The FBI issued a public service announcement on May 7, 2025, warning that cybercriminals are actively exploiting outdated Wi‑Fi routers to build proxy networks that mask illegal activity. The alert, numbered I-050725-PSA, specifically targets routers manufactured in 2010 or earlier that no longer receive security patches. The warning arrived alongside an unsealed federal indictment charging four individuals with running an international proxy marketplace built on infected home and small‑business routers.
What the FBI Alert Actually Says
The bureau’s Internet Crime Complaint Center published the alert identifying variants of TheMoon botnet as the primary tool used to compromise end‑of‑life routers. Once infected, these devices are reconfigured to serve as anonymous proxies, letting paying customers route internet traffic through someone else’s home network without the owner’s knowledge. The FBI noted that routers with remote administration enabled are especially vulnerable, since that feature exposes management interfaces to the open internet.
The practical effect is straightforward: a compromised router turns an ordinary household into an unwitting relay for fraud, data theft, or worse. Because these devices no longer receive firmware updates from their manufacturers, no patch will arrive to close the holes attackers are using. The FBI’s recommended fix is blunt: replace the router with a current model.
Four Defendants and Two Proxy Brands
The same week the FBI published its warning, the U.S. Attorney’s Office for the Northern District of Oklahoma announced that the botnet had been dismantled in a coordinated international operation. An unsealed indictment in the case titled United States v. Chertkov, Morozov, Rubtsov, and Shishkin charges the four Russian and Kazakhstani nationals with infecting older‑model wireless routers worldwide, including inside the United States, with malware. The defendants allegedly reconfigured those routers for unauthorized access and then resold the compromised devices as proxy servers through two services: 5socks and Anyproxy.
Court filings in case 4:25‑cr‑00160‑JDR lay out a timeline of how the proxy infrastructure was maintained over years, including domain‑history details and the operational mechanics of keeping thousands of infected routers responsive. A separate unsealed search warrant describes how investigators traced the proxy network, identified individual compromised routers, and documented how customers paid for access to the service.
How Attackers Get Inside Old Routers
The technical entry point for many of these infections is well documented. CVE‑2023‑1389, a command injection flaw in a popular router’s management interface, is cataloged in the NVD record and listed in CISA’s Known Exploited Vulnerabilities catalog. That dual listing means federal agencies have confirmed active exploitation in the wild, not just theoretical risk.
But the deeper problem goes beyond any single CVE. Routers from 2010 or earlier were designed for a different threat environment. Their processors are too weak for modern encryption, their firmware stacks are riddled with long‑known bugs, and their manufacturers stopped issuing patches years ago. TheMoon botnet variants do not need sophisticated zero‑day exploits to take over these devices. They rely on the simple reality that millions of routers sit on home networks for a decade or longer without a single update, running software with known holes that will never be fixed.
Security engineers sometimes talk about hardening systems by aligning them with standardized configuration baselines such as the CCE catalog, which enumerates specific configuration issues that can be locked down. Old consumer routers typically predate these baselines or cannot practically be brought into compliance, leaving them permanently out of step with modern security expectations.
Proxy Networks as Criminal Infrastructure
The indictment’s allegations reveal a business model, not just a hacking campaign. According to the DOJ filing, the defendants did not simply compromise routers for their own use. They packaged infected devices into a commercial proxy service and sold access to other criminals. That layered structure makes attribution harder for law enforcement, because the person committing fraud or stealing data appears to be connecting from a residential IP address in, say, suburban Oklahoma rather than from a server in another country.
An unsealed search warrant application in a related matter describes how Anyproxy functioned as command‑and‑control infrastructure, directing traffic through compromised routers and maintaining persistent access. Investigators documented the hosting arrangements and geographic distribution of infected devices, building a map of the proxy network’s reach before moving to disrupt it.
From a defender’s point of view, this turns ordinary networking gear into part of a distributed criminal platform. Each infected router becomes one node in a larger mesh that can be rented by the hour or by the gigabyte. Because the traffic emerging from these devices looks like normal home internet use, traditional IP‑based blocking is far less effective than it would be against clearly malicious data centers.
State‑Sponsored Actors Use the Same Playbook
This is not the first time federal authorities have moved against router‑based botnets, and the pattern suggests a growing overlap between criminal proxy markets and state‑level cyber operations. A separate court‑authorized operation, announced by the U.S. Attorney’s Office for the Western District of Pennsylvania, disrupted a worldwide botnet attributed to People’s Republic of China state‑sponsored hackers. That operation also targeted compromised routers and IoT devices repurposed as proxy infrastructure.
The convergence matters because it means the same class of vulnerable hardware serves both profit‑motivated criminals and nation‑state intelligence operations. A home router infected by TheMoon today could be resold as a proxy to a fraud ring and simultaneously exploited by a foreign intelligence service. The owner would have no indication of either use. When criminal proxy marketplaces and state‑sponsored groups draw from the same pool of compromised devices, dismantling one network does not necessarily protect the router from the next.
Why Replacing Your Router Is the Only Real Fix
Most coverage of the FBI alert has focused on the simple advice to upgrade hardware, and that recommendation is sound. But the deeper issue is that the consumer router market has no effective mechanism to force retirement of insecure devices. Unlike cars, which face recalls and inspections, routers can sit under a desk for a decade with no regulatory pressure to replace them.
In enterprise and government environments, security teams are expected to manage this risk systematically. Frameworks such as the SP 800‑53 controls emphasize configuration management, continuous monitoring, and timely replacement of unsupported components. Those expectations are grounded in the broader ecosystem of federal standards, including resources like the NIST vulnerability database, which centralizes information about software flaws and exposure.
Home users, by contrast, rarely have either the expertise or the tooling to track firmware lifecycles. Even diligent owners who change default passwords and disable unnecessary features cannot fix a vendor that has stopped shipping updates. Once a router is out of support, it becomes a slowly worsening liability: new vulnerabilities continue to be discovered, but none are ever patched on the device itself.
That is why the FBI’s guidance is so stark. There is no practical way for most households to harden a 2010‑era router to modern standards, and no realistic prospect that manufacturers will resume development for long‑abandoned models. Replacing the router is less about chasing performance or new features and more about exiting an unsupported security posture.
What Consumers Can Do Now
For individuals and small businesses, the most important step is to determine whether their current router still receives security updates. If the model is more than a decade old, or if the manufacturer’s support pages list it as “end of life,” it should be treated as untrustworthy regardless of whether it appears to function normally. Upgrading to a supported device closes off many of the easy avenues exploited by botnets like TheMoon.
After replacement, basic hygiene still matters: change default credentials, disable remote administration unless absolutely necessary, and enable automatic firmware updates where available. For small organizations that depend heavily on internet connectivity, it may be worth assigning explicit responsibility for router maintenance, treating it less like an appliance and more like a core piece of security infrastructure.
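The checks above (is the model still supported, how old is it, is remote administration on, are automatic updates on) worked through as an added example that is not from the article or the FBI: a Python script that applies those criteria to a constructed small-business router inventory and orders it worst-first. The CSV layout, the "ExampleCo" model names and every value in it are assumptions for the illustration.

```python
"""Triage a small router inventory against the criteria in the FBI alert.

Added illustration, not code from the FBI or the article. It applies the
page's rules (manufactured 2010 or earlier or more than a decade old, vendor
lists the model as end of life, remote administration enabled, no automatic
firmware updates) to a constructed inventory and ranks what to replace first.
"""
import csv
import io
from datetime import date

# Constructed sample inventory: hypothetical models and values.
INVENTORY_CSV = """site,model,manufactured,vendor_status,remote_admin,auto_update
front-office,ExampleCo WR-200,2009,end-of-life,yes,no
warehouse,ExampleCo WR-900,2021,supported,no,yes
branch-2,ExampleCo AC-1,2014,end-of-life,no,no
home-lab,ExampleCo AX-5,2023,supported,yes,yes
"""

ALERT_DATE = date(2025, 5, 7)  # publication date of PSA I-050725-PSA

def assess(row, today=ALERT_DATE):
    """Return (priority, reasons) for one inventory row; higher is worse."""
    reasons = []
    year = int(row["manufactured"])
    eol = row["vendor_status"].strip().lower() == "end-of-life"
    remote = row["remote_admin"].strip().lower() == "yes"
    if year <= 2010:
        reasons.append(f"manufactured {year}: in the alert's 2010-or-earlier group")
    elif today.year - year >= 10:
        reasons.append(f"manufactured {year}: more than a decade old")
    if eol:
        reasons.append("vendor lists model as end of life: no patches will arrive")
    if remote:
        reasons.append("remote administration enabled: management interface exposed")
    if row["auto_update"].strip().lower() != "yes":
        reasons.append("automatic firmware updates off")
    # Unsupported gear can only be replaced; configuration issues rank lower.
    replace = year <= 2010 or today.year - year >= 10 or eol
    return (2 if replace else 0) + (1 if remote else 0), reasons

def triage(csv_text, today=ALERT_DATE):
    """Parse the inventory; return (site, model, action, priority, reasons), worst-first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        priority, reasons = assess(row, today)
        action = "replace" if priority >= 2 else ("harden" if reasons else "ok")
        findings.append((row["site"], row["model"], action, priority, reasons))
    return sorted(findings, key=lambda f: -f[3])

if __name__ == "__main__":
    for site, model, action, _, reasons in triage(INVENTORY_CSV):
        print(f"{site:12} {model:18} {action:8} {'; '.join(reasons) or '-'}")
```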
The FBI’s latest alert and the associated proxy‑market indictment underscore a simple reality: aging network hardware is no longer just a performance bottleneck; it is a gateway into global criminal and state‑sponsored operations. Retiring obsolete routers is not merely an upgrade choice. It is a necessary step to keep households and small businesses from becoming silent partners in someone else’s cybercrime.
*This article was researched with the help of AI, with human editors creating the final content.