A group of Russian government hackers has hijacked thousands of home and small business routers around the world as part of an ongoing campaign to redirect victims’ Internet traffic in order to steal passwords and access tokens, security researchers and government authorities warned on Tuesday.
This is the latest tactic by the long-running Russian hacking group known as Fancy Bear, or APT 28, known for its high-profile hacks and espionage operations, including the 2016 breach of the Democratic National Committee and the devastating hack that hit satellite provider Viasat in 2022. Fancy Bear is widely believed to be part of the Russian government’s intelligence services.
The hacking group targeted unpatched routers made by MikroTik and TP-Link using previously disclosed vulnerabilities, according to the UK government’s cyber security agency, the NCSC, and Lumen’s research arm, Black Lotus Labs, which released new details about the campaign on Tuesday.
According to the researchers, the hackers were able to spy on a large number of people over the course of several years by compromising their routers, many of which have outdated software, leaving them vulnerable to remote attacks without their owners’ knowledge.
The NCSC said these operations are “most likely opportunistic in nature, with the actor casting a wide net to reach multiple potential victims, before narrowing the targets of intelligence interest as the attack progresses.”
According to investigators and government advisories, the Russian hackers compromised routers to modify the devices’ settings so that the victims’ Internet requests were secretly routed through infrastructure managed by the hackers. This allows the hackers to redirect victims to spoofed websites under their control, and then steal the passwords and tokens that let them log into the victims’ online accounts without needing two-factor authentication codes.
Black Lotus Labs said Fancy Bear compromised at least 18,000 victims in about 120 countries, including government agencies, law enforcement agencies and email providers across North Africa, Central America and Southeast Asia.
Microsoft, which also released details of the campaign on Tuesday, said in a blog post that its researchers identified over 200 organizations and 5,000 consumer devices affected by these hacking operations, including at least three government agencies in Africa.
The FBI is expected to announce the takedown of several domains used by the hackers in this campaign. Lumen said it was part of a coalition, including the FBI, that disrupted the botnet and took it offline.
An FBI spokesman did not respond to requests for comment before publication.
On Tuesday afternoon, the US Department of Justice announced that it had taken down hacked routers located on US soil under a court order. The Justice Department said the FBI “developed a series of commands to send to compromised routers” to gather evidence, restore settings and prevent the hackers from breaking into the routers again.
Updated to include information from the DOJ announcement.
