Russian GRU spies hijacked thousands of American home routers to steal sensitive data, but the FBI just severed their access in a decisive counterstrike.
Story Highlights
- FBI and DOJ disrupted a massive GRU botnet exploiting unpatched MikroTik and TP-Link routers in U.S. homes and small businesses.
- Hackers stole passwords and bypassed 2FA from over 18,000 victims worldwide, targeting governments and military.
- Operation Dying Ember reset infected devices and blocked re-infection, neutralizing the threat as of April 7, 2026.
- This victory underscores persistent foreign cyber dangers to everyday Americans amid ongoing Russia-West tensions.
GRU’s Router Hijacking Campaign
Russian GRU Unit 29155, known as APT28 or Fancy Bear, compromised thousands of SOHO routers globally, including in the United States. Attackers exploited known vulnerabilities in outdated MikroTik and TP-Link firmware to install Moobot malware, turning everyday devices into a botnet used to redirect internet traffic and steal credentials. The campaign spanned several years and supported broad spearphishing against high-value targets such as governments and corporations. Homeowners and small businesses unknowingly aided Russian espionage.
FBI-Led Disruption Under Operation Dying Ember
The FBI and Department of Justice executed Operation Dying Ember, securing court warrants to deploy cleanup commands on infected U.S. routers. Agents deleted the malware, reset devices to factory settings, and blocked the hackers from regaining access. International partners including the UK’s NCSC, Ukraine’s SBU, Lumen’s Black Lotus Labs, and Microsoft contributed intelligence. As of April 7, 2026, the DOJ confirmed the neutralization of U.S.-based infections and the takedown of malicious domains. FBI Director Christopher Wray highlighted the operation’s success at the Munich Security Conference.
Historical Context and Evolving Threats
GRU’s actions build on prior operations like the 2016 DNC hack and the 2022 Viasat attack during Russia’s invasion of Ukraine. After 2022, Moscow escalated cyber efforts against NATO allies, using proxies for deniability. This router campaign differed in that it opportunistically targeted consumer devices, manipulating DNS to bypass two-factor authentication. It impacted 18,000 routers across 120 countries, including 200 organizations and 5,000 consumer devices, with Africa, Asia, and the Americas hit hardest. U.S. critical infrastructure faced indirect risks from unpatched devices.
Impacts on Americans and Path Forward
Americans now face clear evidence that foreign adversaries lurk in their homes through vulnerable routers, eroding privacy and national security. In the short term, the botnet takedown reduces immediate espionage risks, but the long-term vulnerabilities persist without firmware updates. Economic costs include ISP notifications and device resets. Politically, this bolsters deterrence in the U.S.-Russia cyber cold war while aiding Ukraine’s defense. Both conservatives and liberals share frustration over government failures to protect citizens from such elite-manipulated threats, demanding stronger individual safeguards and limited but effective federal action. The FBI urges router owners to patch their devices immediately.
Sources:
US disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ
Russian government hackers broke into thousands of home routers to steal passwords
Kyiv Post article on related GRU activities
Russian Hackers Hit SOHO Routers in Cyberespionage Campaign
UK exposes Russian cyber unit hacking home routers