FBI Catches Russian Hackers INFILTRATING U.S. Homes!

Russian spies turned your home router into a secret weapon against America—until the FBI flipped the switch and severed their access overnight.

Story Snapshot

  • GRU hackers (APT28) hijacked 18,000+ SOHO routers worldwide, stealing credentials from U.S. and allied targets.
  • FBI’s Operation Dying Ember deleted malware, reset devices, and blocked Russian re-entry in a court-approved strike.
  • Campaign exploited unpatched MikroTik and TP-Link vulnerabilities, bypassing 2FA via traffic redirection.
  • Disruption spanned 120 countries, hitting governments, military, and corporations amid Ukraine war tensions.
  • Latest takedown on April 7, 2026, neutralized U.S. routers and domains, ending the botnet threat.

GRU Launches Global Router Hijacking Campaign

Russian GRU Unit 29155, known as APT28 or Fancy Bear, began targeting unpatched MikroTik and TP-Link routers several years ago. The hackers installed Moobot malware on thousands of home and small office devices. The resulting botnet redirected DNS traffic to steal passwords and authentication tokens and to enable spearphishing. Victims spanned 120 countries, with over 18,000 routers compromised, including 5,000 consumer devices and 200 organizations. North Africa and Central Asia suffered the heaviest hits, but U.S. infrastructure faced direct risks.

FBI and Allies Execute Operation Dying Ember

The FBI and DOJ obtained court warrants to infiltrate the botnet. Agents deployed commands that deleted the Moobot malware, reset router credentials, and blocked GRU command-and-control access. International partners, including the UK’s NCSC, Ukraine’s SBU, Lumen’s Black Lotus Labs, and Microsoft, coordinated the effort. The initial disruption occurred in February 2024 at the Munich Security Conference; full U.S. neutralization followed on April 7, 2026, with domain seizures. FBI Director Christopher Wray and AG Merrick Garland hailed the operation’s success.

Tactics Bypass Defenses and Target High-Value Assets

GRU operatives exploited known firmware flaws in outdated routers, turning everyday devices into espionage platforms. The malware manipulated DNS to hijack traffic, capturing credentials even from accounts protected by two-factor authentication. This “wide net” approach sifted the take for military, government, and corporate targets. Unlike the 2016 DNC hack or the 2022 Viasat attack, this campaign relied on opportunistic SOHO compromises and criminal proxies for deniability. Experts at Black Lotus Labs confirmed the scale and methods.
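The DNS redirection described above leaves traces a defender can look for from inside the network: answers arriving from a resolver nobody configured, public login hosts resolving to LAN addresses, and unrelated portals collapsing onto one address. The following audit is an added example, not code from the article or from any of the parties it names; the observations, the resolver allowlist and the internal-suffix list are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not indicators from the article): each entry is
# (hostname, resolver IP that answered, list of A-record answers) as seen
# from clients behind a small office router.
OBSERVATIONS = [
    ("mail.example.org", "9.9.9.9", ["93.184.216.34"]),
    ("login.example.com", "198.51.100.7", ["198.51.100.9"]),
    ("sso.example.net", "198.51.100.7", ["198.51.100.9"]),
    ("wiki.corp.internal", "198.51.100.7", ["10.0.0.5"]),
]
# Hypothetical allowlist of resolvers the router should be handing out.
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}
# Hypothetical suffixes that legitimately resolve to LAN addresses.
INTERNAL_SUFFIXES = (".internal",)
# RFC 1918, loopback and link-local space: a public hostname should never
# resolve here unless something on the LAN is answering for it.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_lan_address(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)


def audit_dns(observations, trusted_resolvers, internal_suffixes=()):
    """Return sorted (hostname, finding) pairs that suggest DNS interception."""
    findings = []
    names_by_answer = defaultdict(set)
    for name, resolver, answers in observations:
        # Check 1: the answer came from a resolver outside the allowlist.
        # A silently rewritten upstream is the core of a router DNS hijack.
        if resolver not in trusted_resolvers:
            findings.append((name, f"untrusted resolver {resolver}"))
        internal = name.endswith(tuple(internal_suffixes))
        for ip in answers:
            # Check 2: a public hostname answered with a LAN address.
            if is_lan_address(ip) and not internal:
                findings.append((name, f"public name answers with LAN address {ip}"))
            names_by_answer[ip].add(name)
    # Check 3: unrelated login portals collapsing onto one address is the
    # signature of a credential-relaying proxy. Shared hosting and CDNs can
    # trigger this too, so treat it as a lead to verify, not as proof.
    for ip, names in names_by_answer.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"shares answer {ip} with {len(names) - 1} other name(s)"))
    return sorted(findings)


def router_looks_hijacked(observations, trusted_resolvers, internal_suffixes=()):
    """True when any answer came from a resolver outside the allowlist."""
    return any(f.startswith("untrusted resolver")
               for _, f in audit_dns(observations, trusted_resolvers, internal_suffixes))
```

Feed it real observations by logging the resolver address and answers from a few clients (for example from a DNS-over-UDP capture), and compare any flagged answer against a known-good resolver before concluding the router has been tampered with.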

The Ukraine war escalated these operations against NATO allies. Russia’s shift to router botnets reflects resource strains, but common sense demands vigilance—unpatched hardware invites foreign intrusion, undermining American security and privacy. The facts align with conservative priorities: strong law enforcement disrupts enemies without overreach.

Impacts Ripple Across Security and Geopolitics

In the short term, the botnet takedown halted immediate espionage, restored victim control, and collected evidence. In the long term, it exposes persistent router vulnerabilities and presses manufacturers to ship firmware patches. Economic costs hit ISPs with notifications and resets; socially, credential theft eroded privacy. Politically, the win bolsters deterrence in the U.S.-Russia cyber cold war and aids Ukraine’s defense. Industry now prioritizes SOHO security amid parallels to Chinese threats.

Microsoft reported hits on African governments and law enforcement; the NCSC described the campaign’s evolution from opportunistic hacking to an intelligence focus. The FBI advises remaining victims to update their devices. No active GRU control persists, but re-infection risks linger without user action. Western coalitions hold the edge through attribution and rapid response.

Sources:

US disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ

Russian government hackers broke into thousands of home routers to steal passwords

Kyiv Post article on related GRU activities

Russian Hackers Hit SOHO Routers in Cyberespionage Campaign

UK exposes Russian cyber unit hacking home routers