HUMAN, FBI, and Partners Take Action Against BADBOX 2.0

On June 5th, 2025, the Federal Bureau of Investigation issued Public Service Announcement I-060525, detailing how cybercriminals are exploiting compromised Internet-of-Things devices to expand the BADBOX 2.0 botnet and residential-proxy infrastructure. 

The goal of this announcement is consumer education: if you buy one of these bargain devices, you may be handing criminals the keys to your home network. You wouldn’t help someone rob a store—are you willing to let bad actors steal bandwidth, launder traffic, and commit fraud in your name? 

HUMAN is honored to have contributed intelligence to this alert alongside Google, Trend Micro, and the Shadowserver Foundation, further validating the findings our Satori Threat Intelligence & Research Team published in March 2025.

Collaboration is the decisive advantage in modern cyber defense. From the first indicators uncovered in our labs, we worked shoulder-to-shoulder with platform operators, cloud providers, and law enforcement partners, sharing data in real time and coordinating disruption actions. Google’s enforcement across Google Play Protect has already blocked malicious apps and cut off monetization avenues for the actors behind BADBOX 2.0 .

I also want to extend a special thank you to The Shadowserver Foundation for sinkholing key BADBOX 2.0 command-and-control domains. As a result of their swift action, over a million infected devices now beacon to Shadowserver-managed infrastructure instead of criminal servers, stripping the threat actor of a substantial portion of its botnet.  A live view of that global neutralization is available on Shadowserver’s public dashboard.

This investigation is very much ongoing. The adversaries responsible for BADBOX 2.0 have shown they will iterate quickly, shifting infrastructure and re-seeding supply chains when pressured. HUMAN researchers will continue to hunt for new variants, share indicators with the FBI and our industry peers, and deploy fresh detections across the Human Defense Platform to protect customers worldwide.

In the meantime, we urge manufacturers, retailers, and consumers to follow the mitigation guidance in the FBI PSA: purchase devices from reputable vendors, keep firmware up to date, monitor network traffic for anomalies, and avoid unofficial app stores. If you suspect a device on your network is compromised, disconnect it immediately and file a report at ic3.gov.

I want to personally thank every partner who leaned in—especially our colleagues at Google—for the openness, speed, and determination that made this collective defense possible. Together we are raising the cost of fraud and making the internet safer for everyone.

— Gavin Reid, Chief Information Security Officer, HUMAN Security