FBI Disrupts Cyclops Blink Botnet, Patches Thousands of Compromised Routers

Jennifer Sherman
April 8, 2026

Key Takeaways

  • The FBI, in “Operation Masquerade,” neutralized a sophisticated cyberespionage network operated by Russian military intelligence.
  • Thousands of small office/home office (SOHO) routers, primarily TP-Link devices, were compromised globally since at least 2024.
  • The attackers, identified as APT28 (Fancy Bear), manipulated DNS settings to redirect traffic and harvest sensitive data from high-value targets.
  • The FBI remotely patched affected routers, purged malicious DNS resolvers, and restored legitimate settings across 23 U.S. states.
  • Users are advised to update router firmware, replace end-of-life devices, and verify DNS configurations.

The U.S. Justice Department and the Federal Bureau of Investigation (FBI) have successfully dismantled a vast cyberespionage infrastructure, codenamed “Operation Masquerade.” This court-authorized intervention targeted and neutralized thousands of compromised small office/home office (SOHO) routers that Russian military intelligence had weaponized for global surveillance.

Announced on April 7, 2026, the technical operation specifically disrupted a hacking unit within Russia’s Main Intelligence Directorate (GRU), widely recognized in cybersecurity circles as APT28, Fancy Bear, Forest Blizzard, and Sednit. This state-sponsored group has been actively exploiting known security vulnerabilities since at least 2024 to illicitly obtain credentials from numerous TP-Link routers worldwide.

Russian Router Hijacking Operation

Upon gaining unauthorized access to a router, the GRU operatives proceeded to alter its Domain Name System (DNS) settings. This maneuver effectively diverted the victim’s internet traffic through malicious DNS resolvers under the attackers’ control.

While the initial router compromises were widespread and indiscriminate, the hackers employed an automated filtering mechanism to pinpoint high-value targets within military, government, and critical infrastructure sectors. For these selected targets, the illicit DNS resolvers delivered fraudulent records designed to mimic legitimate online services, such as Microsoft Outlook Web Access.

This sophisticated technique enabled the GRU to execute Actor-in-the-Middle (AitM) attacks against encrypted network traffic. By routing traffic through their own servers, the attackers successfully extracted unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to the compromised networks.

To halt this espionage campaign, the FBI developed and deployed a series of remote commands to the compromised routers across 23 states. These commands served multiple critical functions: they gathered essential evidence, purged the malicious GRU DNS resolvers, and reinstated legitimate ISP default settings. Furthermore, the commands effectively locked out the attackers by patching the original vulnerabilities that facilitated unauthorized access.

The U.S. government, in collaboration with MIT Lincoln Laboratory, rigorously tested these actions to ensure they would not disrupt normal router functionality or access private user data. This disruption effort was a testament to collaborative success, involving the FBI’s Boston and Philadelphia Field Offices, with crucial threat intelligence contributions from Microsoft and Black Lotus Labs at Lumen.

What You Should Do

  • Replace End-of-Life Routers: Immediately replace any SOHO routers that are End-of-Life (EoL) or no longer supported by the manufacturer.
  • Update Firmware: Update your router to the latest firmware released by the manufacturer.
  • Verify DNS Settings: Review and verify the authenticity of the DNS resolvers listed in your router’s configuration settings. They should typically match your Internet Service Provider’s (ISP) DNS or a trusted public DNS service.
  • Review Firewall Rules: Update and strengthen firewall rules to prevent public exposure of remote management services on your router.
  • Report Suspected Compromise: If you suspect your router was compromised, consult the official TP-Link download center for proper configuration guidelines and file a report with the FBI’s Internet Crime Complaint Center (IC3).

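As an added example, not code from the article or from the FBI operation, the following Python check looks for the two signs of the DNS hijacking described above: resolver addresses in the router or DHCP configuration that are not on an allowlist, and sensitive hostnames whose answers differ between the configured resolver and a trusted reference resolver. The allowlist, the hostnames and the minimal UDP resolver are constructed assumptions.

```python
import socket
import struct
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}  # constructed allowlist: your ISP's resolvers or a trusted public service
SENSITIVE_HOSTS = ["mail.example.com", "sso.example.com"]  # constructed: webmail/SSO hosts worth cross-checking

def untrusted_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Resolver addresses from the router/DHCP configuration that are not on the allowlist."""
    return [r for r in configured if r not in trusted]

def answer_mismatches(configured, reference, resolve, hosts=SENSITIVE_HOSTS):
    """Ask both resolvers for each host's A records; return hosts where they disagree."""
    out = {}
    for host in hosts:
        a, b = resolve(host, configured), resolve(host, reference)
        if a != b:
            out[host] = (a, b)
    return out

def build_query(host, txid=0x1234):
    """Standard recursive A query: 12-byte header, label-encoded name, QTYPE=1, QCLASS=1."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in host.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a DNS name; a compression pointer (first byte >= 0xC0) ends it in 2 bytes."""
    while msg[off] != 0 and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)

def parse_a_records(msg):
    """Collect the A-record addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def udp_resolve(host, resolver_ip, timeout=3.0):
    """Query one specific resolver over UDP/53 (used as the resolve callback above)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(host), (resolver_ip, 53))
        return parse_a_records(s.recv(4096))
```

Run `untrusted_resolvers` over the DNS servers your router advertises via DHCP, then `answer_mismatches(<configured resolver>, <trusted resolver>, udp_resolve)`; a mismatch on a webmail or SSO hostname is the pattern the article describes and warrants resetting the router's DNS settings.
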
The FBI is actively collaborating with Internet Service Providers to notify affected users directly.
