  • ✇Firewall Daily – The Cyber Express
  • Latvian Cybercriminal Jailed for Role in Multi-Million Dollar Ransomware Scheme Samiksha Jain

Latvian Cybercriminal Jailed for Role in Multi-Million Dollar Ransomware Scheme


The sentencing of one of the key operatives behind a major ransomware group highlights the global reach of law enforcement in tackling ransomware attacks. Deniss Zolotarjovs, a Latvian national, has been sentenced to 102 months in prison for his role in a Russian-linked ransomware organization that targeted more than 54 companies worldwide. The sentence marks a significant development in ongoing efforts to dismantle international ransomware networks. According to the U.S. Department of Justice, Zolotarjovs played a central role in extortion operations carried out between June 2021 and August 2023. The group operated under multiple ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, reflecting a complex and evolving cybercrime structure.

Ransomware Organization Sentencing: Role in Extortion and Data Exploitation

Officials said Zolotarjovs was primarily responsible for increasing pressure on victims who hesitated to pay ransom demands. He analyzed stolen data and used sensitive information to intensify extortion tactics. In one case involving a pediatric healthcare provider, Zolotarjovs used children’s health information to pressure the organization into paying. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance. Assistant Attorney General A. Tysen Duva described Zolotarjovs as a “cruel, ruthless, and dangerous international cybercriminal,” noting that his actions included exploiting highly personal data to increase leverage over victims.

Financial and Operational Impact of Attacks

The ransomware organization’s activities caused widespread damage. Of the more than 54 targeted companies, attacks on 13 resulted in losses exceeding $56 million, including approximately $2.8 million paid in ransom. An additional 41 companies are believed to have paid around $13 million, though detailed loss figures are still being compiled. Authorities estimate that the total financial impact could reach hundreds of millions of dollars when factoring in underreported incidents. Beyond financial losses, the attacks led to the exposure of highly sensitive data, including Social Security numbers, addresses, dates of birth, and healthcare records. In one instance, a government entity’s 911 emergency system was forced offline, raising serious concerns about public safety and the broader consequences of ransomware attacks.

Organized Structure and Global Operations

Investigators found that the ransomware organization operated with a structured hierarchy and used a network of companies across Russia, Europe, and the United States to mask its activities. Members were largely based in Russia and reportedly operated from an office in St. Petersburg. The group’s operations also involved corruption and misuse of public resources. Authorities said some members had ties to former Russian law enforcement, allowing them to access databases, intimidate individuals, and identify potential recruits. These connections also enabled members to avoid scrutiny, including evading taxes and military service through bribes.

Arrest, Extradition, and Prosecution

Zolotarjovs was arrested in Georgia in December 2023 and later extradited to the United States in August 2024 after contesting the process. In July 2025, he pleaded guilty to conspiracy charges involving money laundering and wire fraud. The case was investigated by the Federal Bureau of Investigation, with support from multiple field offices and international partners. Special Agent in Charge Jason Cromartie said the case reflects the agency’s continued efforts to track down cybercriminals operating across borders. U.S. Attorney Dominick S. Gerace II added that the prosecution demonstrates that cybercriminals cannot rely on geography or anonymity to evade justice.

Continued Focus on Ransomware Threats

The sentencing highlights the scale and persistence of ransomware threats targeting businesses and public services. Authorities said investigations into related actors and networks remain ongoing as part of broader efforts to disrupt global cybercrime operations.
  • ✇Firewall Daily – The Cyber Express
  • FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms Samiksha Jain

FBI Warns of Surge in Cyber-Enabled Cargo Theft Targeting Logistics Firms


The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo. The agency said these attacks have been ongoing since at least 2024 and are now becoming more sophisticated and widespread. Losses linked to cyber-enabled cargo theft have surged significantly. In 2025, estimated cargo theft losses in the United States and Canada reached nearly $725 million, marking a 60 percent increase from the previous year. Confirmed incidents rose by 18 percent, while the average value per theft increased by 36 percent to $273,990, reflecting a shift toward more targeted, high-value shipments.

How Cyber-Enabled Cargo Theft Works

The FBI outlined a structured, multi-step process used in cyber-enabled cargo theft schemes:
  • Initial access. Attackers compromise broker and carrier accounts through phishing: spoofed emails, fake websites, and malicious links. The emails pose as routine business communications, such as carrier agreements or service complaints, and link to phishing sites that mimic trusted platforms. Once visited, these sites deliver malware or remote monitoring tools that give the attackers control of the victim's systems without detection.
  • Load-board abuse. With the stolen credentials, the criminals impersonate legitimate brokers or carriers on online freight marketplaces known as load boards and post fake shipment listings, sometimes in large volumes. Carriers that bid on these listings are themselves compromised through fraudulent agreements or malicious downloads.
  • Double-brokering and document manipulation. The compromised accounts are used to accept real shipment contracts. The freight is then illegally double-brokered and rerouted to unintended locations: bills of lading and other shipment documents are altered and delivery destinations changed without the knowledge of the original parties.
  • Physical diversion. Finally the cargo itself is diverted, typically by cross-docking or transloading it to other drivers, who are often complicit, and stolen for resale. In some cases the attackers demand a ransom payment in exchange for information about the shipment's location.
(Image: cyber-enabled cargo theft. Image source: https://www.ic3.gov/)

Indicators of Cyber-Enabled Cargo Theft

The FBI has identified several warning signs that may indicate a cyber-enabled cargo theft attempt:
  • Unexpected communications regarding shipments made in a company's name.
  • Spoofed email domains, and slight variations in domain names designed to mimic legitimate organisations.
  • Requests to download documents from suspicious links.
  • Emails referencing negative service reviews that carry embedded links.
  • Unauthorized changes to email account settings.
  • Use of temporary or internet-based phone numbers to communicate with victims.
These tactics are designed to create a sense of urgency or legitimacy, increasing the likelihood that employees will engage with malicious content.
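As an added example (not code from the FBI advisory or from The Cyber Express), the following Python turns the indicators above into a triage check that can be run over inbound broker and carrier email. The trusted counterparty domains, the sample messages and the .example hostnames are constructed for the example. The lookalike test treats confusable-character substitutions and a Levenshtein distance of at most two as the "slight variation in domain name" the FBI describes; that threshold is a practical choice of this example, not something the advisory specifies.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the counterparties a dispatcher actually does business with.
TRUSTED_DOMAINS = {"northstarfreight.example", "acmelogistics.example"}

# Character swaps typical of lookalike domains ("n0rthstar", "rn" standing in for "m", ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Words that turn a link on an untrusted host into a document-download or complaint lure.
LURE_WORDS = ("download", "agreement", "bill of lading", "complaint", "review")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold confusable characters so that n0rthstar and northstar compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate. A near miss (confusable characters, or at most
    two edits away) is the "slight variation in domain name" the FBI lists.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 2:
            return t
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(msg: dict) -> list:
    """Score one inbound message against the advisory's indicators.

    msg has keys: from, reply_to, subject, body. Returns the sorted list of
    indicator names that fired; an empty list means nothing matched.
    """
    flags = set()
    sender = domain_of(msg["from"])
    if lookalike_of(sender):
        flags.add("lookalike_sender")
    if domain_of(msg["reply_to"]) != sender:
        flags.add("reply_to_mismatch")      # replies are silently routed to another domain
    text = (msg["subject"] + " " + msg["body"]).lower()
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if lookalike_of(host):
            flags.add("lookalike_link")
        if host not in TRUSTED_DOMAINS and any(w in text for w in LURE_WORDS):
            flags.add("doc_download_lure")  # "download the agreement" / "see the complaint" on an untrusted host
    return sorted(flags)


# Constructed sample traffic; none of these addresses or URLs are real.
SAMPLE_MESSAGES = [
    {   # routine rate confirmation from a genuine counterparty
        "from": "dispatch@northstarfreight.example",
        "reply_to": "dispatch@northstarfreight.example",
        "subject": "Rate confirmation, load 4471",
        "body": "Rate confirmation for load 4471 is attached. Pickup Tuesday 08:00.",
    },
    {   # lookalike domain (0 for o) plus a "download the carrier agreement" lure
        "from": "ops@n0rthstarfreight.example",
        "reply_to": "ops@n0rthstarfreight.example",
        "subject": "Updated carrier agreement",
        "body": "Please download and sign the updated carrier agreement today: "
                "https://n0rthstarfreight.example/docs/agreement",
    },
    {   # spoofed From header, replies diverted, negative-service-review lure
        "from": "support@acmelogistics.example",
        "reply_to": "claims@acme-logistics-review.example",
        "subject": "Negative service review filed against your company",
        "body": "A shipper filed a complaint. Review the full report here: "
                "https://portal-review.example/complaint/8812",
    },
]
```

In production this check would sit at the mail gateway or in a SOAR playbook, with TRUSTED_DOMAINS fed from the broker's real vendor list. A hit on lookalike_sender or reply_to_mismatch is the point at which the advisory's out-of-band verification (a call to a number already on file, never one taken from the message) should be mandatory before any load is released.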

Steps to Prevent Theft

To reduce the risk of cyber-enabled cargo theft, the FBI is urging organisations to adopt stronger verification and security practices. Companies are advised to independently confirm shipment requests using multiple communication channels before releasing goods. The agency recommends implementing multi-layer verification processes and not relying solely on familiar names or email addresses. Businesses should also maintain detailed records of all transactions, including driver identification, vehicle details, and communication logs, to support investigations if needed. Recognising phishing attempts and avoiding interaction with suspicious links remain critical preventive measures.

Reporting Theft Incidents

The FBI has encouraged victims of cyber-enabled cargo theft to report incidents promptly. In addition to contacting local law enforcement, affected organisations should file complaints with the Internet Crime Complaint Center (IC3) or reach out to their nearest FBI field office. The agency said timely reporting can help identify patterns, disrupt criminal networks, and prevent further losses across the logistics sector.
  • ✇Firewall Daily – The Cyber Express
  • Gov. Tim Walz Deploys National Guard After Winona Cyberattack Disrupts Services Samiksha Jain

Gov. Tim Walz Deploys National Guard After Winona Cyberattack Disrupts Services


A Winona County cyberattack has disrupted critical systems and forced Minnesota to step in with emergency support. The cyberattack on Winona County began on April 6 and continued overnight into April 7, affecting key digital infrastructure used to run emergency and municipal services. County officials said the disruption significantly impaired their ability to deliver essential services, including core administrative and public-facing operations. Governor Tim Walz signed an executive order authorizing the Minnesota National Guard to assist with the response. “Cyberattacks are an evolving threat that can strike anywhere, at any time,” said Governor Walz. “Swift coordination between state and local experts matters in these moments. That's why I am authorizing the National Guard to support Winona County as they work to protect critical systems and maintain essential services.”

Winona County Cyberattack Strains Local Response

The Winona County cyberattack quickly overwhelmed local response efforts. Officials said teams have been working around the clock since the incident was detected. The county is coordinating with Minnesota Information Technology Services, the Minnesota Bureau of Criminal Apprehension, the League of Minnesota Cities, the Federal Bureau of Investigation, and external cybersecurity specialists. Despite this multi-agency response, officials confirmed that the scale and complexity of the incident exceeded both internal and commercial response capabilities. This led to a formal request for cyber protection support from the Minnesota National Guard. The incident highlights how even smaller jurisdictions are now facing large-scale cyber disruptions that require state-level intervention.

National Guard Activated Under Emergency Order

Under the emergency order, the Adjutant General is authorized to deploy personnel, equipment, and other resources to support the response to the Winona County cyberattack. The order also allows the state to procure services needed to manage the incident and confirms that costs will be covered through the state’s general fund. It is already in effect and will remain active until the emergency conditions subside or the order is formally rescinded. Officials say the priority is to stabilize affected systems, prevent further damage, and restore full functionality as quickly as possible.

Essential Services Continue Amid Disruption

Even as systems remain impacted, officials stressed that emergency services are still operational. 911 services, fire response, and other emergency operations continue to function during the Winona County cyberattack, ensuring that urgent public safety needs are not affected. However, the disruption has slowed other county services, and officials have warned that some delays are expected as systems are brought back online. Residents have been asked for patience while recovery efforts continue.

Investigation Underway

Authorities have not disclosed the nature of the Winona County cyberattack or whether it involves ransomware or another type of cyber intrusion. The FBI is actively involved in the investigation, along with state agencies and external cybersecurity experts. Investigators are working to determine how the attack occurred, what systems were impacted, and whether any sensitive data was accessed. For now, the focus remains on containment, system recovery, and strengthening defenses to prevent further intrusion.

Earlier Ransomware Incident Raises Concerns

The latest Winona County cyberattack comes as an update to a ransomware incident the county first reported in January 2026. At the time, officials said, “We recently identified and responded to a ransomware incident affecting our computer network. Upon discovery, we immediately initiated an investigation to assess the scope and impact of the incident.” A local emergency was declared during that event by County Board Chair Commissioner Meyer, as officials worked to maintain continuity of services. Emergency operations, including 911 and fire response, remained active while systems were analyzed and restored. The recurrence of cyber incidents in such a short period has raised concerns about ongoing vulnerabilities and the growing threat landscape facing local governments.

Growing Cyber Pressure on Local Governments

The Winona County cyberattack highlights a broader trend: local governments are increasingly targeted but often lack the resources to respond to complex cyber incidents on their own. When systems go down, the impact is immediate. Public services are disrupted, and recovery can take time. State support is now helping Winona County stabilize operations. But the incident points to a larger issue: cyberattacks are becoming more frequent, more disruptive, and harder for local agencies to handle without outside assistance.
  • ✇Firewall Daily – The Cyber Express
  • CISA, FBI Warn of Phishing Campaign Targeting Messaging App Users Samiksha Jain

CISA, FBI Warn of Phishing Campaign Targeting Messaging App Users

25 March 2026, 05:19


A new phishing campaign targeting messaging apps has triggered warnings from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), highlighting how even the most secure communication platforms can be undermined by human error rather than technical flaws. In a joint public service announcement, the agencies revealed that cyber actors linked to Russian Intelligence Services are actively targeting users of commercial messaging applications (CMAs), including high-profile individuals such as government officials, military personnel, political figures, and journalists. The goal is not to break encryption—but to bypass it entirely.

Phishing Campaign Targeting Messaging Apps Bypasses Encryption

The most striking aspect of this phishing campaign targeting messaging apps is that it does not rely on exploiting software vulnerabilities. Instead, attackers are focusing on users themselves. Evidence shows that while encryption remains intact, thousands of individual accounts have already been compromised globally. Once attackers gain access, they can read private messages, access contact lists, send messages as the victim, and even launch further phishing attacks. This reinforces a critical point often overlooked in cybersecurity discussions: encryption is only as strong as the user behind it.

How the Phishing Campaign Works

According to CISA and the FBI, the phishing campaign targeting messaging apps primarily uses social engineering tactics. Attackers impersonate official support accounts within messaging platforms, sending convincing messages that prompt users to take immediate action. These messages may:
  • Ask users to click on malicious links
  • Request verification codes or PINs
  • Encourage account “recovery” actions
(Image: Phishing Campaign Targeting Messaging Apps. Image source: FBI.) If a user complies, attackers can link their own device to the account or take full control. In some cases, attackers may escalate their tactics by deploying malware, making the campaign more persistent and difficult to contain. Notably, reporting suggests that platforms like Signal have been specifically targeted, though similar methods can be applied across other messaging apps. (Image: Phishing Campaign Targeting Messaging Apps. Image source: FBI.)

Why This Phishing Campaign Targeting Messaging Apps Matters

The scale and simplicity of this phishing campaign targeting messaging apps make it particularly dangerous. Unlike complex cyberattacks, phishing requires minimal technical sophistication but delivers high success rates. CISA and the FBI emphasized this reality, stating: “Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant including end-to-end encryption.”

Key Recommendations for Users

To counter the risks posed by the phishing campaign targeting messaging apps, authorities are urging users to adopt basic but effective cybersecurity practices:
  • Pause before responding: If something feels suspicious, do not engage or share sensitive information.
  • Avoid unknown messages: Treat unexpected or unusual requests with caution, even from known contacts.
  • Check links carefully: Do not click on unfamiliar or suspicious links.
  • Monitor group chats: Watch for duplicate or fake accounts in conversations.
  • Use built-in security features: Enable protections like message expiration where appropriate.
  • Report incidents quickly: Notify security teams or report to authorities such as the Internet Crime Complaint Center (IC3).
Users are also reminded that legitimate support services do not request verification codes or send account recovery links via direct messages.

A Persistent Cyber Threat That Relies on Human Behavior

What makes this phishing campaign targeting messaging apps particularly concerning is its reliance on human behavior rather than technical weaknesses. Attackers are betting on urgency, confusion, and trust—factors that technology alone cannot fix. The warning from CISA and the FBI is clear: users must remain vigilant. Strengthening personal cybersecurity habits is now just as important as the security features built into the platforms themselves. As messaging apps continue to play a central role in both personal and professional communication, campaigns like this serve as a reminder that the weakest link in cybersecurity is often not the system—but the user.
  • ✇Firewall Daily – The Cyber Express
  • Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists Samiksha Jain

Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists

24 March 2026, 02:35


The Iran Telegram malware campaign has once again put the spotlight on how state-backed cyber actors are adapting their tactics by blending into widely used digital platforms. In a recent alert, the Federal Bureau of Investigation (FBI) revealed that cyber actors linked to Iran’s Ministry of Intelligence and Security (MOIS) are using Telegram as a command-and-control (C2) infrastructure to deploy malware. The campaign specifically targets Iranian dissidents, journalists, and individuals or groups perceived as opposing the Iranian government. According to the FBI, these operations have led to intelligence collection, data leaks, and reputational damage, indicating that the intent goes beyond simple access and leans toward sustained monitoring and impact.

Iran Telegram Malware Reflects Targeted Surveillance Strategy

The Iran Telegram malware activity dates back to at least Fall 2023, with multiple malware variants identified targeting Windows systems. The victim profile is not random. It is clearly defined, focused on individuals whose views or affiliations are seen as a threat by the Iranian government. However, the FBI also notes that the malware can be used against any individual of interest, suggesting the capability is broader than the currently observed targets. What stands out is the level of preparation. The malware is not just deployed, it is tailored. Attackers appear to study their targets in advance, customizing lures to increase the chances of success. This points to a deliberate and intelligence-driven approach rather than opportunistic attacks.

How the Iran Telegram Malware Operates

The FBI outlines a structured, multi-stage malware framework that combines deception with persistence.
Social Engineering Drives Initial Access
Attackers reach out through messaging platforms, impersonating trusted contacts or even technical support. Victims are persuaded to download files disguised as legitimate applications. These files often appear as commonly used software, including messaging tools or utilities, making them harder to question.
Multi-Stage Malware Deployment
  • Stage 1: Masquerades as legitimate applications such as Telegram-related tools, KeePass, or other software
  • Stage 2: Installs a persistent implant after user interaction
Once executed, the second stage connects the infected device to a Telegram bot, establishing a C2 channel via Telegram’s infrastructure.
Persistent Access and Control
At this stage, attackers gain remote access to the compromised system. The use of Telegram allows bidirectional communication, enabling continuous control without raising immediate suspicion.

Data Collection and Exfiltration via Telegram

The primary objective of the Iran Telegram malware campaign is data collection. The malware is capable of:
  • Recording screen activity and audio
  • Capturing cached data and files
  • Compressing and staging data for exfiltration
  • Deleting files after extraction
Some variants were even designed to record screen and audio during active Zoom sessions, highlighting a focus on capturing sensitive, real-time information. All collected data is routed through Telegram infrastructure, reinforcing its role as a central component of the attack chain.

Links to Handala Hack and Proxy Operations

The FBI also connects this campaign to the online entity “Handala Hack,” which claimed responsibility for a 2025 hack-and-leak operation targeting individuals critical of Iran. The agency assesses that some of the leaked data was obtained using malware associated with this campaign. Handala Hack is known for phishing, data theft, extortion, and destructive cyber activities, including the use of wiper malware. Additionally, the group is linked to “Homeland Justice,” another entity assessed to be operated by MOIS cyber actors. This reflects a broader pattern where technical intrusions are followed by public data exposure. The goal is not just access, but also reputational and political damage through controlled information release.

Execution Techniques and Persistence Mechanisms

The malware used in the Iran Telegram malware campaign employs several techniques to maintain access and avoid detection:
  • Use of PowerShell execution without warnings
  • Registry modifications to ensure persistence
  • Deployment of multiple malware files for different functions
Observed file names include variants mimicking legitimate tools, such as Telegram_authenticator.exe and WhatssApp.exe, further reinforcing the deception strategy. (Image: Iran Telegram malware campaign. Image source: FBI.) Once inside a system, additional malware components are downloaded to expand capabilities and maintain long-term access.
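The behaviours described in "How the Iran Telegram Malware Operates" and in this section (stage-1 files named after Telegram, WhatsApp or KeePass, a second stage talking to a Telegram bot, silent PowerShell execution, Run-key persistence) translate directly into hunting rules. The Python below is an added example, not code from the FBI alert or from The Cyber Express: it runs three such rules over constructed autorun, process and proxy-log records. Assumptions to note: the artifact records and paths are made up for the example; "PowerShell execution without warnings" is read here as launching with -WindowStyle Hidden, -ExecutionPolicy Bypass or an encoded command, a common interpretation rather than detail the alert gives; and the bot-C2 rule relies on the documented shape of Telegram's Bot API URL (api.telegram.org/bot<token>/<method>), which the ordinary Telegram desktop client does not use.

```python
import difflib
import ntpath
import re

# Legitimate binaries the FBI says the stage-1 droppers imitate, keyed by file name.
LEGIT_BINARIES = {"telegram.exe": "Telegram", "whatsapp.exe": "WhatsApp", "keepass.exe": "KeePass"}

# Assumption: "PowerShell execution without warnings" means a hidden window, a policy
# bypass or an encoded command, the usual way a dropper starts its second stage silently.
SUSPICIOUS_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|xec|p)\s+bypass|-enc(?:odedcommand)?\s",
    re.I,
)


def impersonated_app(image_path: str):
    """Return the brand an autorun image pretends to be, or None if the name is clean.

    Catches both masquerades the alert reports: a brand name wrapped in an unexpected
    file name (Telegram_authenticator.exe) and a typosquat of the real binary
    (WhatssApp.exe). The genuine file name itself is not flagged by this rule.
    """
    name = ntpath.basename(image_path).lower()
    if name in LEGIT_BINARIES:
        return None
    for legit, brand in LEGIT_BINARIES.items():
        if brand.lower() in name:
            return brand
        if difflib.SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return brand
    return None


def hunt(autoruns, processes, net_events):
    """Apply the three rules; return (rule, subject, detail) tuples in input order."""
    findings = []
    for entry in autoruns:            # Run-key persistence pointing at a masquerading image
        brand = impersonated_app(entry["image"])
        if brand:
            findings.append(("autorun_brand_impersonation", entry["image"], brand))
    for proc in processes:            # PowerShell started so the user sees nothing
        if proc["image"].lower() == "powershell.exe" and SUSPICIOUS_PS.search(proc["cmdline"]):
            findings.append(("powershell_silent_launch", proc["cmdline"], str(proc["pid"])))
    for ev in net_events:             # Bot API traffic from anything that is not a bot you run
        if ev["host"].lower() == "api.telegram.org" and ev["path"].startswith("/bot"):
            findings.append(("telegram_bot_c2", ev["image"], ev["host"] + ev["path"]))
    return findings


# Constructed artifacts for the example: a Run-key export, a process listing and a proxy log.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    {"key": RUN_KEY, "value": "OneDrive",
     "image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"key": RUN_KEY, "value": "TelegramAuth",
     "image": r"C:\Users\u\AppData\Roaming\tgauth\Telegram_authenticator.exe"},
    {"key": RUN_KEY, "value": "WhatsApp",
     "image": r"C:\Users\u\AppData\Roaming\WhatssApp.exe"},
]
PROCESSES = [
    {"pid": 4120, "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\u\AppData\Roaming\tgauth\stage2.ps1"},
    {"pid": 880, "image": "powershell.exe", "cmdline": "powershell.exe -Command Get-Process"},
]
NET_EVENTS = [
    {"pid": 4120, "image": "Telegram_authenticator.exe",
     "host": "api.telegram.org", "path": "/bot<token>/getUpdates"},
    {"pid": 3001, "image": "chrome.exe", "host": "web.telegram.org", "path": "/"},
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(AUTORUNS, PROCESSES, NET_EVENTS):
        print(f"{rule:30} {subject}  [{detail}]")
```

The third rule is the one worth tuning first: outbound HTTPS to api.telegram.org with a /bot<token>/ path from a process that is not a bot the organisation itself operates is a strong signal on its own, because the desktop client speaks MTProto to Telegram's data centres rather than calling the Bot API, and it is exactly the channel the alert says carries both commands and exfiltrated data. Blocking that endpoint at the proxy for all but allow-listed hosts cuts the C2 path without touching the client.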

Why This Campaign Stands Out

What makes the Iran Telegram malware campaign particularly concerning is its simplicity combined with precision.
  • It relies heavily on human interaction rather than technical exploits
  • It uses trusted platforms instead of suspicious infrastructure
  • It focuses on specific individuals rather than mass attacks
This combination makes detection harder and increases the likelihood of success.

Mitigation: Simple Steps, Critical Impact

Despite the sophistication of the campaign, the FBI’s recommendations remain grounded in basic cybersecurity practices:
  • Be cautious of unexpected messages, even from known contacts
  • Avoid downloading files from unverified sources
  • Keep systems updated with the latest software patches
  • Use strong passwords and enable multi-factor authentication
  • Regularly run antivirus or anti-malware tools
The advisory makes one thing clear: even advanced campaigns often succeed because of small lapses in user awareness.

A Clear Signal for Cyber Defenders

The Iran Telegram malware campaign is a reminder that cyber threats are no longer confined to obscure or easily identifiable channels. By embedding malicious activity within widely used platforms like Telegram, attackers are reducing friction and increasing stealth. For defenders, this raises an important challenge: security strategies must account not just for malicious code, but for how and where that code is delivered. In this case, the platform is familiar. The method is simple. And that is exactly what makes it effective.

Georgian Charged for Running Phishing Scam Targeting NBA, NFL Players, While in Federal Custody

17 March 2026, 08:25


A federal grand jury has indicted Kwamaine Jerell Ford, a Georgia man accused of running a phishing scam that targeted professional athletes in the NBA and NFL while he was in federal prison.

Prosecutors say the scheme allowed him to gain access to victims’ Apple accounts, steal financial information, and carry out fraudulent transactions.

According to the indictment, the alleged phishing scam involved impersonating both an adult film star and Apple customer support representatives to trick athletes into sharing their login credentials and multi-factor authentication codes. Authorities say the stolen information was then used to access accounts and make unauthorized purchases.

Federal prosecutors also allege that the scheme expanded beyond financial fraud and included coercion and sex trafficking activities involving a female victim. The case is currently being investigated by the Federal Bureau of Investigation (FBI), and Ford has pleaded not guilty to multiple federal charges.

Phishing Scam Allegedly Targeted Professional Athletes

According to federal prosecutors, Kwamaine Jerell Ford, a 34-year-old from Buford, Georgia, has been indicted for orchestrating a phishing scam that targeted professional athletes in the NBA and NFL. The indictment alleges that Ford used deceptive online tactics to gain access to victims’ Apple accounts. Authorities say the phishing scam relied on a two-step social engineering approach designed to trick athletes into sharing their login credentials. First, Ford allegedly created a fake online persona posing as a well-known adult film star. Through this account, he offered to send explicit videos to the targeted athletes. At the same time, he reportedly spoofed legitimate Apple customer support accounts and contacted victims through text messages. The messages asked the athletes to send their usernames, passwords, or multi-factor authentication codes so they could supposedly access the videos. According to investigators, dozens of victims fell for the phishing scam and unknowingly handed over their account credentials.

Access to Accounts Led to Financial Fraud

Once Ford gained access to the victims’ accounts, prosecutors say he obtained their stored credit and debit card information. The indictment alleges that he then used the stolen financial details for personal spending. Authorities believe the phishing scam enabled Ford to carry out thousands of dollars in unauthorized transactions. Investigators say the tactic relied heavily on impersonation and trust manipulation—methods that remain common in modern phishing scams. The case is particularly striking because Ford had previously been convicted of similar crimes. In 2019, in the Northern District of Georgia, he was convicted of computer fraud and aggravated identity theft after carrying out phishing attacks that allowed him to spend nearly $325,000 using stolen financial information belonging to athletes and celebrities. “While serving time for stealing credit card numbers from athletes and celebrities to fund his lifestyle, Ford allegedly engaged in the same conduct again,” said Theodore S. Hertzberg. “Disturbingly, the indictment alleges that Ford went even further and used a fraudulent online persona to traffic a young woman and coerce her to produce hidden camera videos of commercial sex acts with unknowing individuals.”

Allegations of Coercion and Sex Trafficking

Federal authorities say the case escalated beyond a financial phishing scam in 2021. According to the indictment, Ford allegedly used the same fraudulent persona to recruit and manipulate a woman into engaging in commercial sex acts with professional athletes. Prosecutors say Ford promised the victim that the fake film star would help advance her modeling career. Based on those claims, the woman allegedly traveled to meet athletes and participated in encounters arranged by Ford. Authorities say Ford coordinated travel, negotiated payments with the athletes, and took a financial cut from the encounters. Investigators also allege that Ford used additional fake personas to threaten the victim and pressure her into continuing the activity. Some encounters were allegedly filmed without the athletes’ knowledge or consent. FBI officials say the case demonstrates how online fraud schemes can expand into broader criminal activity. “Kwamaine Ford clearly did not learn from his prior conviction for a similar scheme. This time, he allegedly escalated his criminal activity—stealing identities and money while also moving into coercion and sex trafficking,” said Peter Ellis. “The FBI’s dedicated agents remain committed to staying ahead of schemes like this and protecting the public from individuals who exploit and harm others for personal gain.”

Charges and Ongoing Investigation

On March 13, 2026, Ford appeared in federal court and pleaded not guilty to multiple charges, including nine counts of wire fraud, seven counts of computer fraud, one count of access device fraud, four counts of aggravated identity theft, and one count of sex trafficking. A U.S. magistrate judge ordered that he remain in custody without bail while the case proceeds. As with all federal indictments, the charges represent allegations, and Ford is presumed innocent unless proven guilty in court. The investigation is being led by the Federal Bureau of Investigation, with Assistant U.S. Attorneys Bernita B. Malloy and Phyllis Clerk prosecuting the case.
  • ✇Krebs on Security
  • Who Operates the Badbox 2.0 Botnet? BrianKrebs

Who Operates the Badbox 2.0 Botnet?

January 26, 2026, 13:11

The cybercriminals in control of Kimwolf — a disruptive botnet that has infected more than 2 million devices — recently shared a screenshot indicating they’d compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

Our first story of 2026, The Kimwolf Botnet is Stalking Your Local Network, detailed the unique and highly invasive methods Kimwolf uses to spread. The story warned that the vast majority of Kimwolf infected systems were unofficial Android TV boxes that are typically marketed as a way to watch unlimited (pirated) movie and TV streaming services for a one-time fee.

Our January 8 story, Who Benefitted from the Aisuru and Kimwolf Botnets?, cited multiple sources saying the current administrators of Kimwolf went by the nicknames “Dort” and “Snow.” Earlier this month, a close former associate of Dort and Snow shared what they said was a screenshot the Kimwolf botmasters had taken while logged in to the Badbox 2.0 botnet control panel.

That screenshot, a portion of which is shown below, shows seven authorized users of the control panel, including one that doesn’t quite match the others: According to my source, the account “ABCD” (the one that is logged in and listed in the top right of the screenshot) belongs to Dort, who somehow figured out how to add their email address as a valid user of the Badbox 2.0 botnet.

The control panel for the Badbox 2.0 botnet lists seven authorized users and their email addresses.

Badbox has a storied history that well predates Kimwolf’s rise in October 2025. In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants accused of operating Badbox 2.0, which Google described as a botnet of over ten million unsanctioned Android streaming devices engaged in advertising fraud. Google said Badbox 2.0, in addition to compromising multiple types of devices prior to purchase, also can infect devices by requiring the download of malicious apps from unofficial marketplaces.

Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malware prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors — usually during the set-up process.

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024. The original Badbox was identified in 2023, and primarily consisted of Android operating system devices (TV boxes) that were compromised with backdoor malware prior to purchase.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet. That is, until we began digging into the history of the qq.com email addresses in the screenshot above.

CATHEAD

An online search for the address 34557257@qq.com (pictured in the screenshot above as the user “Chen”) shows it is listed as a point of contact for a number of China-based technology companies, including:

Beijing Hong Dake Wang Science & Technology Co Ltd.
Beijing Hengchuang Vision Mobile Media Technology Co. Ltd.
Moxin Beijing Science and Technology Co. Ltd.

The website for Beijing Hong Dake Wang Science is asmeisvip[.]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet. Ditto for moyix[.]com, a domain associated with Beijing Hengchuang Vision Mobile.

A search at the breach tracking service Constella Intelligence finds 34557257@qq.com at one point used the password “cdh76111.” Pivoting on that password in Constella shows it is known to have been used by just two other email accounts: daihaic@gmail.com and cathead@gmail.com.

Constella found cathead@gmail.com registered an account at jd.com (China’s largest online retailer) in 2021 under the name “陈代海,” which translates to “Chen Daihai.” According to DomainTools.com, the name Chen Daihai is present in the original registration records (2008) for moyix[.]com, along with the email address cathead@astrolink[.]cn.

Incidentally, astrolink[.]cn also is among the Badbox 2.0 domains identified in HUMAN Security’s 2025 report. DomainTools finds cathead@astrolink[.]cn was used to register more than a dozen domains, including vmud[.]net, yet another Badbox 2.0 domain tagged by HUMAN Security.

XAVIER

A cached copy of astrolink[.]cn preserved at archive.org shows the website belongs to a mobile app development company whose full name is Beijing Astrolink Wireless Digital Technology Co. Ltd. The archived website reveals a “Contact Us” page that lists a Chen Daihai as part of the company’s technology department. The other person featured on that contact page is Zhu Zhiyu, and their email address is listed as xavier@astrolink[.]cn.

A Google-translated version of Astrolink’s website, circa 2009. Image: archive.org.

Astute readers will notice that the user Mr.Zhu in the Badbox 2.0 panel used the email address xavierzhu@qq.com. Searching this address in Constella reveals a jd.com account registered in the name of Zhu Zhiyu. A rather unique password used by this account matches the password used by the address xavierzhu@gmail.com, which DomainTools finds was the original registrant of astrolink[.]cn.

ADMIN

The very first account listed in the Badbox 2.0 panel — “admin,” registered in November 2020 — used the email address 189308024@qq.com. DomainTools shows this email is found in the 2022 registration records for the domain guilincloud[.]cn, which includes the registrant name “Huang Guilin.”

Constella finds 189308024@qq.com is associated with the China phone number 18681627767. The open-source intelligence platform osint.industries reveals this phone number is connected to a Microsoft profile created in 2014 under the name Guilin Huang (桂林 黄). The cyber intelligence platform Spycloud says that phone number was used in 2017 to create an account at the Chinese social media platform Weibo under the username “h_guilin.”

The public information attached to Guilin Huang’s Microsoft account, according to the breach tracking service osintindustries.com.

The remaining three users and corresponding qq.com email addresses were all connected to individuals in China. However, none of them (nor Mr. Huang) had any apparent connection to the entities created and operated by Chen Daihai and Zhu Zhiyu — or to any corporate entities for that matter. Also, none of these individuals responded to requests for comment.

The mind map below includes search pivots on the email addresses, company names and phone numbers that suggest a connection between Chen Daihai, Zhu Zhiyu, and Badbox 2.0.

This mind map includes search pivots on the email addresses, company names and phone numbers that appear to connect Chen Daihai and Zhu Zhiyu to Badbox 2.0.

UNAUTHORIZED ACCESS

The idea that the Kimwolf botmasters could have direct access to the Badbox 2.0 botnet is a big deal, but explaining exactly why that is requires some background on how Kimwolf spreads to new devices. The botmasters figured out they could trick residential proxy services into relaying malicious commands to vulnerable devices behind the firewall on the unsuspecting user’s local network.

The vulnerable systems sought out by Kimwolf are primarily Internet of Things (IoT) devices like unsanctioned Android TV boxes and digital photo frames that have no discernible security or authentication built-in. Put simply, if you can communicate with these devices, you can compromise them with a single command.

Our January 2 story featured research from the proxy-tracking firm Synthient, which alerted 11 different residential proxy providers that their proxy endpoints were vulnerable to being abused for this kind of local network probing and exploitation.

Most of those vulnerable proxy providers have since taken steps to prevent customers from going upstream into the local networks of residential proxy endpoints, and it appeared that Kimwolf would no longer be able to quickly spread to millions of devices simply by exploiting some residential proxy provider.
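The fix the proxy providers adopted amounts to an egress filter on the residential exit node. The following is an added example written for this page, not code from the article or from any proxy provider: it models an exit node that receives the destination of each proxied connection, together with every address that destination resolved to, and refuses to relay anything that lands in a private, loopback, link-local, carrier-grade NAT or the node's own LAN range. The LAN prefix, the sample requests and the `relay_decision` function are constructed for the illustration.

```python
"""Egress filter for a residential proxy exit node.

Added illustration, not code from the article or from any proxy
provider. It assumes a simple model: the exit node receives a
destination host and port for each proxied connection and must decide
whether to relay it. Destinations that resolve into the exit node's
own local network are refused, which is the kind of mitigation the
article says most affected providers adopted.
"""
import ipaddress
from typing import Iterable

# Constructed view of the exit host's own LAN; a real node would read its
# interface configuration instead of a constant.
EXIT_NODE_LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Ranges that should never be reachable through a residential exit node,
# regardless of which LAN the node happens to sit on.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]


def is_local_destination(ip_str: str) -> bool:
    """True if the address lies in a blocked range or the node's own LAN."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparseable address: fail closed
    # IPv4-mapped IPv6 (::ffff:192.168.1.1) must be judged as the IPv4 it wraps,
    # otherwise the IPv4 block list is trivially bypassed.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS + EXIT_NODE_LOCAL_NETS)


def relay_decision(host: str, port: int, resolved: Iterable[str]) -> str:
    """Decide whether to relay one proxied connection.

    `resolved` is every address the hostname resolved to, supplied by the
    caller so this stays offline. Checking all of them (not just the first)
    closes the gap where a name resolves to both a public and a private
    address and the client retries until the private one is used.
    """
    addrs = list(resolved)
    if not addrs:
        return "deny: unresolvable"
    bad = [a for a in addrs if is_local_destination(a)]
    if bad:
        return f"deny: {host}:{port} resolves into a local range ({bad[0]})"
    return f"allow: {host}:{port}"


# Constructed sample requests as (host, port, resolved addresses).
SAMPLE_REQUESTS = [
    ("example.com", 443, ["93.184.216.34"]),
    ("192.168.1.20", 80, ["192.168.1.20"]),            # device on the exit node's LAN
    ("split.test", 80, ["203.0.113.9", "10.0.0.5"]),    # mixed public/private answer
    ("mapped.test", 80, ["::ffff:192.168.1.1"]),        # IPv4-mapped IPv6 form
]


def run_samples() -> list:
    """Apply the filter to the constructed requests and return the decisions."""
    return [relay_decision(h, p, r) for h, p, r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The design choice worth noting is that the filter judges the resolved addresses, not the hostname: a hostname check alone is defeated by a name that resolves into the exit node's LAN, and a check of only the first answer is defeated by a split answer.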

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

“Dort has gotten unauthorized access,” the source said. “So, what happened is normal proxy providers patched this. But Badbox doesn’t sell proxies by itself, so it’s not patched. And as long as Dort has access to Badbox, they would be able to load” the Kimwolf malware directly onto TV boxes associated with Badbox 2.0.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel. But it’s unlikely that Dort’s existing account will persist for much longer: All of our notifications to the qq.com email addresses listed in the control panel screenshot received a copy of that image, as well as questions about the apparently rogue ABCD account.

  • ✇Krebs on Security
  • Is Your Android TV Streaming Box Part of a Botnet? BrianKrebs

Is Your Android TV Streaming Box Part of a Botnet?

November 24, 2025, 15:44

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.

Superbox media streaming boxes for sale on Walmart.com.

Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees — for a one-time payment of nearly $400.

“Tired of confusing cable bills and hidden fees?,” Superbox’s website asks in a recent blog post titled, “Cheap Cable TV for Low Income: Watch TV, No Monthly Bills.”

“Real cheap cable TV for low income solutions does exist,” the blog continues. “This guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.”

Superbox claims that watching a stream of movies, TV shows, and sporting events won’t violate U.S. copyright law.

“SuperBox is just like any other Android TV box on the market, we can not control what software customers will use,” the company’s website maintains. “And you won’t encounter a law issue unless uploading, downloading, or broadcasting content to a large group.”

A blog post from the Superbox website.

There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content at providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content.

Superbox’s homepage includes a prominent message stating the company does “not sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.” The company explains that they merely provide the hardware, while customers choose which apps to install.

“We only sell the hardware device,” the notice states. “Customers must use official apps and licensed services; unauthorized use may violate copyright law.”

Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Google’s official Play store and replacing it with something called the “App Store” or “Blue TV Store.”

Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Google’s app ecosystem).

Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.

Ashley is a senior solutions engineer at Censys, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story.

In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy.

“I’m sure a lot of people are thinking, ‘Hey, how bad could it be if it’s for sale at the big box stores?’” she said. “But the more I looked, things got weirder and weirder.”

Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.

GET GRASSED

Also known as getgrass[.]io, Grass says it is “a decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.”

“Buyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,” the Grass website explains. “By utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.” 

Reached via Twitter/X, Grass founder Andrej Radonjic told KrebsOnSecurity he’d never heard of a Superbox, and that Grass has no affiliation with the device maker.

“It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,” Radonjic said. “The point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people’s bandwidth to help webscraping companies.”

Radonjic said Grass has implemented “a robust system to identify network abusers,” and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.

Superbox’s parent company, Super Media Technology Company Ltd., lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.

According to this teardown by behindmlm.com, a blog that covers multi-level marketing (MLM) schemes, Grass’s compensation plan is built around “grass points,” which are earned through the use of the Grass app and through app usage by recruited affiliates. Affiliates can earn 5,000 grass points for clocking 100 hours usage of Grass’s app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or “Titan” tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates.

Radonjic said Grass’s system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and/or by inviting other users to participate.

“Users are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,” Radonjic said. “Grass is in the process of phasing out the referral program and has introduced an updated Grass Points model.”

A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grass’s parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network. By March 2024, the owner was listed as Lower Tribeca Corp. in the Bahamas. By August 2024, Grass was controlled by Half Space Labs Limited, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd. Currently, the Grass website says its parent is just Grass OpCo Ltd (no BVI in the name).

Radonjic acknowledged that Grass has undergone “a handful of corporate clean-ups over the last couple of years,” but described them as administrative changes that had no operational impact. “These reflect normal early-stage restructuring as the project moved from initial development…into the current structure under the Grass Foundation,” he said.

UNBOXING

Censys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined. She also discovered the streaming boxes included powerful network analysis and remote access tools, such as Tcpdump and Netcat.

“This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,” she said. “I have root on all of them now, and they actually have a folder called ‘secondstage.’ These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.”

A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.

“Newegg is pretty bad now with these devices,” Ashley said. “Ebay is the funniest, because they have Superbox in Spanish — the SuperCaja — which is very popular.”

Superbox devices for sale via Newegg.com.

Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title “modem and router combo” (which may be slightly closer to the truth about the device’s behavior).

Superbox doesn’t advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on places like Youtube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.

“It’s weird to me because influencer marketing usually caps compensation at 15 percent, and it means they don’t care about the money,” she said. “This is about building their network.”

A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.

BADBOX

As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with “free” streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the user’s Internet address in advertising fraud.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.

Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites. For example, searching for the “X88Pro 10” and the “T95” Android streaming boxes finds both continue to be peddled by Amazon sellers.

Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.

“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI said.

The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024. The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.

Riley Kilmer is founder of Spur, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy provider sanctioned last year by the U.S. Department of the Treasury for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice also arrested the alleged owner of 911S5).

How are most IPidea customers using the proxy service? According to the proxy detection service Synthient, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).

Kilmer said companies like Grass are probably being truthful when they say that some of their customers are companies performing web scraping to train artificial intelligence efforts, because a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. By routing this unwelcome traffic through residential IP addresses, Kilmer said, content scraping firms can make it far trickier to filter out.

“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer told KrebsOnSecurity. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”

SOME FRIENDLY ADVICE

Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize they’re spending as much or more on streaming services than they previously paid for cable or satellite TV.

These streaming devices from no-name technology vendors are another example of the maxim, “If something is free, you are the product,” meaning the company is making money by selling access to and/or information about its users and their data.

Superbox owners might counter, “Free? I paid $400 for that device!” But remember: Just because you paid a lot for something doesn’t mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.

It may be that many Superbox customers don’t care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain they’re making when they plug them into an Internet router.

Superbox performs some serious linguistic gymnastics to claim its products don’t violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If you’re a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and can incur legal action, fines, and potential warnings and/or suspension of service by your Internet service provider.

According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:

- The presence of suspicious marketplaces where apps are downloaded.
- Requiring Google Play Protect settings to be disabled.
- Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- IoT devices advertised from unrecognizable brands.
- Android devices that are not Play Protect certified.
- Unexplained or suspicious Internet traffic.

This explainer from the Electronic Frontier Foundation delves a bit deeper into each of the potential symptoms listed above.

  • ✇Krebs on Security
  • Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody BrianKrebs

Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody

November 2, 2025, 17:37

A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned.

Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”

Image: lockedup dot wtf.

The Jabber Zeus name is derived from the malware they used — a custom version of the ZeuS banking trojan — that stole banking login credentials and would send the group a Jabber instant message each time a new victim entered a one-time passcode at a financial institution website. The gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently intercept any data that victims submit in a web-based form.

Once inside a victim company’s accounts, the Jabber Zeus crew would modify the firm’s payroll to add dozens of “money mules,” people recruited through elaborate work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfers to other mules in Ukraine and the United Kingdom.

The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.

Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.

According to the mugshot website lockedup[.]wtf, Rybtsov arrived in Nebraska on October 9, and was being held under an arrest warrant from the U.S. Federal Bureau of Investigation (FBI).

The data breach tracking service Constella Intelligence found breached records from the business profiling site bvdinfo[.]com showing that a 41-year-old Yuriy Igorevich Rybtsov worked in a building at 59 Barnaulska St. in Donetsk. Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.

Vyacheslav “Tank” Penchukov, seen here performing as “DJ Slava Rich” in Ukraine, in an undated photo from social media.

Penchukov was arrested in 2022 while traveling to meet his wife in Switzerland. Last year, a federal court in Nebraska sentenced Penchukov to 18 years in prison and ordered him to pay more than $73 million in restitution.

Lawrence Baldwin is founder of myNetWatchman, a threat intelligence company based in Georgia that began tracking and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained access to the Jabber chat server used by the Ukrainian hackers, allowing Baldwin to eavesdrop on the daily conversations between MrICQ and other Jabber Zeus members.

Baldwin shared those real-time chat records with multiple state and federal law enforcement agencies, and with this reporter. Between 2010 and 2013, I spent several hours each day alerting small businesses across the country that their payroll accounts were about to be drained by these cybercriminals.

Those notifications, and Baldwin’s tireless efforts, saved countless would-be victims a great deal of money. In most cases, however, we were already too late. Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and seven-figure financial losses.

Baldwin said the Jabber Zeus crew was far ahead of its peers in several respects. For starters, their intercepted chats showed they worked to create a highly customized botnet directly with the author of the original Zeus Trojan — Evgeniy Mikhailovich Bogachev, a Russian man who has long been on the FBI’s “Most Wanted” list. The feds have a standing $3 million reward for information leading to Bogachev’s arrest.

Evgeniy M. Bogachev, in undated photos.

The core innovation of Jabber Zeus was an alert that MrICQ would receive each time a new victim entered a one-time password code into a phishing page mimicking their financial institution. The gang’s internal name for this component was “Leprechaun” (the video below from myNetWatchman shows it in action). Jabber Zeus would actually re-write the HTML code as displayed in the victim’s browser, allowing them to intercept any passcodes sent by the victim’s bank for multi-factor authentication.

“These guys had compromised such a large number of victims that they were getting buried in a tsunami of stolen banking credentials,” Baldwin told KrebsOnSecurity. “But the whole point of Leprechaun was to isolate the highest-value credentials — the commercial bank accounts with two-factor authentication turned on. They knew these were far juicier targets because they clearly had a lot more money to protect.”

Baldwin said the Jabber Zeus trojan also included a custom “backconnect” component that allowed the hackers to relay their bank account takeovers through the victim’s own infected PC.

“The Jabber Zeus crew were literally connecting to the victim’s bank account from the victim’s IP address, or from the remote control function and by fully emulating the device,” he said. “That trojan was like a hot knife through butter of what everyone thought was state-of-the-art secure online banking at the time.”

Although the Jabber Zeus crew was in direct contact with the Zeus author, the chats intercepted by myNetWatchman show Bogachev frequently ignored the group’s pleas for help. The government says the real leader of the Jabber Zeus crew was Maksim Yakubets, a 38-year-old Ukrainian man with Russian citizenship who went by the hacker handle “Aqua.”

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI

The Jabber chats intercepted by Baldwin show that Aqua interacted almost daily with MrICQ, Tank and other members of the hacking team, often facilitating the group’s money mule and cashout activities remotely from Russia.

The government says Yakubets/Aqua would later emerge as the leader of an elite cybercrime ring of at least 17 hackers that referred to themselves internally as “Evil Corp.” Members of Evil Corp developed and used the Dridex (a.k.a. Bugat) trojan, which helped them siphon more than $100 million from hundreds of victim companies in the United States and Europe.

This 2019 story about the government’s $5 million bounty for information leading to Yakubets’s arrest includes excerpts of conversations between Aqua, Tank, Bogachev and other Jabber Zeus crew members discussing stories I’d written about their victims. Both Baldwin and I were interviewed at length for a new weekly six-part podcast by the BBC that delves deep into the history of Evil Corp. Episode One focuses on the evolution of Zeus, while the second episode centers on an investigation into the group by former FBI agent Jim Craig.

Image: https://www.bbc.co.uk/programmes/w3ct89y8
