Morning Overview

Hackers are hijacking outdated home routers, and the FBI named the models at risk.

The FBI told Americans that cybercriminals are actively infecting aging home routers, some dating back to 2010 or earlier, with malware that turns the devices into anonymous proxy tools for fraud and other crimes. The bureau’s Internet Crime Complaint Center published Alert Number I-050725-PSA identifying the threat, while federal prosecutors in Oklahoma unsealed charges against administrators who allegedly ran two of the largest proxy services built on hijacked routers. For households still running hardware that no longer receives security patches, the warning carries an immediate, practical cost: their own internet connection may already be part of a criminal network they know nothing about.

Why outdated routers became criminal infrastructure

Routers that have reached end-of-life status no longer get firmware updates from their manufacturers. That gap is the entire attack surface. According to the FBI’s public service announcement, cybercriminals are loading variants of TheMoon malware onto these devices, exploiting known vulnerabilities that will never be fixed. Once infected, a router silently forwards traffic for paying customers of proxy services, letting bad actors mask their real IP addresses while committing fraud, launching attacks, or evading law enforcement.

The business model is straightforward. Criminals compromise thousands of routers, bundle them into proxy pools, and sell access by subscription. Buyers get a rotating list of residential IP addresses that look like ordinary home internet connections, making their traffic far harder to trace. The routers’ owners typically notice nothing beyond occasional slowdowns, if that. Because these are consumer-grade devices with limited logging and monitoring, the criminal traffic they relay often leaves almost no trace that a typical homeowner could recognize.

From the attackers’ perspective, older routers are ideal: they are widely deployed, rarely updated, and often forgotten once they are working well enough to connect phones, laptops, and smart TVs. Many still use default passwords or outdated encryption, and some expose remote management interfaces to the open internet. When manufacturers stop issuing patches, every newly discovered bug effectively becomes a permanent doorway into the device.

A related question is what happens after law enforcement takes down the services that monetize these botnets. If operators scatter and rebuild using different infrastructure, the short-term effect could be a spike in direct exploitation attempts against consumer routers as displaced actors scramble for new footholds. IC3 complaint data over the next 90 days may reveal whether that pattern holds, or whether the disruptions genuinely reduced the threat.

Operation Moonlander and the Anyproxy/5socks indictment

Federal prosecutors tied the proxy scheme to two specific services, Anyproxy and 5socks, through an investigation called Operation Moonlander. The U.S. Attorney’s Office in Oklahoma announced that the botnet had been dismantled and that Russian and Kazakhstani administrators were indicted for running it. The services allegedly monetized access to infected older-model routers, offering subscribers proxy connections through devices their owners believed were simply connecting a household to the internet.

Court filings name Alexey Viktorovich Chertkov as one of the defendants. The unsealed indictment document lays out the statutory charges and describes how the operation recruited compromised routers into its network, sold access, and collected payments. According to the charging papers, the administrators allegedly worked with sellers who supplied access to infected devices, then resold that access to downstream customers who wanted to disguise their online activity.

Seizure warrants targeted the underlying infrastructure, including servers that coordinated the botnet and payment accounts used to receive subscription fees. By removing the control systems and financial lifelines, investigators aimed not only to stop ongoing abuse but also to make it harder for the same operators to rapidly rebuild the service under a new name. However, the filings leave open how many of the infected routers remain compromised, and whether other criminal groups are now attempting to take them over.

The FBI’s alert and the Moonlander prosecution did not arrive in isolation. Europol and international partners disrupted the SocksEscort proxy service through a separate effort called Operation Lightning. SocksEscort reportedly operated on a similar model, routing criminal traffic through compromised residential devices. The parallel takedowns suggest that law enforcement agencies across multiple jurisdictions coordinated a broader campaign against proxy services that rely on hijacked consumer hardware, even if each case focused on a specific cluster of operators.

Unresolved gaps in the router threat picture

Several important details remain unclear. The FBI’s alert references routers from circa 2010 or earlier, but the specific models flagged in the I-050725-PSA have not been fully enumerated in public reporting. Households trying to determine whether their own equipment is vulnerable need that list, and its absence leaves a practical gap between the warning and any meaningful self-assessment. Without precise model information, many consumers are left to guess based on purchase date and brand alone.

The scale of infection is also uncertain. Neither the IC3 alert nor the unsealed court documents have produced a confirmed total count of compromised devices. Investigators have described the botnet as large, but without a number or even a range, it is difficult to gauge how widespread the problem is or how many routers remain active proxies even after the Anyproxy and 5socks infrastructure was seized. This ambiguity complicates risk communication: a threat that could involve tens of thousands of devices demands a different response than one limited to a few hundred.

There is also no public accounting of direct victim impact. The indictment and warrant filings describe the mechanics of the scheme, but statements from affected router owners or downstream fraud victims have not surfaced in the available record. That makes it harder to measure the real-world harm beyond the abstract description of anonymized cybercrime. For instance, it is not yet clear how often law enforcement initially knocked on the doors of innocent homeowners because criminal traffic appeared to originate from their IP addresses.

Another unresolved issue is the long tail of unsupported hardware. Even if current law enforcement actions significantly disrupt existing proxy services, millions of aging routers are likely still plugged in and powered on. As long as they remain online without security updates, they represent a standing pool of potential nodes for future botnets. The FBI’s warning implicitly acknowledges this structural problem but stops short of prescribing how internet service providers or manufacturers should help retire unsafe devices.

What households can realistically do

For anyone running a router purchased before 2011 or one that has not received a firmware update in years, the practical first step is to check the manufacturer’s website for end-of-life notices. If the device is no longer supported, replacing it is the only reliable fix. Disabling remote administration and restarting the router can interrupt an active infection, but neither step prevents reinfection on hardware that will never be patched. The FBI’s alert recommends reporting suspected compromises to IC3, both to document the scope of the problem and to help investigators trace remaining infrastructure.

Consumers who decide to keep an older but still supported router should at minimum change default passwords, enable automatic updates if available, and turn off any features that allow configuration from outside the home network. They should also be wary of “free” proxy or VPN tools that encourage routing other people’s traffic through their connection, as these can blur the line between legitimate sharing and participation in an abuse-prone proxy network.

In the long run, reducing the risk posed by hijacked routers will likely require more than individual vigilance. Internet providers could notify customers when they detect suspicious traffic patterns from home networks, and manufacturers could commit to longer support lifecycles or clearer labeling when devices reach end of life. Until those systemic changes take hold, however, the burden falls largely on households to retire outdated equipment and treat their routers as critical security devices rather than invisible appliances.

Whether the Moonlander and Lightning disruptions actually reduce the volume of proxy-based attacks, or merely clear space for the next generation of services built on the same pool of vulnerable hardware, will depend on how quickly those aging routers disappear from the internet. For now, the message from investigators is blunt: if your router is too old to receive updates, it is also too old to trust with your connection.

*This article was researched with the help of AI, with human editors creating the final content.