The FBI recently raised concerns about a large-scale cybercrime network that has quietly taken control of millions of smart gadgets used in homes across the United States. This cyber threat, known as BADBOX 2.0, targets everyday devices such as TV streaming boxes, digital projectors, tablets, and even entertainment systems in cars.
What is BADBOX 2.0?
Unlike common malware that slows down or damages devices, BADBOX 2.0 silently turns these gadgets into part of a hidden network called a residential proxy network. This setup allows cybercriminals to use the victim's internet connection to carry out illegal activities, including online advertising fraud and data theft, without the device owner realizing anything is wrong.
Which Devices Are at Risk?
According to the FBI, the types of devices most affected include:
1. TV streaming boxes
2. Digital projectors
3. Aftermarket car infotainment systems
4. Digital photo frames
Many of these products are imported, often sold under unfamiliar or generic brand names. Some specific models involved in these infections belong to device families known as TV98 and X96, which are still available for purchase on popular online shopping platforms.
How Does the Infection Spread?
There are two main ways these devices become part of the BADBOX 2.0 network:
Pre-installed Malware: Some gadgets are already infected before they are even sold. This happens when malicious software is added during the manufacturing or shipping process.
Dangerous App Downloads: When setting up these devices, users are sometimes directed to install apps from unofficial sources. These apps can secretly install harmful software that gives hackers remote access.
This method shows how BADBOX 2.0 has advanced from its earlier version, which focused mainly on malware hidden deep within the device's firmware.
Signs Your Device May Be Infected
Users should watch for warning signs such as:
• The device asks to disable security protections like Google Play Protect.
• The brand is unfamiliar or seems generic.
• The device promises free access to paid content.
• You are prompted to download apps from unknown stores.
• Unusual or unexplained internet activity appears on your home network.
How to Stay Safe
The FBI recommends several steps to protect your home network:
1. Only use trusted app stores, like Google Play or Apple’s App Store.
2. Be cautious with low-cost, no-name devices. Extremely cheap gadgets are often risky.
3. Monitor your network regularly for unfamiliar devices or strange internet traffic.
4. Keep devices updated by installing the latest security patches and software updates.
5. If you believe one of your devices may be compromised, it is best to disconnect it immediately from your network and report the issue to the FBI through their official site at www.ic3.gov.
Be Careful with Cheap Deals
As experts warn, extremely low prices can sometimes hide dangerous risks. If something seems unusually cheap, it could come with hidden cyber threats.
The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.
The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.
How the Play Ransomware Works
Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.
The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.
Connections to Other Threat Groups
Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.
In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.
Key Steps to Protect Your Organization
The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:
1. Create backup copies of important data and store them in secure, separate locations.
2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.
3. Enable multi-factor authentication to add extra security to all accounts.
4. Limit the use of admin accounts and require special permissions to install new software.
5. Keep all systems and software up to date by applying security patches and updates promptly.
6. Separate networks to limit how far a ransomware attack can spread.
7. Turn off unused system ports and disable clickable links in all incoming emails.
8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.
Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.
Recently, a mysterious leaker exposed leaders behind Trickbot and Conti ransomware, hacking groups that are known for some of the biggest extortions in recent times.
The Register contacted an anonymous individual known by the alias GangExposed, who is on a personal mission to “fight against an organized society of criminals known worldwide.” GangExposed takes pleasure in thinking he can rid society of at least some of the cybercriminals. “I simply enjoy solving the most complex cases,” he said.
One of the criminals doxxed is Stern, the mastermind of Conti ransomware operations and TrickBot. GangExposed claims Stern is Vitaly Nikolaevich. CySecurity reported on this case recently.
After doxxing Stern, GangExposed went after another important criminal, known as Professor, a 39-year-old Russian named Vladimir Viktorovich Kvitko who lives in Dubai. Apart from exposing important individuals, GangExposed also leaked videos, ransom negotiations, and chat logs.
The leaker said it was not an “IT guy”; it just observed patterns that other people missed.
"My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don't even notice," the leaker said.
"I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than most of my investigations' subjects."
To expose the identities of infamous threat actors, GangExposed used information obtained via “semi-closed databases, darknet services,” and through purchases. It has “access to the leaked FSB border control database.” GangExposed claims it purchased the database from the dark web for $250,000.
GangExposed could have gotten at least $10 million in bounty from the FBI if it wanted to, but it has decided not to demand money. This suggests the leaker may be a resentful former member looking for revenge, while some experts think taking the bounty would make the leaker a criminal as well.
CySecurity had earlier reported on this incident. You can read the full story about the international crackdown on cybercrime gangs here.
International police action has shut down AVCheck, an anti-virus scanning website used by threat actors to check whether their malware was detected by mainstream antivirus before using it in the attacks. The official domain “avcheck.net” now shows a seizure banner with the logos of the U.S. Secret Service, the U.S. Department of Justice, the FBI, and the Dutch Police (Politie).
According to the announcement, AVCheck was a globally known counter antivirus (CAV) website that enabled hackers to check the effectiveness of their malware. Politie’s Matthijs Jaspers said, “Taking the AVCheck service offline marks an important step in tackling organized cybercrime." Through the collaborative effort, the agencies said, they have disrupted “cybercriminals as early as possible in their operations and prevent victims."
The officials also discovered evidence linking AVCheck’s administrators to the crypting services Cryptor.biz (seized) and Crypt.guru (currently offline). Crypting services allow threat actors to hide their payloads from antivirus, blending them in the ecosystem. Hackers use a crypting service to hide their malware, check it on AVCheck or other CAV services to see if it is detected, and finally launch it against their targets.
Before the shutdown of AVCheck, the police made a fake login page warning users of the legal risks when they log in to such sites. The FBI said that “cybercriminals don't just create malware; they perfect it for maximum destruction.” Special Agent Douglas Williams said threat actors leverage antivirus services to “refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems."
The undercover agents exposed the illegal nature of AVCheck and its links to ransomware attacks against the U.S. by purchasing these services as clients. According to the U.S. DoJ, in the “affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime.”
The crackdown was part of Operation Endgame, a joint international law enforcement action that captured 300 servers and 650 domains used in assisting ransomware attacks. Earlier, the operation cracked down on the infamous Danabot and Smokeloader malware operations.
A major criminal network operating on the dark web has been disrupted in a large international operation led by the FBI. Over 270 individuals have been arrested for their involvement in the online trade of dangerous illegal drugs such as fentanyl, meth, and cocaine. This operation involved law enforcement teams from the United States, Europe, South America, and Asia.
What is the dark web?
The dark web is a hidden part of the internet that isn’t available through standard search engines or browsers. It requires special tools to access and is often used to hide users’ identities. While it can offer privacy to those in danger or under surveillance, it is also known for being a place where criminals carry out illegal activities — from drug dealing to selling stolen data and weapons.
What was Operation RapTor?
The FBI’s mission, called Operation RapTor, focused on stopping the sale of illegal drugs through online black markets. Authorities arrested hundreds of people connected to these sites — not just the sellers, but also the buyers, website managers, and people who handled the money.
One of the most alarming parts of this case was the amount of fentanyl recovered. Authorities seized more than 317 pounds of it. According to FBI estimates, just 2 pounds of fentanyl could potentially kill about 500,000 people. This shows how serious the danger was.
Why this matters
These drug sellers operated from behind screens, often believing they were untouchable because of the privacy the dark web provides. But investigators were able to find out who they were and stop them from doing more harm. According to FBI leaders, these criminals contributed to drug addiction and violence in many communities across the country.
Aaron Pinder, a key official in the FBI’s cybercrime unit, said the agency has improved at identifying people hiding behind dark web marketplaces. Whether someone is managing the site, selling drugs, moving money, or simply buying drugs, the FBI is now better equipped to track them down.
What’s next?
While this operation won’t shut down the dark web completely, it will definitely make a difference. Removing major players from the drug trade can slow down their operations and make it harder for others to take their place — at least for now.
This is a strong reminder that the dark web, no matter how hidden, is not out of reach for law enforcement. And efforts like these could help save many lives by cutting off the supply of deadly drugs.
The CISA, NSA, and FBI teamed with cybersecurity agencies from the UK, Australia, and New Zealand to make a best-practices policy for safe AI development. The principles laid down in this document offer a strong foundation for protecting AI data and securing the reliability and accuracy of AI-driven outcomes.
The advisory comes at a crucial point, as many businesses rush to integrate AI into their workplace, which can be risky. Governments in the West have become cautious as they believe that China, Russia, and other actors will find means to abuse AI vulnerabilities in unexpected ways.
The risks are increasing swiftly as critical infrastructure operators build AI into operational technology that controls important parts of daily life, from scheduling meetings to paying bills to doing your taxes.
From foundational elements of AI to data consulting, the document outlines ways to protect your data at different stages of the AI life cycle, such as planning, data collection, model development, deployment and operations.
It calls for digital signatures that verify modifications, secure infrastructure that prevents suspicious access, and ongoing risk assessments that can track emerging threats.
The document addresses ways to prevent data quality issues, whether intentional or accidental, from compromising the reliability and safety of AI models.
Cryptographic hashes make sure that raw data is not changed once it is incorporated into a model, according to the document, and frequent curation can cancel out problems with data sets available on the web. The document also advises the use of anomaly detection algorithms that can eliminate “malicious or suspicious data points before training."
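The hash and signature checks described above can be combined into a dataset manifest that is verified before every training run. This is an added example, not code from the joint guidance; the function names, file names and key are hypothetical, and HMAC-SHA256 stands in for a digital signature so the example needs only the Python standard library.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def build_manifest(data_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {
        p.relative_to(data_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }

def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON. Stand-in for a real digital signature
    (e.g. Ed25519), chosen only because it needs no third-party library."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_dataset(data_dir: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest's tag first, then compare files on disk against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest tag mismatch: the manifest itself was altered")
    current = build_manifest(data_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }

def demo() -> dict:
    """Constructed sample data: record a dataset, change it, then verify."""
    key = b"constructed-demo-key"  # assumption: real keys are held in a KMS/HSM
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "train.csv").write_bytes(b"text,label\nhello,0\nfree money,1\n")
        (root / "eval.csv").write_bytes(b"text,label\nhi there,0\n")
        manifest = build_manifest(root)      # taken at ingestion time
        tag = sign_manifest(manifest, key)
        # Simulated changes between ingestion and training:
        (root / "train.csv").write_bytes(b"text,label\nhello,0\nfree money,0\n")
        (root / "extra.csv").write_bytes(b"text,label\nbuy now,0\n")
        (root / "eval.csv").unlink()
        return verify_dataset(root, manifest, tag, key)

if __name__ == "__main__":
    print(demo())
```

A training pipeline would refuse to start unless all three lists are empty, and would treat a tag mismatch as tampering with the manifest rather than with the data.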
The joint guidance also highlights issues such as incorrect information, duplicate records and “data drift”, statistical bias, a natural limitation in the characteristics of the input data.