FBI Disrupts Russian Router Hijacking Affecting Thousands
Through a court-authorized takedown dubbed ‘Operation Masquerade,’ the U.S. Justice Department and the FBI have successfully dismantled a massive cyberespionage network.
Announced on April 7, 2026, the technical operation neutralized thousands of compromised small office/home office (SOHO) routers that were hijacked by Russian military intelligence to spy on global targets.
The disruption targeted a hacking unit within Russia’s Main Intelligence Directorate (GRU), widely tracked by cybersecurity researchers as APT28, Fancy Bear, Forest Blizzard, and Sednit.
Since at least 2024, these state-sponsored hackers have exploited known vulnerabilities to obtain credentials for thousands of TP-Link routers worldwide.
Russian Router Hijacking Operation
Once the GRU actors had unauthorized access to a router, they changed its Domain Name System (DNS) settings so that devices on the victim's network sent their name lookups to malicious, attacker-controlled DNS resolvers.
While the initial router compromises were indiscriminate, the hackers used an automated filtering system to identify high-value targets in the military, government, and critical infrastructure sectors.
For those targets, the malicious resolvers returned fraudulent records for legitimate online services, such as Microsoft Outlook Web Access, that pointed victims at attacker-controlled servers instead of the real ones.
That placed the GRU's servers between the victim and the genuine service, an Actor-in-the-Middle (AitM) position against connections the user believed were encrypted end to end.
From that position, the attackers harvested passwords, authentication tokens, emails, and other sensitive data in plaintext from devices connected to the compromised networks.
To stop the espionage campaign, the FBI developed and deployed a series of remote commands to the compromised routers across 23 states.
These commands gathered vital evidence, purged the malicious GRU DNS resolvers, and restored legitimate ISP default settings.
The commands also closed the access path the attackers had originally used, locking them out of the devices.
The government tested these actions extensively with MIT Lincoln Laboratory to confirm that they neither disrupted normal router functionality nor accessed private user data.
The disruption effort was a collaborative success involving the FBI’s Boston and Philadelphia Field Offices, with critical threat intelligence provided by Microsoft and Black Lotus Labs at Lumen.
Recommended Remediation Steps
While the FBI has secured the compromised devices, the agency urges all SOHO router owners to take proactive steps to defend their networks:
- Replace any End-of-Life (EoL) or otherwise unsupported router immediately; such devices will never receive fixes for the vulnerabilities being exploited.
- Update the router to the latest firmware available from the manufacturer.
- Verify that the DNS resolvers configured on the router are the ones you or your ISP set; an unfamiliar resolver address is the hallmark of this attack.
- Review and update firewall rules so that remote management interfaces are not exposed to the internet.
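The two DNS checks implied by the attack description and by the resolver-verification step above, as an added example written for this article; it is not code from the FBI, TP-Link, or the original report. It is plain Python using only the standard library. The allowlisted resolver addresses, the resolv.conf text, and the DNS answers are constructed sample data using RFC 5737 documentation ranges, so the script runs offline; the Microsoft hostnames are real service names used only as labels, and the addresses shown for them are not real records.

```python
"""Spot-check a home or small-office network for router DNS hijacking.

Check 1: every resolver a LAN host was handed (e.g. via DHCP) is either a
         LAN address (the router itself) or on an explicit allowlist.
Check 2: for high-value hostnames, A records obtained through the router
         agree with those from an independent, trusted resolver.
"""
import ipaddress
import re

# Hypothetical allowlist: the ISP's two resolvers plus two public ones.
# Replace with the resolvers you or your ISP actually configured.
ALLOWED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "1.1.1.1", "8.8.8.8"}

# Address ranges a router or local forwarder legitimately lives in.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]

# Constructed sample of what a DHCP client might write to /etc/resolv.conf.
# 198.51.100.7 is a public address that is neither the router nor allowlisted.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed example)
nameserver 192.168.0.1
nameserver 198.51.100.7
search lan
"""

# Constructed DNS answers (RFC 5737 documentation addresses, not real records).
# Gather real ones with:  dig +short <name> @192.168.0.1   (through the router)
#                         dig +short <name> @1.1.1.1       (independent resolver)
ROUTER_ANSWERS = {
    "outlook.office.com": {"198.51.100.20"},           # points at an AitM proxy
    "login.microsoftonline.com": {"203.0.113.10", "203.0.113.11"},
    "www.example.com": {"203.0.113.30"},
}
TRUSTED_ANSWERS = {
    "outlook.office.com": {"203.0.113.40", "203.0.113.41"},
    "login.microsoftonline.com": {"203.0.113.11", "203.0.113.10"},
    "www.example.com": {"203.0.113.30"},
}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver entries from resolv.conf-style text, in order,
    ignoring comments and unrelated directives."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def suspicious_resolvers(servers, allowlist=ALLOWED_RESOLVERS) -> list[str]:
    """Flag resolvers that are neither LAN/loopback addresses (the router or a
    local forwarder) nor on the allowlist. Entries that are not IP addresses
    are flagged too, since they should never appear here."""
    flagged = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if any(ip in net for net in LAN_NETWORKS):
            continue
        if str(ip) not in allowlist:
            flagged.append(server)
    return flagged


def dns_mismatches(router_answers, trusted_answers) -> dict[str, tuple[set, set]]:
    """Return hostnames whose router-resolved addresses share nothing with the
    trusted resolver's answer. Requiring zero overlap (rather than exact
    equality) avoids false alarms from CDNs that rotate or localize answers;
    a name the trusted resolver cannot resolve at all is still reported."""
    mismatches = {}
    for name, router_ips in router_answers.items():
        trusted_ips = trusted_answers.get(name, set())
        if not router_ips & trusted_ips:
            mismatches[name] = (set(router_ips), set(trusted_ips))
    return mismatches


def audit(resolv_conf=SAMPLE_RESOLV_CONF, router_answers=ROUTER_ANSWERS,
          trusted_answers=TRUSTED_ANSWERS) -> dict:
    """Run both checks; 'hijack_suspected' is True if either check fires."""
    bad_resolvers = suspicious_resolvers(parse_nameservers(resolv_conf))
    mismatches = dns_mismatches(router_answers, trusted_answers)
    return {
        "unexpected_resolvers": bad_resolvers,
        "dns_mismatches": mismatches,
        "hijack_suspected": bool(bad_resolvers or mismatches),
    }


if __name__ == "__main__":
    report = audit()
    for server in report["unexpected_resolvers"]:
        print(f"[!] unexpected resolver handed to LAN clients: {server}")
    for name, (seen, expected) in report["dns_mismatches"].items():
        print(f"[!] {name}: router says {sorted(seen)}, trusted says {sorted(expected)}")
    print("hijack suspected" if report["hijack_suspected"] else "no indicators found")
```

In practice, fill ROUTER_ANSWERS from queries sent to the router's LAN address and TRUSTED_ANSWERS from an independent resolver, and also inspect the router's own admin page for its upstream resolver settings, since a LAN host usually sees only the router's address in its DHCP lease. The zero-overlap rule keeps CDN and geo-DNS noise down but is a heuristic, not proof: a mismatch on a webmail or login hostname warrants checking the router configuration immediately, while a clean result does not rule out a compromise whose settings have since been reverted.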
The FBI is currently working directly with Internet Service Providers to notify impacted users.
If you believe your router was compromised, consult the official TP-Link download center for configuration guidance and file a report with the FBI's Internet Crime Complaint Center (IC3).
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.