Russian military intelligence hackers hijacked at least 18,000 home and small office routers across 120 countries to steal passwords, authentication tokens and emails, according to warnings issued by the UK, US, German and other Western intelligence agencies.
The FBI has announced that it has disrupted the campaign, which targeted vulnerable TP-Link and MikroTik routers, in an action codenamed Operation Masquerade.
The hacking group, known as Fancy Bear, APT28 or Forest Blizzard, is attributed to Russia’s GRU military intelligence agency, specifically its 85th Main Special Service Centre, Military Intelligence Unit 26165. The UK’s National Cyber Security Centre (NCSC) published an advisory confirming that the group has been exploiting vulnerable routers since at least 2024 to overwrite their DNS settings and redirect all connected devices through attacker-controlled servers.
The technique is straightforward but effective. The hackers exploited known vulnerabilities in TP-Link routers, primarily CVE-2023-50224 in the TP-Link WR841N model, which allows an unauthenticated attacker to extract credentials through specially crafted HTTP requests. Once inside, they modified the router’s DHCP DNS settings to point to servers they controlled.
Every device connected to that router, including laptops, phones and tablets, then inherited those modified settings and began sending DNS lookups through Russian-controlled infrastructure. When a victim typed in a familiar address like outlook.com, they were served a convincing copycat page. Entering their real credentials on the fake page handed their passwords directly to the hackers.
Independent cybersecurity researcher Lukasz Olejnik described the technique as “elegant and simple,” noting that once the router is compromised, every device on the network is affected without any malware needing to be installed on those devices.
Microsoft identified over 200 organizations and 5,000 consumer devices impacted by the operation, including at least three government organizations in Africa. Researchers at Black Lotus Labs, a security division of internet backbone provider Lumen, found that at the peak of activity in December 2025, the surveillance dragnet had ensnared more than 18,000 routers across 120 countries.
Targets included government departments, law enforcement agencies and email providers across North Africa, Central America and Southeast Asia. Germany’s domestic intelligence agency confirmed that roughly 30 vulnerable devices in Germany were compromised, with some requiring full replacement.
The NCSC listed at least 23 TP-Link router models targeted by the group, adding that the list is likely incomplete. The hackers primarily went after end-of-life routers or devices far behind on security updates. They did not need to install malware. The DNS modification alone was enough to passively intercept traffic from all connected devices.
The FBI launched Operation Masquerade in response, sending commands to hacked routers on U.S. soil that collected forensic data and reset DNS settings to remove Russia’s foothold. The U.S. Department of Justice announced the neutralization of compromised routers located in the United States. The FBI’s Boston office confirmed the court-authorized disruption of the DNS hijacking network.
The operation comes amid broader regulatory action against foreign-made routers. On March 23, the U.S. Federal Communications Commission announced it would no longer certify consumer-grade internet routers produced outside the United States, citing national security concerns. TP-Link, which manufactures in China, was among the brands facing scrutiny. The FCC warned that poorly secured foreign-made routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure.”
For anyone running a TP-Link or MikroTik router at home or in a small office, the advice from the FBI, NCSC and CISA is consistent: update firmware immediately, change default usernames and passwords, disable remote management interfaces from the internet, and replace any end-of-life routers that no longer receive security updates. Users should also pay close attention to certificate warnings in web browsers, as the hackers relied on victims clicking through security warnings to reach the fake login pages.
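As an added example (not code from the article or from any of the advisories it cites), the Python check below shows how a defender can spot the two symptoms of this hijack on a host: a DHCP-supplied resolver that is neither the router's own LAN address nor a known public resolver, and answers for a sensitive name such as outlook.com that disagree with an independent resolver. The LAN range, the allow list, the sample resolv.conf and the injected lookup callables are constructed assumptions for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Resolvers a home/SOHO network is expected to hand out over DHCP: the router's
# LAN address plus well-known public resolvers. Constructed allow list; adapt it.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample of a DHCP-generated resolv.conf. 203.0.113.44 sits in a
# documentation range and stands in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """# Generated by DHCP client (constructed sample)
nameserver 192.168.0.1
nameserver 203.0.113.44
"""

def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf-style text, skipping comments."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def flag_unexpected_resolvers(servers: List[str], lan_cidr: str) -> List[str]:
    """Flag resolvers that are neither on the LAN nor on the allow list."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # an unparsable entry is itself worth a look
            continue
        if addr not in lan and server not in KNOWN_PUBLIC_RESOLVERS:
            flagged.append(server)
    return flagged

def dns_divergence(domains: List[str], local: Callable[[str], Set[str]],
                   trusted: Callable[[str], Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Compare A-record answers from the DHCP-supplied resolver with a trusted one.

    Both lookups are injected callables (domain -> set of IPs) so the check runs
    offline; in practice wire `local` to the system resolver and `trusted` to an
    independent DoH/DoT resolver. CDN-hosted names legitimately differ by region,
    so treat a mismatch as a lead to verify, not as proof of hijacking."""
    mismatches = {}
    for name in domains:
        local_ips, trusted_ips = set(local(name)), set(trusted(name))
        if local_ips and not (local_ips & trusted_ips):
            mismatches[name] = (sorted(local_ips), sorted(trusted_ips))
    return mismatches
```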