Morning Overview

FBI warns older Wi-Fi routers may be vulnerable to AVrecon malware

The FBI released a flash alert on March 12, 2026, warning that thousands of older Wi‑Fi routers across the United States have been infected with AVrecon malware and quietly converted into residential proxy nodes for criminal networks. The alert follows a federal takedown of a global proxy service that exploited end‑of‑life networking hardware to defraud U.S. individuals, businesses, and financial institutions of millions of dollars. For households still running aging routers that no longer receive security patches, the risk is immediate: their devices may already be tools in someone else’s fraud operation.

Federal Takedown Exposes a Massive Proxy Network

A court‑authorized operation dismantled a global proxy service that had been enrolling compromised routers since summer 2020. According to California prosecutors, the service had offered 369,000 IP addresses over that period, effectively renting out infected home routers as anonymizing relays for criminal traffic. Seizure warrants were issued against U.S.‑registered domains tied to the operation.

As of February 2026, approximately 8,000 infected routers remained listed on the service, with roughly 2,500 of those located in the United States. The fraud enabled by this infrastructure caused millions of dollars in losses across thousands of American victims, including both individuals and financial institutions. The scale of the network reveals how a single piece of malware, quietly installed on consumer‑grade hardware, can sustain years of criminal activity before law enforcement catches up.

What AVrecon Does to Home Routers

AVrecon is designed to target small office and home office routers, particularly models that manufacturers have stopped supporting with firmware updates. Once installed, the malware turns a router into a proxy server, routing third‑party internet traffic through the device without the owner’s knowledge. That traffic can include credential‑stuffing attacks, fraudulent ad clicks, or communications meant to obscure a criminal’s real location.

The FBI’s March 2026 FLASH, published through its cyber advisory channel and available as a technical bulletin, disseminates indicators of compromise, or IOCs, that network administrators and security teams can use to check whether their equipment has been affected. But for ordinary consumers, the infection is nearly invisible. The malware does not typically slow a connection enough to trigger suspicion, and it persists through reboots on many vulnerable devices. That stealth is precisely what makes residential proxies so valuable to criminals: the traffic appears to originate from a normal household.

A Pattern of Warnings About End‑of‑Life Devices

This alert did not arrive in a vacuum. The FBI issued a public notice in May 2025, specifically warning that cybercriminal proxy services were exploiting end‑of‑life routers. That earlier advisory detailed how attackers scan for devices that no longer receive security patches and deploy malware to conscript them into proxy networks.

The agency has also flagged state-sponsored threats to aging network hardware. A separate FBI alert from August 2025 warned that Russian operators were targeting networking devices and critical infrastructure, exploiting unpatched vulnerabilities such as CVE‑2018‑0171 in Cisco Smart Install. While that advisory addressed a different threat actor, the underlying problem is the same: outdated devices with known security holes remain connected to the internet by the millions, and both criminal enterprises and nation‑state operators are taking advantage.

The convergence of these warnings suggests that end‑of‑life routers have become a systemic weak point in American network security. Most coverage of cyber threats focuses on sophisticated software exploits or phishing campaigns. But the AVrecon case shows that the hardware itself, sitting in a closet or mounted on a wall, can be the entry point. Replacing a router is not glamorous, and it is not the kind of action most people associate with protecting themselves from cybercrime. That disconnect is exactly what proxy operators count on.

Signs Your Router May Be Compromised

The FBI’s May 2025 advisory identified commonly reported signs of router malware infections, including devices that overheat without explanation and persistent problems with connected devices such as dropped connections or degraded speeds. These symptoms are easy to dismiss as normal wear on old hardware, which is part of the reason infections go undetected for months or years.

If a router has reached end‑of‑life status, meaning the manufacturer no longer issues firmware updates, the FBI recommends replacing it outright. For devices still receiving support, the agency advises disabling remote administration, changing the default password, and rebooting the router. A reboot alone can temporarily disrupt some malware, but it will not remove persistent infections like AVrecon from devices that remain unpatched.

Who Is Most at Risk?

One dimension of the AVrecon problem that federal advisories do not directly address is who is most likely to still be running vulnerable hardware. Households in rural areas and lower‑income communities are disproportionately likely to use older routers, often provided years ago by internet service providers that have since moved on to newer equipment. These users may lack access to local tech support and may not follow cybersecurity advisories from the FBI or the Internet Crime Complaint Center.

That digital divide has concrete security consequences. People who bought a router once and never thought about it again may not realize that the manufacturer quietly stopped issuing updates. They may also rely on older computers or smartphones that no longer receive security patches, compounding the risk. When those households are drawn into proxy networks, they can unwittingly help criminals attack banks, e‑commerce platforms, or government services, even if their own accounts are never directly targeted.

Small businesses, home‑based offices, and community organizations are in a similar position. A single outdated router in a clinic, nonprofit, or local government office can become a conduit for malicious traffic that appears to originate from a trusted institution. Because AVrecon focuses on turning routers into infrastructure rather than stealing data from the local network, victims may never see obvious signs of compromise such as missing files or locked systems.

How to Reduce Your Exposure

The FBI’s consumer guidance stresses basic network hygiene as the first line of defense. In its 2025 notice on proxy services, the bureau published practical tips that apply directly to the AVrecon campaign. Users are urged to keep router firmware updated, change default administrative passwords, and disable remote management features unless they are strictly necessary.

For many households, the most important step is simply to determine whether a router is still supported. That typically involves checking the model number on the device against the manufacturer’s website. If the device is no longer receiving security updates, replacement is the safest option. While that can be an unwelcome expense, especially for families on tight budgets, the alternative is to leave a critical piece of infrastructure exposed to known vulnerabilities.

Consumers who are unsure how to evaluate their equipment can reach out to their internet service provider and ask whether the installed router is current and supported. Some providers will replace obsolete hardware at no extra cost as part of a service upgrade. Local libraries, community centers, and digital literacy programs can also play a role by helping residents identify outdated devices and understand the risks.

Staying Informed About Future Threats

Because threats like AVrecon evolve over time, staying informed is as important as any one‑time fix. The FBI offers an email subscription that delivers new cyber alerts and public service announcements directly to subscribers. Signing up can help small businesses, schools, and local governments react more quickly when law enforcement identifies new malware campaigns.

Individuals and organizations that believe their router may have been misused as part of a proxy network are encouraged to file a report with the IC3 portal. Even if the financial loss seems minor or nonexistent, those complaints help investigators map the scope of a campaign and prioritize remediation efforts. In the AVrecon case, detailed victim reports can assist in identifying which hardware models and firmware versions are most frequently targeted.

The AVrecon malware campaign underscores an uncomfortable reality: the humble home router, often ignored for years at a time, has become a high-value asset for cybercriminals. Law enforcement can disrupt specific proxy services, but as long as large numbers of unsupported devices remain online, new operations will emerge to replace the old. Closing that gap will require not only technical countermeasures but also a broader shift in how Americans think about the lifecycle of the devices that connect them to the internet.

*This article was researched with the help of AI, with human editors creating the final content.