Russian spies hijacked thousands of American home routers to steal secrets, but the FBI just flipped the switch and cut them off cold.
Story Snapshot
- GRU hackers from Russia infected MikroTik and TP-Link routers with Moobot malware, building a botnet for global espionage.
- Operation Dying Ember by FBI and DOJ neutralized the threat, deleting malware from U.S. devices and seizing domains.
- Over 18,000 victims in 120 countries, including government and military targets, faced theft of passwords and tokens that bypassed 2FA.
- Disruption highlights Western coalition success against Russian cyber ops amid Ukraine war tensions.
GRU Hackers Target Vulnerable Routers
Russian GRU Unit 29155, known as APT28 or Fancy Bear, exploited unpatched vulnerabilities in MikroTik and TP-Link SOHO routers. Hackers installed Moobot malware over several years, turning devices into a botnet. This network redirected traffic through DNS manipulation, stealing passwords and tokens from users worldwide. The operation focused on opportunistic infections, hitting home and small business users hardest. North Africa and Central Asia saw the most compromises, but U.S. routers fell victim too.
Botnet Enables Stealthy Credential Theft
Hackers used the botnet for spearphishing against governments, militaries, and corporations. DNS hijacking bypassed two-factor authentication, granting access to sensitive accounts. Microsoft reported over 200 organizations and 5,000 consumer devices affected. Black Lotus Labs at Lumen detailed how attackers cast wide nets to snag high-value targets. This tactic marked a shift from direct hacks like the 2016 DNC breach or 2022 Viasat attack, favoring low-profile router proxies for deniability.
FBI Leads Operation Dying Ember Disruption
FBI and DOJ secured court warrants to deploy commands on compromised U.S. routers. Agents deleted Moobot malware, reset devices to factory settings, and blocked Russian re-access. International partners including UK’s NCSC, Ukraine’s SBU, Lumen, and Microsoft joined the coalition. FBI Director Christopher Wray announced initial takedowns at the 2024 Munich Security Conference. By April 7, 2026, DOJ confirmed U.S. neutralization and domain seizures, taking the full botnet offline.
Attorney General Merrick Garland stated the U.S. accelerates disruptions of Russian cyber campaigns. FBI now advises ISPs to notify remaining victims and patch firmware. No active GRU control persists, per Lumen reports. This victory aligns with American values of robust national security and common-sense defenses against foreign aggression.
Impacts Span Security, Economy, and Geopolitics
Short-term, victims regained router control, slashing immediate espionage risks. Long-term, the operation exposes persistent router vulnerabilities, urging MikroTik and TP-Link firmware updates industry-wide. Economic costs hit ISPs with notifications and resets; individuals faced privacy breaches from stolen credentials. Politically, it disrupts GRU efforts supporting Russia’s Ukraine war, strengthening Western deterrence. U.S. infrastructure dodged direct hits but learned from global patterns.
Socially, everyday users unwittingly aided Russian spying, eroding trust in home networks. The campaign paralleled recent Chinese router threats, pushing global coalitions. Experts like NCSC call it opportunistic evolution toward intel focus. Facts confirm this as a clear win for rule-of-law nations over state-sponsored thuggery, resonating with conservative priorities on sovereignty and vigilance.
Sources:
- US disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ
- Russian government hackers broke into thousands of home routers to steal passwords
- Kyiv Post article on related GRU activities
- Russian Hackers Hit SOHO Routers in Cyberespionage Campaign
- UK exposes Russian cyber unit hacking home routers