FBI Warns That Your Router May Need An Urgent Upgrade

The FBI issues an urgent warning as cybercriminals use outdated routers to build a multi-million-dollar criminal enterprise, compromising home network security nationwide.

Quick Takes

  • Cybercriminals have targeted at least 13 outdated router models, primarily Linksys devices, to create a botnet that generated over $46 million in illicit profits
  • Four individuals (three Russians and one Kazakhstani) have been charged with infecting older routers with “TheMoon” malware to hijack them for proxy services
  • The compromised devices were sold through domains Anyproxy.net and 5Socks.net, which have been seized by the FBI
  • “End-of-life” routers that no longer receive security updates are particularly vulnerable to exploitation
  • The FBI recommends replacing outdated routers, disabling remote administration features, and rebooting devices to prevent infection

Major Router Vulnerability Exposes Millions of American Homes

The FBI has issued a critical security warning targeting owners of older internet routers, particularly those manufactured by Linksys under the Cisco brand. These outdated devices, many from the 2000s and 2010s, have become prime targets for cybercriminals due to their lack of security updates and unpatched vulnerabilities. An international cybercrime operation has successfully hijacked these devices, turning them into tools for data theft, spam distribution, denial-of-service attacks, and illicit proxy services that netted the criminals tens of millions of dollars before authorities intervened.

Federal authorities have identified at least 13 router models that are particularly susceptible to exploitation by “TheMoon” malware. This sophisticated attack has been targeting Wi-Fi routers since 2014 and poses a significant risk because it does not require a password to infect systems. Instead, it spreads by scanning networks for open ports and sending commands to vulnerable scripts, making detection difficult for average users. Once infected, these compromised devices operate as part of a larger botnet, creating serious security concerns for both the device owners and potential victims of the criminal activities facilitated through these networks.

Criminal Enterprise Dismantled After Generating Millions

The Justice Department has taken decisive action against the individuals responsible for creating and operating the Anyproxy botnet. “The Indictment alleges that a botnet was created by infecting older-model wireless internet routers worldwide, including in the United States, using malware without their owners’ knowledge,” the DOJ said in its announcement of charges against four foreign nationals. The operation’s scope was vast, with infected devices spanning the United States and numerous other countries, highlighting the global nature of modern cybersecurity threats.

“The defendants are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet,” said federal officials.

Lumen Technologies has identified a long-term campaign using TheMoon malware, supporting a cybercriminal group known as “Faceless.” The telecommunications company has taken steps to block all traffic associated with TheMoon and Faceless on its network. Cybersecurity experts note that small office routers have become frequent targets for these types of attacks due to their widespread deployment and inconsistent security maintenance, creating an expansive attack surface that criminals can exploit with relative ease.

How to Protect Your Home Network

The FBI warns that “end-of-life” routers pose a significant security risk because manufacturers no longer provide crucial updates to address new vulnerabilities. “The remote administration feature that comes pre-installed on these routers is the major source of vulnerability,” the FBI explained in their warning. This feature, often enabled by default, creates an entry point that skilled attackers can exploit even when password protection is in place, giving them control over the device and access to data passing through it.

“Because the malware is router-based,” the FBI noted, “it can be more difficult for users to notice when something is wrong.”

To safeguard your home network, the FBI recommends replacing compromised or outdated routers with newer models that receive regular security updates. For those unable to upgrade immediately, disabling remote administration features and rebooting your router can help prevent or clear infections. Additionally, users should watch for warning signs of compromise, such as unusual network slowdowns, devices overheating, connectivity issues, or unexplained changes to router settings. Anyone suspecting their device has been compromised should report the incident to their local FBI field office.
