Cybersecurity · Hacking · Developer Tools

Russian Hackers Were Inside Your Home Router

May 22, 2026

If you own a TP-Link router and haven't touched its settings in a while, there's a chance Russian military intelligence was watching your traffic. Not hypothetically — literally.

In April 2026, the FBI, NSA, and DOJ announced they'd disrupted a covert surveillance network built entirely out of hijacked home and small-office routers. The operation was called Operation Masquerade. The culprit: Russia's GRU.

Who Did This and How

The GRU's Military Unit 26165 — also known as APT28, Fancy Bear, or Forest Blizzard — exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide, then manipulated their settings to redirect DNS requests to GRU-controlled servers.

The hackers targeted vulnerable TP-Link and MikroTik routers and changed their DHCP and DNS settings, so that name lookups from every device on those networks went to attacker-controlled resolvers. Whoever answers those lookups decides which server a client connects to, which let the GRU steer sessions through its own infrastructure and capture passwords, authentication tokens, emails, and browsing data.

The specific vulnerability used: CVE-2023-50224, an authentication bypass in the management interface of TP-Link TL-WR841N routers that leaks stored credentials. A known flaw. Patched by the vendor. But millions of routers never got the update.

The Scale

At its peak in December 2025, more than 18,000 routers across at least 120 countries were feeding data to GRU-controlled servers. Inside the United States alone, Microsoft Threat Intelligence identified over 200 compromised organizations and at least 5,000 consumer devices across 23 states.

Hijackings occurred across Canada, Finland, Latvia, Lithuania, Norway, Poland, Portugal, Romania, and others. Romania's president called it a continuous "hybrid war."

Why This Attack Is So Effective

The technique is invisible to the end user. The browser shows a normal-looking URL. The login page looks legitimate. Nothing triggers a typical antivirus alert. One caveat matters for defenders: a DNS redirect by itself does not defeat TLS certificate validation, so what it reliably exposes is plain-HTTP traffic, the metadata of every lookup, and any client that accepts an attacker-issued certificate or falls back to HTTP.

Your laptop or phone inherits whatever DNS settings your router hands out via DHCP. Change the resolver the router advertises, or the upstream resolver the router itself forwards to, and you control where every lookup goes: silently, invisibly, at scale.

Rather than going after corporate VPNs or government networks directly, the GRU targeted the gateway devices that mediate traffic for entire households. A single compromised router gives visibility into every online service used by every person on that network. It's a remarkably efficient approach — exploiting a class of device most people plug in once and never think about again.

Kazuar: A Second Threat Still Active

While Operation Masquerade was being dismantled, a separate alarm went off. On May 14, 2026, Microsoft's Threat Intelligence team published a report on Kazuar — a malware family linked to Secret Blizzard, attributed by CISA to Center 16 of Russia's Federal Security Service (FSB). What was once a conventional backdoor has been transformed, over years of continuous development, into something significantly more capable.

Two separate Russian intelligence arms. Two active operations. Running concurrently.

What You Need to Do Right Now

This isn't theoretical. The FBI's official guidance is direct:

  • Update your router firmware. Especially if you're on a TP-Link or MikroTik device.
  • Change default usernames and passwords if you haven't already.
  • Disable remote management from the internet.
  • Check your DNS settings. Log into your router and verify that neither the upstream (WAN) resolver addresses nor the DNS servers handed out by DHCP have been altered. Confirm from a client too: the DHCP lease on your laptop shows what the router actually handed out.
  • Anyone who suspects their router was targeted can file a complaint with the Internet Crime Complaint Center at ic3.gov.

If you're a developer working remotely — or running any kind of home lab — this matters more than it does for the average user. Your router is the perimeter. If it's compromised, everything behind it is.

Sources: DOJ, FBI / IC3, SecurityWeek, TechTimes