
The FBI has issued an urgent warning to Americans still using old routers, as Russian hackers have already exploited these devices to create a $46 million criminal enterprise.
Quick Takes
- At least 13 outdated router models, primarily older Linksys routers, have been targeted by hackers to create botnets for illegal activities
- Four foreign nationals (three Russians and one Kazakhstani) have been charged with infecting these routers with “TheMoon” malware
- The criminal enterprise generated over $46 million by selling access to hijacked routers through services called Anyproxy.net and 5Socks.net
- The FBI strongly recommends replacing vulnerable “end-of-life” routers that no longer receive security updates
- Even password-protected routers can be compromised through their remote administration features
Russian Hackers Exploit Outdated Routers
Federal authorities have uncovered a sophisticated cybercriminal operation targeting outdated home routers across America. The scheme, allegedly run by three Russian nationals and one Kazakhstani citizen, involved hijacking vulnerable routers to create a massive network of compromised devices. These infected routers were then sold as proxy servers through online services called Anyproxy.net and 5Socks.net, allowing other criminals to conduct illegal activities anonymously while routing traffic through American homes.
“The Indictment alleges that a botnet was created by infecting older-model wireless internet routers worldwide, including in the United States, using malware without their owners’ knowledge,” said the Department of Justice in a statement.
The operation was highly profitable, with federal officials stating, “The defendants are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.” The hackers specifically targeted routers that have reached “end-of-life” status, meaning manufacturers no longer provide critical security updates to patch vulnerabilities, leaving these devices permanently exposed to attacks.
Vulnerable Devices and Attack Methods
The FBI has identified 13 particularly vulnerable router models, most sold under the Linksys brand when it was owned by Cisco. These include popular models from the 2000s and early 2010s that many Americans may still be using. The malware employed in these attacks, known as “TheMoon,” has been circulating since at least 2014 and specifically targets unpatched vulnerabilities in these older devices.
TheMoon operates by scanning for routers with exposed open ports and sending commands to a vulnerable script on the device; once it runs, the router is enrolled in a botnet controlled by the operators. What makes the attack particularly insidious is that it does not need the router's administrator password to succeed, so a strong password alone is no defence, and an infection can remain undetected for extended periods. The FBI notes that “because the malware is router-based, it can be more difficult for users to notice when something is wrong.”
Signs of Compromise and FBI Recommendations
Router owners should watch for warning signs of compromise, including unexpected device overheating, connectivity problems, or unusual network activity. The most concerning aspect is that a router protected by a strong administrator password can still be breached if its remote administration feature is reachable from the internet, because the malware exploits the device's firmware rather than guessing credentials. Cybersecurity firm Lumen Technologies has identified this campaign as supporting a criminal proxy service known as “Faceless” and has taken steps to block associated traffic on its network.
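Two of the warning signs above, the router itself originating outbound traffic (which is what a hijacked router does once it is sold as a proxy) and remote administration being reached from the internet, can be checked from a connection log rather than by eye. The following is an added example, not code from the FBI, the Department of Justice or any router vendor. It assumes a connection log taken on the router (or on a firewall between the router and the LAN) in which source addresses are recorded before NAT, so LAN hosts keep their private addresses and sessions the router opens for itself carry the router's own address; the field order, the addresses, the management ports and the fan-out threshold are all assumptions chosen for the example, and the sample log is constructed.

```python
"""Log-based checks for two warning signs of a hijacked home router:
the router itself originating outbound sessions (proxy-node behaviour)
and its remote administration interface being reached from the Internet.

Added example; not code from the FBI, DOJ or any router vendor. Assumes a
connection log in which sources are recorded BEFORE NAT. Field order is an
assumption for this example:  timestamp src_ip src_port dst_ip dst_port proto
"""
import ipaddress
from collections import Counter

# Assumptions about the network under review. 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges (RFC 5737).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1"),   # LAN side
                ipaddress.ip_address("203.0.113.45")}  # WAN side

# Ports on which the router's admin interface may listen (assumption; check your model).
MGMT_PORTS = {22, 23, 80, 443, 8080, 8443}

# Services a router legitimately contacts on its own: DNS and NTP. HTTPS is
# deliberately NOT excluded, because proxied traffic is mostly HTTPS and a
# firmware check reaches only a handful of hosts anyway.
HOUSEKEEPING_PORTS = {53, 123}

# Distinct external hosts the router may contact on its own before we flag it
# (assumption; a proxy node fans out to far more hosts than a firmware check).
PROXY_FANOUT_THRESHOLD = 5


def parse_line(line):
    """Parse one record; return None for comments, blanks and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower()}
    except ValueError:
        return None


def is_internal(addr):
    """True for LAN hosts and for the router's own addresses."""
    return addr in LAN_NET or addr in ROUTER_ADDRS


def analyse(log_text):
    """Return both findings as plain data so a caller can alert or assert on them."""
    remote_admin = []          # Internet host -> router management port
    router_fanout = Counter()  # external host -> sessions the router opened to it

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Check 1: a non-internal source reached a management port on the router.
        if (rec["dst"] in ROUTER_ADDRS and rec["dport"] in MGMT_PORTS
                and not is_internal(rec["src"])):
            remote_admin.append({"ts": rec["ts"], "src": str(rec["src"]),
                                 "dport": rec["dport"]})
        # Check 2: the router itself opened a session to an external host on a
        # port that is not routine housekeeping. NAT'd LAN traffic is excluded
        # because its pre-NAT source is a LAN address, not the router's.
        if (rec["src"] in ROUTER_ADDRS and not is_internal(rec["dst"])
                and rec["dport"] not in HOUSEKEEPING_PORTS):
            router_fanout[str(rec["dst"])] += 1

    return {
        "remote_admin": remote_admin,
        "router_originated_hosts": sorted(router_fanout),
        "proxy_like": len(router_fanout) >= PROXY_FANOUT_THRESHOLD,
    }


# Constructed sample log (not captured from any real device).
SAMPLE_LOG = """\
# LAN hosts browsing; pre-NAT source is the LAN address
2025-05-09T12:00:01Z 192.168.1.50 51514 198.51.100.10 443 tcp
2025-05-09T12:00:02Z 192.168.1.51 51515 198.51.100.11 443 tcp
# router housekeeping: DNS and NTP
2025-05-09T12:00:03Z 203.0.113.45 53201 198.51.100.53 53 udp
2025-05-09T12:00:04Z 203.0.113.45 123 198.51.100.123 123 udp
# admin login from inside the LAN: expected
2025-05-09T12:00:05Z 192.168.1.50 51600 192.168.1.1 80 tcp
# an Internet host reaching the router's web admin on the WAN side
2025-05-09T12:00:06Z 198.51.100.200 40000 203.0.113.45 8080 tcp
2025-05-09T12:00:07Z 198.51.100.200 40001 203.0.113.45 8080 tcp
# the router itself fanning out to unrelated hosts: proxy-node behaviour
2025-05-09T12:00:10Z 203.0.113.45 40100 192.0.2.10 443 tcp
2025-05-09T12:00:11Z 203.0.113.45 40101 192.0.2.20 443 tcp
2025-05-09T12:00:12Z 203.0.113.45 40102 192.0.2.30 80 tcp
2025-05-09T12:00:13Z 203.0.113.45 40103 192.0.2.40 443 tcp
2025-05-09T12:00:14Z 203.0.113.45 40104 192.0.2.50 25 tcp
2025-05-09T12:00:15Z 203.0.113.45 40105 192.0.2.60 443 tcp
this line is malformed and is skipped
"""

if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for hit in findings["remote_admin"]:
        print(f"remote admin reached from {hit['src']} on port {hit['dport']} at {hit['ts']}")
    if findings["proxy_like"]:
        print("router originated sessions to", len(findings["router_originated_hosts"]),
              "external hosts: proxy-like behaviour")
```

The second check only works because the log records pre-NAT sources; on a log taken upstream of the router every LAN session also carries the WAN address and the two cases cannot be told apart. The threshold is deliberately low for a home network, where the router should have almost no reason to open sessions of its own beyond DNS, NTP and an occasional update check.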
The FBI’s guidance is clear and direct: replace vulnerable routers immediately. For those unable to replace their equipment right away, the agency recommends disabling remote administration features and performing a complete router reboot, which may only temporarily remove the malware: because the underlying vulnerability is never patched on an end-of-life device, it can simply be reinfected. Any suspicious activity should be reported to your local FBI field office. The agency has also seized the domains Anyproxy.net and 5Socks.net as part of its ongoing investigation into these attacks.
Protecting Your Home Network
With these router vulnerabilities exposed, cybersecurity experts are emphasizing the importance of regular hardware updates for home networks. Modern routers offer significantly improved security features, including stronger encryption protocols and automatic firmware updates that patch new vulnerabilities as they’re discovered. Keeping network equipment current is now considered as essential as updating the operating systems on computers and smartphones.
Beyond replacing outdated hardware, basic security practices remain essential: change default passwords on all network devices, enable WPA3 (or at least WPA2) Wi-Fi encryption, disable remote management features when not needed, and apply firmware updates promptly. With small business routers being particularly attractive targets for cybercriminals, these protective measures have become crucial for home and business users alike.
Sources:
- https://www.msn.com/en-us/news/technology/fbi-warns-you-should-upgrade-your-old-router-now-here-s-why/ar-AA1Eqa78?ocid=mmx
- https://www.pcmag.com/news/still-use-one-of-these-old-routers-its-vulnerable-to-hackers-fbi-says
- https://www.usatoday.com/story/tech/2025/05/09/linksys-internet-routers-cyberattack-fbi/83537973007/