Technology · Jun 22, 2026

Factory Backdoor: Up to 500 Million Home Devices Turn into Weapons for DDoS Attacks

The Wall Street Journal purchased five cheap home devices—two digital frames from Amazon and three streaming boxes from Walmart—and powered them on in a controlled environment: all five were found to be already connected to criminal residential proxy networks. Without any user intervention, the devices generated traffic to gambling, pornography, and cryptocurrency sites, and attempted to access journalists' Outlook and Gmail accounts.

The hostile software opens what analysts describe as a backdoor to the home connection: anyone, remotely, can browse the internet using the unaware owner's home IP address, which thus becomes the apparent responsible party for any illegal activity. This is not a vulnerability introduced after purchase; the code is pre-installed in the factory firmware and cannot be removed with subsequent updates. Additionally, devices lacking Android TV Play Protect certification remain out of reach of Google’s anti-malware countermeasures.

The FBI had already issued two formal alerts in previous months: in January, it identified streaming boxes and frames of Chinese manufacture as primary vectors for the BADBOX 2.0 botnet, while in March, with the PSA Alert I-031226-PSA, it warned that most compromised devices are produced in China.

A Business Model Built on Home IP

The mechanism exploits SDKs pre-integrated into the base firmware. Manufacturers are paid to include the software, which, upon first power-on, contacts a first-level server, obtains second-level nodes, and starts routing third-party traffic through the home connection. To verify the nature of the behavior, researchers isolated the devices in a Faraday cage: even shielded, they actively launched DDoS attacks and attempted to access hardware controls, indicating hostile activity rather than a mere passive data leak.
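Seen from the home router, the behaviour described above (one coordination contact at first power-on, then strangers' traffic relayed to many unrelated hosts) is a fan-out no photo frame or streaming box needs. The following heuristic is an added example, not code from the WSJ investigation or any vendor: it flags a device that contacts more than a small number of distinct external hosts within minutes of joining the LAN. The LAN prefix and the flow records are constructed (RFC 5737 test addresses).

```python
"""Flag home devices whose early egress looks like a residential-proxy client.

Added example. Firmware that phones a coordination server, fetches relay
nodes and then carries third-party traffic shows up as a burst of distinct
external destinations shortly after the device joins the network.
All addresses are constructed (RFC 5737); the LAN prefix is an assumption.
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN prefix
WINDOW_S = 600                                  # first 10 minutes after joining
MAX_DESTS = 20                                  # distinct external hosts tolerated

# Constructed flows: (seconds since device joined LAN, src, dst, dst_port)
FLOWS = [
    (5, "192.168.1.20", "198.51.100.7", 443),    # laptop: mail provider
    (9, "192.168.1.20", "198.51.100.8", 443),
    (30, "192.168.1.20", "192.168.1.1", 53),     # LAN-only traffic, ignored
    (3, "192.168.1.50", "203.0.113.1", 443),     # frame: first external contact
    (4, "192.168.1.50", "203.0.113.2", 8080),    # relay node handed out
]
# The frame then relays other people's requests to 30 unrelated hosts.
FLOWS += [(60 + 3 * i, "192.168.1.50", f"192.0.2.{i}", 443 if i % 2 else 80)
          for i in range(1, 31)]


def early_egress(flows, window_s=WINDOW_S):
    """Per device: first external host contacted, all external hosts/ports in window."""
    seen = defaultdict(lambda: {"first_contact": None, "hosts": set(), "ports": set()})
    for t, src, dst, dport in sorted(flows):
        if t > window_s or ipaddress.ip_address(dst) in LAN:
            continue                            # outside the window or LAN-internal
        dev = seen[src]
        if dev["first_contact"] is None:
            dev["first_contact"] = dst          # candidate coordination server
        dev["hosts"].add(dst)
        dev["ports"].add(dport)
    return seen


def proxy_suspects(flows, max_dests=MAX_DESTS):
    """Return {device_ip: first_contact_host} for devices fanning out past max_dests."""
    return {src: d["first_contact"] for src, d in early_egress(flows).items()
            if len(d["hosts"]) > max_dests}


if __name__ == "__main__":
    for dev, hub in proxy_suspects(FLOWS).items():
        n = len(early_egress(FLOWS)[dev]["hosts"])
        print(f"{dev}: {n} external hosts in {WINDOW_S}s, first contact {hub}; isolate device")
```

A flagged device belongs on an isolated VLAN with egress blocked until its traffic is understood; the first-contact host is the one worth checking against threat intelligence.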

Profitability depends on the home IP, not on the hardware: the device is sold at a loss or break-even, and the profit comes from reselling the buyer's home IP to proxy networks. This economy explains the scale of the phenomenon, with estimates suggesting an infected device count between tens of millions and over 500 million worldwide, while the Digital Citizens Alliance calculates about 20 million compromised devices in the United States alone. It is worth noting that the European Cyber Resilience Act, effective from December 2024 with full compliance by December 2027, imposes minimum security and transparency standards on software for connected devices sold in Europe. In the United States, there is no equivalent requirement for products sold through marketplaces.

From State Spying to a Record of 30 Tbps

The same networks serve state-sponsored actors. The Chinese groups Volt Typhoon and Flax Typhoon use them to mask espionage against U.S. critical infrastructure, making the traffic appear to come from ordinary American homes: a tactical shift described in a joint advisory from April 2026 signed by CISA, FBI, NSA, and eleven international agencies. As one of the cited experts summarized, state-conducted offensives have been observed through such terminals, which means that "the device sitting in your home is part of a state attack against another state."

On the commercial front, IPIDEA, the Chinese residential proxy service behind much of the infrastructure, was dismantled by Google through legal action in January 2026: prior to closure, it operated about 7,400 second-level servers and served over 550 distinct hostile groups.

One of the actors in this economy came to light in May 2026, when the Ontario Provincial Police arrested Jacob Butler, 23, of Ottawa, known online as "Dort," on a U.S. extradition warrant. He is accused of building and managing the KimWolf botnet, which infected over a million devices and launched DDoS attacks measured at nearly 30 terabits per second, the highest value ever recorded. The network issued over 25,000 attack commands, caused losses exceeding a million dollars in the most severe cases, and affected IP addresses on the Department of Defense's network.

KrebsOnSecurity had identified and publicly named Butler in February 2026; after the exposure, the operator kept working and orchestrated at least two swatting episodes against researchers who had uncovered his identity, including the founder of the startup Synthient.

KimWolf was dismantled on March 19, 2026, in an international operation involving the United States, Canada, Germany, and private companies, including Amazon, which helped track down the command infrastructure and reverse-engineer the malware; in the same action, the competing botnets Aisuru, JackSkid, and Mossad also fell. For buyers, however, few upstream defenses remain: neither Amazon nor Walmart requires third-party sellers to declare the software pre-installed on connected devices, and neither has tools to detect factory-installed proxy clients before sale. Both say they intervene only after confirming the presence of malware on a specific product. Experts gathered at industry conferences warn: "we have seen some of the largest cyberattacks ever recorded in our digital history in recent months," and even larger ones are expected if the problem is not addressed.