FBI Disrupts Cyclops Blink Botnet, Patches Thousands of Compromised Routers
Key Takeaways
- The FBI, in “Operation Masquerade,” neutralized a sophisticated cyberespionage network operated by Russian military intelligence.
- Thousands of small office/home office (SOHO) routers, primarily TP-Link devices, were compromised globally since at least 2024.
- The attackers, identified as APT28 (Fancy Bear), manipulated DNS settings to redirect traffic and harvest sensitive data from high-value targets.
- The FBI remotely patched affected routers, purged malicious DNS resolvers, and restored legitimate settings across 23 U.S. states.
- Users are advised to update router firmware, replace end-of-life devices, and verify DNS configurations.
The U.S. Justice Department and the Federal Bureau of Investigation (FBI) have successfully dismantled a vast cyberespionage infrastructure, codenamed “Operation Masquerade.” This court-authorized intervention targeted and neutralized thousands of compromised small office/home office (SOHO) routers that Russian military intelligence had weaponized for global surveillance.
Announced on April 7, 2026, the technical operation specifically disrupted a hacking unit within Russia’s Main Intelligence Directorate (GRU), widely recognized in cybersecurity circles as APT28, Fancy Bear, Forest Blizzard, and Sednit. This state-sponsored group has been actively exploiting known security vulnerabilities since at least 2024 to illicitly obtain credentials from numerous TP-Link routers worldwide.
Russian Router Hijacking Operation
Upon gaining unauthorized access to a router, the GRU operatives proceeded to alter its Domain Name System (DNS) settings. This maneuver effectively diverted the victim’s internet traffic through malicious DNS resolvers under the attackers’ control.
While the initial router compromises were widespread and indiscriminate, the hackers employed an automated filtering mechanism to pinpoint high-value targets within military, government, and critical infrastructure sectors. For these selected targets, the illicit DNS resolvers delivered fraudulent records designed to mimic legitimate online services, such as Microsoft Outlook Web Access.
This sophisticated technique enabled the GRU to execute Actor-in-the-Middle (AitM) attacks against encrypted network traffic. By routing traffic through their own servers, the attackers successfully extracted unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to the compromised networks.
To halt this espionage campaign, the FBI developed and deployed a series of remote commands to the compromised routers across 23 states. These commands served multiple critical functions: they gathered essential evidence, purged the malicious GRU DNS resolvers, and reinstated legitimate ISP default settings. Furthermore, the commands effectively locked out the attackers by patching the original vulnerabilities that facilitated unauthorized access.
The U.S. government, in collaboration with MIT Lincoln Laboratory, rigorously tested these actions to ensure they would not disrupt normal router functionality or access private user data. This disruption effort was a testament to collaborative success, involving the FBI’s Boston and Philadelphia Field Offices, with crucial threat intelligence contributions from Microsoft and Black Lotus Labs at Lumen.
What You Should Do
- Replace End-of-Life Routers: Immediately replace any SOHO routers that are End-of-Life (EoL) or no longer supported by the manufacturer.
- Update Firmware: Upgrade your router to the latest firmware available from the manufacturer.
- Verify DNS Settings: Review and verify the authenticity of the DNS resolvers listed in your router’s configuration settings. They should typically match your Internet Service Provider’s (ISP) DNS or a trusted public DNS service.
- Review Firewall Rules: Update and strengthen firewall rules to prevent public exposure of remote management services on your router.
- Report Suspected Compromise: If you suspect your router was compromised, consult the official TP-Link download center for proper configuration guidelines and file a report with the FBI’s Internet Crime Complaint Center (IC3).
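The script below is an added example for the "Verify DNS Settings" and "Review Firewall Rules" items above; it is not part of the article and not FBI or TP-Link tooling. It runs offline over a constructed router settings export and constructed DNS answers: it lists the configured resolvers and flags any that are not on an owner-maintained trusted list, compares the addresses a sensitive hostname resolves to via the configured resolver against a trusted resolver (the divergence that the fraudulent records described above would produce), and reports whether remote management is switched on. The key names (`wan_dns1`, `remote_mgmt`, `lan_ip`), the ISP resolver addresses, the hostnames and the DNS answers are all hypothetical sample data; the /24 LAN mask is an assumption.

```python
"""Offline audit of a SOHO router's DNS and remote-management settings.
All inputs are constructed sample data; the key=value layout and key names are
hypothetical and not any vendor's real export format.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a router settings export.
SAMPLE_ROUTER_CONFIG = """\
wan_proto=dhcp
wan_dns_mode=manual
wan_dns1=198.51.100.53
wan_dns2=9.9.9.9
lan_ip=192.168.0.1
remote_mgmt=1
"""

# Resolvers the owner treats as legitimate: the ISP's (hypothetical addresses
# from a documentation range) plus well-known public services.
TRUSTED_RESOLVERS: Set[str] = {
    "203.0.113.1", "203.0.113.2",       # hypothetical ISP resolvers
    "1.1.1.1", "1.0.0.1",               # Cloudflare
    "8.8.8.8", "8.8.4.4",               # Google Public DNS
    "9.9.9.9", "149.112.112.112",       # Quad9
}

# Constructed answers: what the router's configured resolver returned versus
# what a trusted resolver returned for the same hostnames.
SAMPLE_CONFIGURED_ANSWERS = {
    "outlook.example-corp.test": {"198.51.100.77"},
    "www.example.test": {"192.0.2.10"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "outlook.example-corp.test": {"192.0.2.20", "192.0.2.21"},
    "www.example.test": {"192.0.2.10"},
}

DNS_KEY_RE = re.compile(r"^(?:wan_)?dns\d*$")  # matches dns1, wan_dns2, ...


def parse_config(config_text: str) -> Dict[str, str]:
    """Turn key=value lines into a dict, ignoring blank or malformed lines."""
    settings: Dict[str, str] = {}
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def configured_resolvers(settings: Dict[str, str]) -> List[str]:
    """Resolver addresses in the order their keys appear (dns1, dns2, ...)."""
    return [v for k, v in settings.items() if DNS_KEY_RE.match(k) and v]


def check_resolvers(resolvers: List[str], trusted: Set[str],
                    lan_ip: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (address, reason) for every resolver that needs a look."""
    findings: List[Tuple[str, str]] = []
    # Assumption: the LAN is a /24 around the router's LAN address.
    lan_net = ipaddress.ip_network(f"{lan_ip}/24", strict=False) if lan_ip else None
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "not a valid IP address"))
            continue
        if addr in trusted:
            continue
        if lan_net is not None and ip in lan_net:
            findings.append((addr, "LAN address: legitimate only if you run that resolver"))
        else:
            findings.append((addr, "not in the trusted resolver list"))
    return findings


def divergent_hosts(configured: Dict[str, Set[str]],
                    trusted: Dict[str, Set[str]]) -> List[str]:
    """Hostnames whose answer from the configured resolver shares no address
    with the trusted resolver's answer. Large services rotate addresses, so a
    hit is a lead to investigate, not proof of a spoofed record."""
    hits = [host for host, ok in trusted.items()
            if configured.get(host) and not (configured[host] & ok)]
    return sorted(hits)


def remote_management_exposed(settings: Dict[str, str]) -> bool:
    """True when the hypothetical remote_mgmt flag enables WAN-side admin access."""
    return settings.get("remote_mgmt", "0") == "1"


def audit(config_text: str, trusted: Set[str],
          configured_answers: Dict[str, Set[str]],
          trusted_answers: Dict[str, Set[str]]) -> Dict[str, object]:
    settings = parse_config(config_text)
    return {
        "resolver_findings": check_resolvers(
            configured_resolvers(settings), trusted, settings.get("lan_ip")),
        "divergent_hosts": divergent_hosts(configured_answers, trusted_answers),
        "remote_management_exposed": remote_management_exposed(settings),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ROUTER_CONFIG, TRUSTED_RESOLVERS,
                   SAMPLE_CONFIGURED_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Against the sample data the audit flags the first resolver as untrusted, reports `outlook.example-corp.test` as resolving to an address the trusted resolver never returns, and notes that remote management is on. To use it for real, replace the trusted list with your ISP's published resolvers, and gather the two answer sets by querying the same hostnames once through the router and once through a trusted resolver.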
The FBI is actively collaborating with Internet Service Providers to notify affected users directly.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.