AIPodify

Darknet Diaries

Her dad's streaming box sent tons of data to China. Then the FBI showed up. Ep. 172: SuperBox

Guest: D3ada55 · April 7, 2026

Episode Summary

AI-generated · Apr 2026

AI-generated summary — may contain inaccuracies. Not a substitute for the full episode or professional advice.

This episode features cybersecurity expert D3ada55, a senior sales engineer at CENSUS with a non-traditional background in rhetoric and propaganda, who conducts security research "for fun." The central thesis revolves around her multi-year, deep dive into the "SuperBox," an innocuous-looking TV streaming device that turned out to be a sophisticated, malicious tool facilitating cyberespionage and large-scale botnet operations, ultimately catching the attention of the FBI.

D3ada55's investigation began when she noticed her father's home network was unusually slow after he acquired multiple SuperBoxes, which promised thousands of free channels and movies for a one-time $300 fee. Her analysis revealed the boxes immediately called out to Tencent in China, attempted to trigger SCADA vulnerabilities on her network, and performed aggressive ARP DoS attacks to knock devices offline and impersonate them. The SuperBox operates on an outdated Android operating system (2021 patch) with known vulnerabilities, comes pre-installed with remote access tools like TeamViewer, and has missing sectors in its firmware, suggesting deliberate obfuscation. Despite its dangerous nature, the SuperBox is widely available on Amazon, Walmart, and Best Buy's third-party marketplaces, supported by a vast, commission-based influencer marketing campaign that targets suburban families to gain a "bottom-up approach to intelligence gathering," potentially accessing corporate networks via work-from-home setups.

The SuperBox is part of the larger "BadBox botnet" and has been confirmed to be involved in the Kimwolf botnet, responsible for record-breaking DDoS attacks of up to 31 terabytes per second. Beyond botnet activities, these devices exfiltrate massive amounts of data, with some users reporting terabytes of uploads per month, leading to ISP throttling and concerns about credential harvesting and personal data theft. D3ada55 also discovered similar devices like the vSeeBox and the politically-branded Magabox, all exhibiting similar malicious behaviors, including covert Bluetooth antennas and microphones in their remotes, raising significant privacy concerns. This sophisticated campaign exploits consumer economic anxiety and a societal "bug in human beings" that prioritizes convenience (free streaming) over clear security risks, even after a public service announcement from the FBI in June 2025.

Listeners walk away with a stark warning about the hidden dangers of seemingly benign smart home devices, the cunning tactics used to distribute them, and the critical importance of personal cybersecurity hygiene. The episode highlights how consumer demand for convenience, coupled with fragmented streaming services, creates a fertile ground for nation-state-level threats, turning home networks into hostile environments and posing potential risks to critical infrastructure.

👤 Who Should Listen

  • Anyone concerned about smart home device security and privacy in their residence or workplace.
  • Consumers considering purchasing cheap streaming devices or 'cord-cutting' solutions from online marketplaces or informal resellers.
  • IT and cybersecurity professionals interested in advanced persistent threats (APTs), botnet operations, and supply chain compromises.
  • Individuals working from home (WFH) in sensitive industries, such as oil and gas, government, or defense.
  • Parents and family members looking to protect their home networks and personal data from malicious hardware.
  • Researchers, journalists, and policymakers investigating state-sponsored cyber campaigns, digital propaganda, and consumer protection issues.

🔑 Key Takeaways

  1. The SuperBox, marketed as a cheap streaming device, actively calls out to Tencent (China), attempts SCADA exploits, and performs ARP DoS attacks to impersonate devices on local networks.
  2. SuperBoxes are sold via third-party marketplaces on Amazon, Walmart, and Best Buy, despite being illegal piracy devices with pre-installed remote access software like TeamViewer and outdated Android patches.
  3. A sophisticated influencer marketing campaign, including paid resellers, targets suburban families to establish a "bottom-up approach to intelligence gathering" for potential corporate network infiltration.
  4. SuperBoxes have been confirmed as part of the Kimwolf botnet, a DDoS-as-a-service operation capable of launching massive attacks (e.g., 31 terabytes per second), weaponizing consumer devices.
  5. The devices exfiltrate enormous amounts of data, with some users reporting thousands of gigabytes uploaded daily, leading to ISP throttling and significant privacy and data theft concerns.
  6. The SuperBox campaign exploits "a bug in human beings" by leveraging economic anxiety and the desire for convenient entertainment, leading users to ignore clear security warnings, including an FBI public service announcement in 2025.
  7. The SuperBox remote control contains covert microphones and a long Bluetooth antenna, raising suspicions of constant listening and passive collection of unique Bluetooth fingerprints from nearby devices and individuals.
  8. Similar devices like the vSeeBox and Magabox exhibit the same malicious behaviors, indicating a broader, coordinated campaign that D3ada55 suggests may be a "pre-positioning move" by a nation-state.

💡 Key Concepts Explained

SCADA Vulnerability

SCADA (Supervisory Control and Data Acquisition) systems are control systems used in large-scale industrial settings like oil and gas. The SuperBox attempting to trigger a SCADA exploit on a home network was a significant "red flag" for D3ada55, suggesting an intent far beyond simple piracy.

ARP DoS (Denial of Service)

An ARP (Address Resolution Protocol) DoS is a network attack where a device floods a local network with ARP requests, overwhelming target devices, causing them to lose their IP address reservations, and allowing the attacking device to impersonate them. The SuperBox uses this "wild attack" to probe and gain access to other devices on a home network.
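The two symptoms described above (a single device sweeping the LAN with ARP requests, then answering for an IP that another device already owns) can be spotted passively by a monitor on the same segment. The following is an added example, not code from the episode or the researcher; the frames are constructed, with `de:ad:be:ef:00:55` standing in for the suspicious box and `aa:aa:aa:aa:aa:fe` for the gateway.

```python
"""Passive ARP monitor: flag request floods and IP impersonation.

Each frame is a constructed tuple (timestamp_s, sender_mac, sender_ip, opcode);
opcode 1 is an ARP request, 2 an ARP reply.  This is an added example, not
the tooling used in the episode.
"""
from collections import defaultdict

REQUEST, REPLY = 1, 2

def analyse_arp(frames, rate_threshold=50, window_s=1.0):
    """Return {'flooders': [...], 'spoofs': [...]}.

    flooders: MACs that sent >= rate_threshold requests inside any window_s span.
    spoofs:   (ip, first_mac, new_mac) whenever a reply claims an IP that a
              different MAC had already claimed (impersonation / ARP poisoning).
    """
    req_times = defaultdict(list)   # mac -> recent request timestamps
    max_rate = defaultdict(int)     # mac -> peak requests seen in one window
    ip_owner = {}                   # ip  -> mac that first answered for it
    spoofs = []
    for ts, mac, ip, op in frames:
        if op == REQUEST:
            times = req_times[mac]
            times.append(ts)
            while ts - times[0] > window_s:   # slide the window forward
                times.pop(0)
            max_rate[mac] = max(max_rate[mac], len(times))
        elif op == REPLY:
            prev = ip_owner.setdefault(ip, mac)
            if prev != mac:
                spoofs.append((ip, prev, mac))
    flooders = sorted(m for m, n in max_rate.items() if n >= rate_threshold)
    return {"flooders": flooders, "spoofs": spoofs}

def sample_frames():
    """Constructed capture: one benign lookup, then a box sweeping the /24."""
    gateway, laptop, box = "aa:aa:aa:aa:aa:fe", "aa:aa:aa:aa:aa:01", "de:ad:be:ef:00:55"
    frames = [(0.00, laptop, "192.168.1.10", REQUEST),   # laptop asks for gateway
              (0.01, gateway, "192.168.1.1", REPLY)]     # gateway answers
    # the box fires 254 requests in about half a second (LAN sweep)
    frames += [(0.1 + i * 0.002, box, "192.168.1.55", REQUEST) for i in range(1, 255)]
    # then it answers for the gateway's IP: classic impersonation
    frames.append((1.0, box, "192.168.1.1", REPLY))
    return frames

if __name__ == "__main__":
    print(analyse_arp(sample_frames()))
```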

SEO Poisoning

SEO (Search Engine Optimization) poisoning is the manipulation of search engine results to promote specific content and suppress negative information. Searches for "SuperBox" primarily yield positive reviews and sales links, making it difficult to find critical information, which D3ada55 attributes to deliberate SEO poisoning.

Residential Proxy Network

A residential proxy network comprises internet-connected devices in homes (like SuperBoxes) that are controlled by malicious actors to route traffic through them, masking the origin of various cybercrimes, including ad fraud and DDoS attacks. Brian Krebs's article helped connect the SuperBox findings to the broader issue of residential proxy networks.

Kimwolf Botnet

The Kimwolf botnet is a confirmed large-scale botnet that includes SuperBoxes and other compromised IoT devices. It is known for launching some of the largest DDoS attacks ever recorded (e.g., 31 terabytes per second) and operates as a "DDoS-as-a-service" business.

Cyberpsychology

Cyberpsychology, in this context, refers to the psychological manipulation tactics used in cybersecurity attacks. D3ada55 highlights how the SuperBox campaign expertly exploits human vulnerabilities like economic anxiety, the desire for convenience, and the susceptibility to multi-level marketing (MLM) schemes to spread dangerous devices.

⚡ Actionable Takeaways

  • Inspect your home network for any suspicious streaming boxes like SuperBox, vSeeBox, or Magabox, and immediately unplug and safely dispose of them if found.
  • Communicate with family members, especially those in sensitive positions or who might be susceptible to "too good to be true" deals, to warn them about the dangers of these devices.
  • Isolate all smart home and IoT devices on a separate, quarantined guest network to prevent them from accessing critical work or personal computers.
  • Regularly monitor your internet service provider's (ISP) bandwidth usage, particularly for unusually high upload activity, as this can indicate a compromised device exfiltrating data.
  • Be highly skeptical of consumer electronics sold through third-party marketplaces on major retailers or by informal "resellers" (e.g., at farmers markets, by neighbors).
  • Practice strong personal cybersecurity hygiene, including using VPNs and considering a Faraday bag for mobile devices when in untrusted public environments.
  • Question any device that offers pirated content for a one-time fee, recognizing that such offers often come with severe hidden risks beyond legal implications.
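The bandwidth-monitoring advice above is easiest to act on with per-device upload totals rather than the ISP's whole-account number. This added example (not from the episode) assumes a router or flow collector exporting one line per flow in the constructed `src=... dst=... out=... in=...` format and flags hosts that upload far more than they download.

```python
"""Flag LAN hosts whose upload volume looks like exfiltration.

Added example, not from the episode.  The log format and sample lines are
constructed; the LAN host 192.168.1.55 plays the role of a streaming box
that uploads gigabytes while downloading almost nothing.
"""
import re
from collections import defaultdict

LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) out=(?P<out>\d+) in=(?P<in>\d+)")
GIB = 1024 ** 3

SAMPLE_LOG = """\
2026-04-01T00:05:00 src=192.168.1.10 dst=198.51.100.20 out=2097152 in=4294967296
2026-04-01T00:05:00 src=192.168.1.55 dst=203.0.113.7 out=3221225472 in=52428800
2026-04-01T06:05:00 src=192.168.1.55 dst=203.0.113.7 out=3221225472 in=52428800
2026-04-01T12:05:00 src=192.168.1.55 dst=203.0.113.9 out=3221225472 in=52428800
2026-04-01T12:05:00 src=192.168.1.10 dst=198.51.100.21 out=1048576 in=2147483648
malformed line that the parser must skip
"""

def parse_flows(text):
    """Yield (src, dst, bytes_out, bytes_in); silently skip unparseable lines."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["out"]), int(m["in"])

def find_uploaders(text, min_upload=5 * GIB, min_ratio=10.0):
    """Return {src: {'upload_gib', 'ratio'}} for hosts over both thresholds.

    A normal streaming client downloads far more than it uploads, so a host
    that both moves a lot of data out and has an out/in ratio >= min_ratio
    is worth unplugging and inspecting.
    """
    totals = defaultdict(lambda: [0, 0])          # src -> [bytes_out, bytes_in]
    for src, _dst, out_b, in_b in parse_flows(text):
        totals[src][0] += out_b
        totals[src][1] += in_b
    flagged = {}
    for src, (out_b, in_b) in totals.items():
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= min_upload and ratio >= min_ratio:
            flagged[src] = {"upload_gib": round(out_b / GIB, 2), "ratio": round(ratio, 1)}
    return flagged

if __name__ == "__main__":
    print(find_uploaders(SAMPLE_LOG))
```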

⏱ Timeline Breakdown

00:00 Host Jack introduces the concept of dangerous consumer electronics, citing a recall of a gaming computer with pre-installed malware.
02:11 Jack introduces the guest, D3ada55.
03:12 D3ada55 recounts meeting Jack at Defcon and discusses her non-traditional background in rhetoric and propaganda, leading her to tech.
05:50 D3ada55 explains how her research began when her father, an oil and gas executive, enthusiastically showed her his new SuperBox streaming device.
06:18 D3ada55's sister reports the home network being slow, prompting D3ada55 to acquire a SuperBox for analysis, quarantining it on a separate network.
08:23 D3ada55 observes the SuperBox immediately calling out to Tencent in China and later discovers it attempting to trigger a SCADA vulnerability.
09:27 D3ada55 details how the SuperBox extensively scans her local network, performing ARP DoS attacks and impersonating other devices.
11:31 D3ada55 notes the SuperBox's marketing is heavily SEO poisoned, making it difficult to find negative reviews or true manufacturer information (fake company GBS Labs).
12:32 D3ada55 discovers SuperBoxes are widely available on Amazon, Best Buy, and Walmart's third-party marketplaces, despite their illegal pirating functions.
14:37 D3ada55 uncovers a widespread influencer marketing campaign for SuperBoxes, paying individuals a 50% commission for sales.
16:42 D3ada55 highlights the strategic targeting of suburban families, suggesting a "bottom-up approach" for intelligence gathering to access corporate networks.
17:45 D3ada55 explains that SuperBoxes use an outdated Android OS (2021 patch) with known vulnerabilities and come pre-installed with remote management tools like TeamViewer.
20:53 D3ada55 gives her first technical talk on the SuperBox at a BSides event, leading to government interest and a federal investigation.
22:00 D3ada55 reveals the SuperBox is part of the "BadBox botnet," a second iteration of Android streaming devices with malware, noting its significantly higher price ($300 vs $30) compared to other BadBoxes.
25:05 D3ada55 details decompiling APKs from the SuperBox's unique, multi-layer encoded app store, which is distinct from the Google Play Store.
27:11 D3ada55 uncovers missing sectors in the SuperBox's firmware and notes the device's fake regulatory information and questionable certificates of authenticity.
29:13 D3ada55 highlights the SuperBox's suspicious packaging, including a "6k" claim and fabricated regulatory certifications.
30:16 D3ada55 discusses the FBI's public service announcement in June 2025, warning about IoT devices, including TV streaming devices, facilitating criminal activity.
31:17 D3ada55 recounts how she convinced her father to unplug the box by highlighting the risk to his retirement and bank accounts due to network monitoring.
33:25 Jack discusses the "bug in human beings" where people ignore clear dangers for perceived value, using the SuperBox as a prime example of this exploitation.
34:29 D3ada55 reports that SuperBoxes were being mysteriously mailed to oil and gas workers, further escalating the campaign's seriousness.
37:40 D3ada55 emphasizes the "cyberpsychology" at play, exploiting economic anxiety and implied trust in major retailers despite blatant scams and propaganda.
39:49 Jack attributes the rise of piracy to the fragmented and frustrating streaming service landscape, which the SuperBox expertly exploits.
42:57 D3ada55 discovers the "vSeeBox," another similar streaming device that also beacons to Tencent and communicates with the SuperBoxes when on the same network.
46:10 D3ada55 notes the SuperBox remotes have self-signed certificates, microphones, open ports, and unusually long, covert Bluetooth antennas, raising further surveillance concerns.
52:24 D3ada55 describes being targeted by phishing attempts after Brian Krebs published an article on SuperBoxes, with attackers trying to acquire her research data.
55:34 D3ada55 confirms that SuperBoxes were part of the Kimwolf botnet, the largest DDoS botnet, used for DDoS-as-a-service attacks.
60:42 D3ada55 critiques a recent article from The Verge that she perceives as "literal propaganda," promoting the SuperBox by interviewing happy users and resellers without highlighting security risks.
68:00 D3ada55 shares her personal experience of connecting her work computer to her dad's network without knowing about his SuperBoxes, prompting her to use a Faraday bag and improve her security hygiene.
71:03 D3ada55 posits that "China" is the likely perpetrator, given geopolitical context, Tencent beacons, and China's manufacturing capabilities, noting its "perfect MLM" structure.
75:14 D3ada55 discusses the challenges of stopping the SuperBox, noting that even if banned, the peer-to-peer distribution continues, and ISPs are struggling to cope with excessive data uploads.
77:17 D3ada55 expresses surprise that major media companies like Disney haven't sued the SuperBox operators more aggressively, given their history with piracy.
82:30 Jack concludes by reflecting on the "new hostile environment" of home networks and the difficulty of eradicating such pervasive, spyware-laden devices.

💬 Notable Quotes

The first thing it does is call out to Tencent. Like, just straight...
Holy cow, these things aren't just spreading; they're spreading in specific places. Suburban families are getting them, and why there? Okay, let's think about it. By targeting suburban families, it's almost like a bottom-up approach to intelligence gathering.
With TeamViewer installed on it, that means that whoever is behind this has a dashboard at their fingertips of all the SuperBoxes out there with TeamViewer running, and with one click, they could just jump right into any of them. That's horrible. Holy cow.
This puts me in deep thought, actually, on how to fix this. This isn't a one off. It's an industry trend, and it's not even just an industry trend in cybersecurity. It's a bug in human beings.
It's like a perfect Trojan horse, like in the traditional sense. If we go back to the original story, here's this big present, and we're gonna hide inside. Here is this device that lets you get all the channels, and somebody is going to hide inside.
This is literal propaganda. Like, oh my goodness. This is what they mean when they say it's gonna be plain as day in your face and you're not gonna understand that — again, an average, everyday person is going to read that and be like, oh, well, these people don't care.
