Google Sues 25 in China Over Alleged BadBox 2.0 Botnet Operation

Google accuses 25 people in China of operating an extensive botnet that targets connected consumer devices.

IoT devices at the core of massive botnet

Google has filed a civil lawsuit against 25 unnamed individuals in China who allegedly operated the notorious BadBox 2.0 botnet that has hijacked over 10 million smart devices worldwide. Affected devices included Android-powered streaming boxes, projectors, tablets, and car infotainment systems, many of them inexpensive and shipped with little to no vetting.

The tech giant is asking the court to approve measures that would allow it to disrupt the botnet’s infrastructure, including sinkholing domains used to control infected devices. In a public statement, Google emphasized that the suit aims to thwart the operation’s ability to scale and to protect its business and users from further abuse.

Largest known CTV botnet to date

BadBox 2.0 is among the most notable examples of how smart devices can be silently co-opted into botnets without their owners even noticing. Court documents even describe it as the largest botnet of connected TVs ever discovered.

Investigators found malware loaded onto devices before they were sold, a tactic often used to bypass user interaction and blend malicious activity into normal traffic patterns. Infected devices were weaponized in various ways, such as displaying hidden ads, routing fraudulent traffic or harvesting sensitive user data.

The proliferation of smart devices has brought a significant downside, as attackers increasingly target embedded devices that lack robust built-in security or timely updates, zombifying and adding them to botnets.

Coordinated cybercrime syndicate behind the operation

Google’s filing spotlighted a complex criminal structure behind the BadBox operation, one that involves separate groups managing command servers, distributing fraudulent apps designed to mimic legitimate services and propagating malware.

The cybercrime syndicate is described as tightly woven, with shared infrastructure and monetization techniques that rely on mass coordination.

Some of the compromised devices exploited gaps in supply chain security, a recurring issue in the ever-expanding IoT attack surface. Since these devices are often shipped to buyers without clear oversight or post-sale updates, the risks extend far beyond any single platform or vendor.

Legal tools against a technical threat

Although none of the alleged operators are expected to face trial in the US, legal control of the botnet’s infrastructure could still seriously disrupt operations. Google has previously worked with cybersecurity researchers and nonprofit organizations to track and report the threat, and the lawsuit represents a formal step toward containing it.

For consumers, layered network defenses remain critical. Security solutions like NETGEAR Armor offer protection at the router level, where compromised IoT devices typically connect. Still, experts continue to urge vigilance and a hybrid approach combining dedicated solutions with regular security audits to reduce exposure to such threats.