> sounds like a pretty good box really.

You can buy a better one that does not have malware installed. So these are complete and total garbage and no sane person should run them under any circumstance. Sounds like you have a bias which has prevented you from thinking about this clearly.

> You can buy a better one that does not have malware installed.

You can buy a better one if you have the technical know-how. But if you did you'd probably be running the *arr stack anyway and not need such a box. But these boxes do work and aren't any more of a threat than your usual public Wi-Fi for the casual user who does not expose any services to the LAN.

The alarm around them is less about the threat to its owner and more about the threat to the tech ecosystem at large... which considering how hostile it is to users, shouldn't really be something they have any reason to worry about.

Until all their accounts get pwned due to credential stuffing over this or a similar botnet - being the average person with weak, reused passwords?

The majority of accounts out there don't have anything of value. If it gets pwned the person just resets their password and calls it a day (in fact due to the lack of password manager their usual workflow is to reset the password anyway on each login since they never remember whatever variation of their shitty weak password they used).

I’d be nice to control where the money and content go. If I could, I’d strongly consider firing up an old raspberry pi or two.

Also, is there a better word than ad fraud? It needs an innocuous sounding euphemism like pretty much everything else involving that industry has. “Monetizing ad display”? “User-agent driven conversions?”

The actual industry lingo is "invalid traffic" :P