge. Think of it like a secret army of devices that criminals can command to carry out attacks or fraud. In BADBOX 2.0, millions of smart TVs and other devices became part of this criminal network.

Programmatic advertising: An automated system for buying and selling digital advertising space in real-time. Instead of humans negotiating ad deals, computers make split-second decisions about which ads to show to which users. Criminals exploit this automated system because it's harder for humans to spot fake traffic when everything happens so quickly.

Click fraud: A type of online fraud where criminals generate fake clicks on digital advertisements to steal money from advertisers. Every time someone clicks on an ad, the advertiser pays money. Criminals use infected devices or software to automatically click on ads thousands of times, generating revenue without any real human interest in the products.

Ad fraud: The broader category of criminal activities designed to steal money from digital advertising budgets. This includes fake clicks, fake views, fake websites, and fake users. Ad fraud costs businesses over $50 billion annually and has become one of the largest sources of income for organized crime after illegal drugs.

Residential proxy services: Criminal services that sell access to real people's internet connections without their permission. When criminals want to hide their location while committing online crimes, they pay to route their internet traffic through infected home devices. This makes it appear as if the criminal activity is coming from innocent people's homes.

Command and control servers (C2): Special computer servers that criminals use to remotely control infected devices. These servers send instructions to compromised devices, telling them what malicious activities to perform. Think of them as the criminal headquarters that coordinates the entire botnet operation.

Invalid traffic (IVT): Any web traffic that isn't generated by real humans with genuine interest in the content or ads. This includes traffic from bots, malware, fraud schemes, and accidental clicks. Advertisers don't want to pay for invalid traffic because it doesn't represent potential customers.

Supply-side platforms (SSP): Technology platforms that help website owners sell their advertising space automatically. When you visit a website, SSPs instantly auction off the ad space to the highest bidder among advertisers. Criminals create fake websites and use SSPs to sell fraudulent ad space.

Cost per mille (CPM): The price advertisers pay for 1,000 ad impressions (times their ad is shown). CPM rates vary widely depending on the audience and content type. Gaming websites often have higher CPMs, which is why criminals created fake gaming sites - they could charge more money for showing ads.

Backdoor: A secret way for criminals to access a computer or device that bypasses normal security measures. It's like having a hidden key to someone's house that they don't know about. In BADBOX 2.0, criminals installed backdoors on devices during manufacturing, giving them permanent secret access.

Internet of Things (IoT): The network of everyday objects connected to the internet, such as smart TVs, digital picture frames, thermostats, and security cameras. These devices often have weak security, making them attractive targets for criminals who want to build large networks of compromised devices.

Android Open Source Project (AOSP): The free, basic version of Google's Android operating system that device manufacturers can use without paying licensing fees. However, AOSP devices don't include Google's security features like Play Protect, making them more vulnerable to malware attacks.

Sinkholing: A cybersecurity technique where authorities redirect traffic from criminal servers to servers they control. This allows law enforcement to stop criminal operations and gather intelligence about infected devices. Germany used sinkholing to neutralize 30,000 BADBOX 2.0 infected devices.

Bid requests: In programmatic advertising, these are automated requests for advertisers to bid on showing an ad to a specific user at a specific moment. Real bid requests represent opportunities to reach genuine potential customers. Fake bid requests generated by bots waste advertisers' money and computer resources.

Play Protect certification: Google's security verification process for Android devices. Certified devices have been tested for security and compatibility and include Google's malware protection features. Non-certified devices lack these protections and are more likely to come with pre-installed malware.

WebViews: Embedded web browser components that apps can render, including off-screen where users never see them. Legitimate apps use WebViews for various purposes, but criminals use hidden WebViews to automatically visit websites, click on ads, and generate fraudulent traffic without the device owner's knowledge.

Malvertising: The practice of spreading malware through online advertising networks. Criminals create malicious ads that infect devices when people click on them or sometimes just by viewing them. This is different from ad fraud, which steals money rather than directly infecting devices.

Account takeover (ATO): A type of cybercrime where criminals gain unauthorized access to someone's online accounts using stolen passwords or other methods. Criminals often use residential proxy services to hide their location when attempting account takeovers, making the attacks appear to come from the victim's own area.

Supply chain attack: A cyber attack that targets less-secure elements in the supply chain to compromise the final product. Instead of attacking well-protected targets directly, criminals compromise suppliers, manufacturers, or distributors. BADBOX 2.0 was a supply chain attack because criminals infected devices during manufacturing.

Evil twin apps: Malicious applications that impersonate legitimate apps by using similar names, icons, and descriptions. These fake apps often appear in unofficial app stores and may even infiltrate official stores. While they may perform the advertised function, they also contain hidden malware that performs criminal activities.

Timeline