FBI Catches Russian Hackers INVADING U.S. Homes!

Russian military intelligence operatives turned thousands of American home routers into silent spies, stealing passwords and intercepting communications until the FBI pulled the plug on the entire operation.

Story Snapshot

  • Russian GRU hackers compromised 18,000 routers across 120 countries using Moobot malware installed on vulnerable MikroTik and TP-Link devices
  • The FBI’s Operation Dying Ember neutralized the botnet by remotely deleting malware, resetting routers, and blocking re-access through court-authorized commands
  • Hackers redirected internet traffic to steal passwords and authentication tokens, bypassing two-factor authentication to target governments, military units, and corporations
  • Over 200 organizations and 5,000 consumer devices fell victim, with governments and law enforcement in Africa, the Americas, and Asia hit hardest

The Digital Invasion Nobody Noticed

Your home router sat on the shelf or desk, blinking its usual lights, doing its usual job of connecting you to the internet. Except it was doing something else entirely. Russian military hackers from GRU Unit 29155, operating under the notorious APT28 Fancy Bear group, exploited outdated firmware in MikroTik and TP-Link routers to install Moobot malware. These compromised devices became nodes in a global espionage botnet, redirecting traffic and harvesting credentials from unsuspecting victims. The operation ran for years before Western intelligence agencies even detected its scope.

When Your Router Works for Moscow

The hackers employed a technique called DNS hijacking, manipulating the Domain Name System to reroute internet traffic through servers they controlled. When victims logged into email accounts, corporate networks, or government portals, the malware intercepted usernames, passwords, and authentication tokens. The beauty of this attack from the GRU’s perspective was its stealth. Two-factor authentication provided no protection because the hackers captured credentials in real time as users entered them. Black Lotus Labs researchers at Lumen Technologies documented the scope: 18,000 infected routers spread across 120 countries, with 200 organizations and 5,000 individual devices compromised.
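One defender-side check for the router DNS hijacking described above, added here as an example and not taken from the article or from the investigations it cites: it compares the resolvers a router hands out against an expected set, and the answers those resolvers give for sensitive hostnames against a trusted resolver queried over an independent path. The expected resolver set, hostnames and addresses are constructed sample data.

```python
import ipaddress

# Assumption (constructed): resolvers the ISP or admin expects the router to hand out via DHCP.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# RFC 1918 ranges listed explicitly: Python's is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver IPs from resolv.conf-style text (what the router's DHCP pushed)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed entry, ignore
    return servers


def check_resolvers(servers: list[str]) -> list[tuple[str, str]]:
    """Any resolver outside the expected set is a rogue-resolver indicator."""
    return [("rogue-resolver", s) for s in servers if s not in EXPECTED_RESOLVERS]


def check_answers(local: dict[str, set[str]], trusted: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Compare the router-assigned resolver's answers for sensitive hostnames with answers from a
    trusted resolver reached over an independent path. CDN names legitimately vary, so flag only
    answers inside RFC 1918 space (a public name pointed at a LAN box) or sets sharing nothing."""
    findings = []
    for host, good in trusted.items():
        got = local.get(host, set())
        if not got:
            findings.append(("no-answer", host))
        elif any(ipaddress.ip_address(a) in net for a in got for net in RFC1918):
            findings.append(("private-answer", host))
        elif got.isdisjoint(good):
            findings.append(("answer-mismatch", host))
    return findings


def audit(resolv_text: str, local: dict, trusted: dict) -> list[tuple[str, str]]:
    return check_resolvers(parse_resolv_conf(resolv_text)) + check_answers(local, trusted)


# Constructed sample: one expected and one rogue resolver; the mail portal's answer is
# rewritten, the VPN name points into the LAN, and the CDN name varies legitimately.
SAMPLE_RESOLV = "nameserver 192.0.2.53\nnameserver 198.51.100.9  # pushed by compromised router\n"
SAMPLE_LOCAL = {"mail.example.com": {"198.51.100.10"}, "cdn.example.com": {"203.0.113.7"},
                "vpn.example.com": {"10.0.0.5"}}
SAMPLE_TRUSTED = {"mail.example.com": {"203.0.113.20"}, "cdn.example.com": {"203.0.113.7", "203.0.113.8"},
                  "vpn.example.com": {"203.0.113.30"}}
```

Running `audit(SAMPLE_RESOLV, SAMPLE_LOCAL, SAMPLE_TRUSTED)` reports the rogue resolver, the rewritten mail answer and the private VPN answer while leaving the CDN name alone.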

Operation Dying Ember Strikes Back

The FBI and Department of Justice assembled an international coalition including Britain’s National Cyber Security Centre, Ukraine’s SBU intelligence service, Microsoft, and Lumen Technologies. Armed with court warrants, FBI agents deployed remote commands to infected routers within U.S. jurisdiction. The commands deleted the Moobot malware, reset router configurations, and blocked the backdoors hackers used for re-entry. FBI Director Christopher Wray announced the initial disruption at the Munich Security Conference in February 2024, with final neutralization operations completing by April 2026. Attorney General Merrick Garland characterized it as part of accelerating efforts to disrupt Russian cyber campaigns targeting American infrastructure and allies.

The Proxy War Goes Digital

GRU Unit 29155 has a documented history of high-profile cyber operations, including the 2016 Democratic National Committee breach and the 2022 Viasat satellite communications attack during Russia’s invasion of Ukraine. This router botnet operation marked a tactical evolution. Rather than spectacular one-time breaches, the GRU cast wide nets across unpatched consumer devices to establish persistent espionage platforms. They targeted governments, law enforcement agencies, military organizations, and email providers, with victims concentrated in North Africa, Central Asia, and Southeast Asia. The operation’s opportunistic nature reflects post-2022 escalation in Russian cyber activities against NATO allies and Ukraine supporters.

Why Your Outdated Router Matters

Consumer routers represent the soft underbelly of network security. Small businesses and home users rarely update firmware, leaving known vulnerabilities unpatched for months or years. Security researchers identified the exploited flaws in MikroTik and TP-Link devices long before this campaign, yet thousands of routers remained vulnerable. The hackers needed no sophisticated zero-day exploits, just patience to scan the internet for unpatched devices. Once inside, they transformed ordinary routers into espionage tools, proving that the weakest link in cybersecurity is not technology but human negligence in maintaining it.

The Geopolitical Chessboard

This disruption represents more than technical success. It demonstrates Western capabilities in attribution, coalition-building, and offensive cyber operations against state adversaries. Russia’s use of criminal proxies and malware-as-a-service creates plausible deniability, but the evidence trail led directly to GRU facilities. The timing matters. With Russia prosecuting its war in Ukraine and expanding cyber operations against Ukrainian allies, the FBI’s takedown sends a deterrence message. Ukraine’s SBU participation in the operation underscores how cyber defense has become integral to the broader conflict. The FBI’s ability to neutralize infrastructure on American soil while coordinating internationally shows evolved response capabilities to state-sponsored hacking.

What Comes Next

The FBI advised internet service providers to contact affected customers and recommend router resets. No active GRU control persists according to government statements, but uncertainties remain about re-infection risks and whether hackers retained stolen credentials. The disruption exposes a persistent vulnerability that extends beyond Russia. Two weeks before the initial Operation Dying Ember announcement, authorities disrupted a similar Chinese hacking campaign targeting routers. The pattern is clear: adversaries view consumer networking equipment as strategic targets. Industry-wide firmware security improvements and consumer awareness represent the only long-term solutions. The botnet is offline, but thousands of unpatched routers worldwide remain vulnerable to the next campaign.

Sources:

US disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ

Russian government hackers broke into thousands of home routers to steal passwords

Kyiv Post Coverage

Russian Hackers Hit SOHO Routers in Cyberespionage Campaign

UK Exposes Russian Cyber Unit Hacking Home Routers