In the shadowy world of cybercrime, where anonymity is paramount, a single act of hubris can often lead to the complete unraveling of a sophisticated criminal enterprise, a truth recently demonstrated in the investigation of the notorious Badbox 2.0 botnet. A rival operator’s simple boast on social media inadvertently provided the crucial piece of evidence needed to pierce the veil of secrecy surrounding one of the internet’s most extensive ad-fraud schemes. This extensive botnet, primarily composed of compromised unofficial Android TV streaming boxes, operates on a massive scale with roots in China. The malicious software that powers it is frequently pre-installed on these devices prior to sale, transforming unsuspecting consumers into unwitting nodes in a vast network designed for illicit profit. The sheer scope and impact of this operation have not gone unnoticed, drawing significant attention from major entities, including a dedicated investigation by the Federal Bureau of Investigation and a “John Doe” lawsuit filed by Google against the botnet’s unidentified operators.
A Fortuitous Mistake
The entire investigation pivoted on a critical error made by the operators of a competing botnet known as Kimwolf. In a display of overconfidence after successfully breaching the administrative control panel of their rival, one of the Kimwolf operators, identified by the handle “Dort,” shared a screenshot of the compromised interface as a digital trophy. This act, intended to taunt and assert dominance over the Badbox 2.0 administrators, backfired spectacularly. The image contained a list of the seven authorized user accounts for the control panel, complete with their associated email addresses on the Chinese messaging service QQ. What was meant as a private humiliation between criminal factions became a public roadmap for security researchers, providing the first tangible leads in a case that had long been shrouded in anonymity. This single piece of leaked intelligence became the foundational clue that would allow investigators to methodically deconstruct the operational security of a major cybercrime ring.
The screenshot was far more than just proof of a successful intrusion; it was a veritable goldmine of actionable intelligence for investigators specializing in open-source intelligence (OSINT). Each of the seven QQ email addresses represented a distinct digital thread that, when carefully pulled, had the potential to unravel the entire operation. These identifiers served as the starting point for a painstaking process of digital forensics, enabling researchers to “pivot” from one piece of public or semi-public information to another. By cross-referencing these emails with data from public records, domain registration databases, security breach aggregators, and archived websites, investigators could begin to build comprehensive profiles of the individuals behind the aliases. The boastful act by “Dort” had unintentionally handed over the keys to the kingdom, transforming a list of usernames into a direct line of inquiry pointing toward specific individuals and their intricate network of corporate entities based in China.
The Meticulous Unraveling of Identities
The investigation quickly gained momentum by focusing on the user account labeled “Chen,” which was linked to the email address 34557257@qq.com. Applying OSINT techniques, researchers discovered that this email was publicly listed as a contact for several China-based technology firms, including Beijing Hong Dake Wang Science & Technology Co Ltd. This finding was a major breakthrough, as these same companies had been identified in a March 2025 security report by HUMAN Security as being integral to the Badbox 2.0 botnet’s command-and-control infrastructure. The trail intensified when data from a previous security breach revealed a password, “cdh76111,” associated with the QQ account. This same password was reused for a Gmail account under the alias “cathead,” which in turn was used to register on a Chinese retail website under the full name Chen Daihai. The name Chen Daihai and the alias “cathead” subsequently appeared in registration records for several domains previously confirmed as Badbox 2.0 assets, creating an undeniable link between the individual, his corporate entities, and the botnet’s core infrastructure.
Further analysis of the compromised control panel led investigators to another prominent user, “Mr.Zhu,” associated with the email xavierzhu@qq.com. Research soon revealed a close professional relationship between this individual and Chen Daihai. An archived version of the website astrolink[.]cn, a known Badbox 2.0 domain linked to Chen, featured a “Contact Us” page that listed Chen Daihai in the technology department alongside another key employee: Zhu Zhiyu. This placed the two primary suspects within the same corporate structure, strongly suggesting a collaborative partnership. The connection was further solidified through additional data pivots. The contact email for Zhu Zhiyu on the archived site was xavier@astrolink[.]cn, linking him to the “Xavier” alias from the screenshot. Moreover, breach data confirmed that the xavierzhu@qq.com address was used to register an online retail account in the name of Zhu Zhiyu. The final piece of evidence emerged when it was discovered that an associated Gmail account, xavierzhu@gmail.com, was the original registrant for the astrolink[.]cn domain, cementing his foundational role in the operation.
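The pivoting described above (a seed email, a corporate contact listing, a breach record, a reused credential tying in a second account, a retail signup with a full name, and WHOIS history tying that name to known botnet domains) can be modelled as a walk over a graph whose nodes are identifiers and whose edges are the records that mention two identifiers together. The block below is an added example, not code from the article, from the investigators, or from any named company; every record, name, email, credential and domain in it is a constructed placeholder, and the record source labels are assumed categories chosen to mirror the kinds of data the article mentions.

```python
"""Identifier-pivot graph for OSINT attribution (added example, constructed data)."""
from collections import defaultdict, deque

# Record attribute names mapped to the identifier kind they pivot on.
# "name" and "registrant_name" are treated as the same kind so a retail
# signup and a WHOIS record can be joined on the person's name.
PIVOT_KINDS = {
    "email": "email", "credential": "credential", "name": "name",
    "registrant_name": "name", "company": "company", "domain": "domain",
    "account": "alias", "alias": "alias",
}

# Constructed placeholder records: (source_dataset, {attribute: value}).
# None of these values correspond to a real person, account or domain.
RECORDS = [
    ("panel_screenshot",    {"account": "user-A", "email": "seed1@example.com"}),
    ("corp_contact_listing", {"email": "seed1@example.com", "company": "ExampleTech Co"}),
    ("breach_dump_A",       {"email": "seed1@example.com", "credential": "hash:placeholder-1"}),
    ("breach_dump_B",       {"email": "alias1@example.net", "credential": "hash:placeholder-1"}),
    ("retail_signup",       {"email": "alias1@example.net", "name": "Placeholder Person One"}),
    ("whois_history",       {"domain": "c2-example.test", "registrant_name": "Placeholder Person One"}),
    ("threat_report",       {"domain": "c2-example.test", "company": "ExampleTech Co"}),
    ("unrelated_whois",     {"domain": "other.test", "registrant_name": "Someone Else"}),
]


def normalize(attr, value):
    """Map a record attribute to a graph node (kind, value), or None if not a pivot."""
    kind = PIVOT_KINDS.get(attr)
    if kind is None:
        return None
    return (kind, value.strip().lower())


def build_graph(records):
    """Every pair of identifiers appearing in one record becomes an edge labelled by the source."""
    graph = defaultdict(set)
    for source, attrs in records:
        nodes = [n for n in (normalize(a, v) for a, v in attrs.items()) if n is not None]
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                graph[a].add((b, source))
                graph[b].add((a, source))
    return graph


def pivot(graph, seed, max_hops=6):
    """Breadth-first walk from the seed identifier.

    Returns {node: chain}, where chain is the list of (node, source) hops that
    led from the seed to that node; the seed itself maps to an empty chain.
    Shortest chains are found first, so each hop in a chain is a record an
    analyst can go back and verify.
    """
    chains = {seed: []}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if len(chains[current]) >= max_hops:
            continue
        for neighbour, source in sorted(graph.get(current, ())):
            if neighbour not in chains:
                chains[neighbour] = chains[current] + [(neighbour, source)]
                queue.append(neighbour)
    return chains


def evidence_chain(seed, chains, target):
    """Render the hop-by-hop chain of records linking seed to target, or None if unlinked."""
    if target not in chains:
        return None
    lines = [f"{seed[0]}={seed[1]}"]
    for (kind, value), source in chains[target]:
        lines.append(f"  --[{source}]--> {kind}={value}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(RECORDS)
    seed = ("email", "seed1@example.com")
    found = pivot(g, seed)
    print(evidence_chain(seed, found, ("name", "placeholder person one")))
    print(evidence_chain(seed, found, ("domain", "c2-example.test")))
```

Each hop in the printed chain names the dataset that supplied the link, which is what makes the result checkable rather than a bare assertion. The constructed data deliberately offers two independent routes from the seed email to the name (one through the corporate listing and domain records, one through the reused credential and the second account), mirroring the article's case where corporate listings and breach data corroborated each other; a chain that rests on a single breach record should be treated as a lead to confirm, not a conclusion.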
Implications of a Cybercrime Feud
It is essential to recognize that the actions of the Kimwolf botnet operators were not born from a sense of digital vigilantism. Their infiltration of the Badbox 2.0 panel was a hostile and opportunistic maneuver aimed at expanding their own criminal enterprise. By gaining administrative access, “Dort” and his associates intended to leverage the vast, pre-existing network of millions of devices already infected by Badbox 2.0. Their goal was to deploy the Kimwolf malware onto this established infrastructure, effectively hijacking the botnet for their own purposes and bypassing security measures recently implemented by residential proxy providers. This botnet-on-botnet conflict serves as a stark illustration of the predatory and highly competitive dynamics that define the modern cybercrime ecosystem, where rival groups actively prey on one another in a constant struggle for resources and control over compromised networks.
The intelligence uncovered as a result of this inter-criminal feud provided law enforcement with a clear and compelling path forward. The evidence strongly suggested that Chen Daihai and his business associate Zhu Zhiyu were the central figures behind the Badbox 2.0 botnet, with their network of interconnected companies and domains aligning perfectly with the user information found in the compromised control panel. While the investigator’s notification to the identified Badbox 2.0 operators about the breach likely terminated “Dort’s” short-lived access, the damage to their anonymity was already done. The accidental leak has equipped agencies like the FBI with crucial leads and specific names, marking a significant advancement in the ongoing effort to dismantle one of the internet’s most pervasive and deeply embedded ad-fraud botnets. The case ultimately underscored how the very ego that drives cybercriminals to seek notoriety can become the instrument of their own downfall.