Botnet of more than 17 million devices dismantled in coordinated international operation

In an international operation involving Europol, the FBI and 12 national law-enforcement bodies, the massive botnet called BadBox 3.0, comprising more than 17 million Android-based devices, has been dismantled. According to Ars Technica security reporter Dan Goodin, the operation was completed on 28 May and was conducted under the codename 'Operation MORPHEUS'.
BadBox 3.0 is a renewed variant of the earlier BadBox and BadBox 2.0 versions. Its main targets are cheap Android TV boxes, tablets and smart projectors, particularly 'fake brand' products imported cheaply from China. The devices shipped with malware embedded in the factory firmware at the manufacturer level and connected to C2 (command-and-control) servers immediately after user setup.
The botnet's primary functions were: (1) ad fraud — generating fake clicks and impressions; (2) residential proxy service — renting the devices' internet connections so that other criminals could hide their IP addresses; (3) account theft — unauthorised access attempts on bank, social media and e-commerce accounts. According to Europol's report, the botnet generated approximately $3.2 billion in fraudulent traffic over the past 18 months.
FBI Cyber Division deputy assistant director Joshua Skule said in a statement, 'The BadBox 3.0 operation proves that international cooperation is our most effective weapon against malicious software. It is essential that device manufacturers pay attention to supply-chain security.' Europol director Catherine De Bolle said, 'Law-enforcement bodies from Germany, France, the Netherlands, Poland, Romania, Spain, Italy, the United Kingdom, Australia, Japan and South Korea took active roles in the operation.'
The operation seized 41 C2 servers controlling BadBox 3.0 and neutralised the botnet through DNS sinkholing. Digital forensic analysis is continuing at the coordination centre hosted at the Hessen unit of the German Federal Police.
Cybersecurity firm Human Security's threat research group Satori Threat Intelligence Team discovered BadBox 3.0 at the end of 2024. Human Security CEO Tamer Hassan said in a statement, 'Our three years of research on BadBox formed the foundation of the operation's success. The supply-chain compromise nature of this botnet shows a different threat model from traditional user-negligence-sourced infection vectors.'
A spokesperson from Google's Android Security team said in a statement, 'Most of the devices affected by BadBox 3.0 were running Android versions not certified by Google Play Protect. Consumers are advised to purchase only Google-certified devices and to apply regular security updates.' Cisco's Talos security research group updated enterprise protection guidance against BadBox 3.0.
The US Federal Trade Commission (FTC) issued a consumer advisory and shared a list of fake Android devices priced under $50 that are available on e-commerce platforms such as Amazon, eBay and Walmart. Andrew Ferguson, successor to Commissioner Lina Khan, said in a statement, 'We call on consumers to be cautious when purchasing cheap devices; we are preparing a new regulatory framework on supply-chain security audits.'
In Turkey, the Information and Communications Technologies Authority (BTK) issued a user advisory about BadBox 3.0. BTK Deputy Chair Dr. Omer Abdullah Karagozoglu said, 'Among the devices affected by BadBox 3.0 may be cheap Android TV box models entering Turkey; it is important that users prefer certified devices.' BTK also announced a plan to strengthen customs scrutiny of such fake Android devices entering Turkey.
The BadBox 3.0 operation marks a milestone in international cybercrime investigations. The forensic data obtained after the operation will help clarify the structure of the global cybercrime ecosystem. Europol said that intelligence gained from the BadBox 3.0 operation would also contribute to the dismantling of other botnets and fraud networks. Consumers are advised to be cautious when buying cheap Android devices, to apply regular security updates and to prefer Google Play Protect-certified devices. This article is not a substitute for individual cybersecurity advice; in cases of serious suspicion, information security professionals should be consulted.