Morning Overview

The FBI says rebooting a hacked router can fall short, and old gear should simply be replaced.

Millions of Americans still connect to the internet through routers built more than a decade ago, and the FBI now says that simply rebooting those devices after a compromise is not enough to remove persistent malware. In a public-service alert issued in May 2025, the bureau warned that end-of-life routers from the 2010 era or earlier are being hijacked and converted into proxy nodes for criminal networks. The warning arrived alongside a federal law-enforcement operation that dismantled a global proxy service responsible for millions of dollars in fraud losses and the compromise of roughly 8,000 routers worldwide.

Why replacing old routers matters more than rebooting them

The FBI’s alert, designated I-050725-PSA, draws a clear line between two tiers of response. Rebooting a compromised router and disabling remote administration are listed as mitigation steps, but the bureau’s primary recommendation is outright replacement of any router that has reached end-of-life status. Devices in that category no longer receive firmware patches from their manufacturers, which means every known vulnerability stays open permanently. Attackers who plant malware on these routers can survive a power cycle because the exploit path that let them in remains available the moment the device comes back online.

The practical consequence for a household is straightforward. A router manufactured in 2012 or 2013, still humming in a closet, can be quietly enrolled in a criminal proxy network without the owner noticing any performance change. Traffic from fraud schemes, credential-stuffing attacks, or other illegal activity then appears to originate from that home’s IP address. If law enforcement later traces that traffic, the homeowner’s network is the first place investigators look, even if no one in the house ever knowingly participated in the crime.

The hypothesis that replacing pre-2015 routers would measurably reduce a household’s exposure to future proxy-service indictments is plausible on its face but impossible to confirm with current data. Neither the FBI nor the Department of Justice has published metrics comparing reinfection rates between households that rebooted and those that swapped hardware. What the bureau’s alert does establish is that rebooting alone leaves the underlying vulnerability intact on devices that will never be patched, allowing attackers to return as soon as they scan the internet again for the same flaw.

SocksEscort and the scale of router-based proxy fraud

The FBI’s warning did not emerge in a vacuum. Federal prosecutors in the Eastern District of California announced the dismantling of a malicious proxy service known as SocksEscort, which had sold access to approximately 369,000 IP addresses since 2020. As of February 2026, roughly 8,000 infected routers were still listed on the platform, and about 2,500 of those sat inside American homes and small businesses.

SocksEscort operated by deploying malware onto consumer routers and then renting out the resulting residential IP addresses to paying customers. Because the traffic appeared to come from ordinary households, it was far harder for banks and online services to flag as suspicious. The Justice Department stated that the scheme defrauded thousands of U.S. persons, businesses, and financial institutions, causing millions of dollars in losses. Domain seizures were part of the takedown, cutting off the infrastructure that matched buyers with compromised devices and limiting the criminals’ ability to reconstitute the same service under the same brand.

Those numbers give shape to a problem that often feels abstract. Each of the 2,500 U.S. routers on SocksEscort’s roster represented a real home or office whose internet connection was being sold without permission. Owners of those devices had no direct relationship with the fraud victims, yet their networks served as the delivery mechanism for criminal activity that spanned years. In some cases, the only symptom a household might notice is a slightly slower connection or occasional service disruption, hardly the kind of red flag that would prompt most people to replace their hardware.

What the FBI’s alert leaves unanswered

The bureau’s public-service announcement identifies the threat and recommends replacement, but it does not estimate how many end-of-life routers are still active across the country. Internet service providers frequently supply routers to subscribers and rarely recall them when a model falls out of support. Without an industry-wide count, the true attack surface is unknown, leaving policymakers and consumers to infer the scale of the risk from takedown cases like SocksEscort.

The alert also stops short of naming specific router models or manufacturers. That omission may reflect operational caution, since publishing a target list could help attackers as much as defenders by confirming which devices are worth scanning for. Still, it leaves consumers guessing about whether their particular device qualifies. The general guidance, that routers from the 2010 era or earlier are at risk, covers a wide range of hardware from multiple brands and leaves room for interpretation when a device was sold later but built on an older, unsupported platform.

A separate gap exists in the SocksEscort case. Prosecutors described the volume of compromised IPs and the financial damage, but the indictment materials available so far do not break down how many victims were harmed specifically because of router-based proxying versus other infection methods. That distinction matters for anyone trying to measure how much risk a single outdated router actually carries. Without that granularity, it is difficult to translate national enforcement statistics into concrete odds for an individual household.

Another unanswered question involves the long-term fate of compromised devices after a takedown. Seizing domains and backend servers can disrupt a proxy network, but it does not automatically disinfect the routers themselves. Unless owners replace or securely reconfigure their hardware, the same vulnerabilities that enabled SocksEscort could be exploited by a different criminal group that stands up a new control system. The FBI’s emphasis on hardware replacement implicitly acknowledges this cycle, but the alert does not specify how many routers from previous operations later reappeared in new proxy schemes.

How households can respond in the absence of perfect data

For readers who want to act now, the first step is checking the model number printed on the router’s label and searching the manufacturer’s website for its support status. If the device no longer appears on the vendor’s list of supported products, it is end-of-life and should be replaced with a currently supported model. Disabling remote administration in the router’s settings is a useful interim measure, but it does not substitute for hardware that still receives security updates and can be patched when new vulnerabilities are disclosed.

When shopping for a replacement, consumers can look for routers that explicitly advertise automatic firmware updates and a clear support window. Some internet service providers now offer managed equipment that they commit to patching throughout its lifecycle, though the FBI’s alert does not endorse any particular vendor or service. Whatever device is chosen, changing the default administrator password and turning off unnecessary remote-access features reduces the chance that it will be swept up in the next wave of proxy malware.

Households and small businesses that want to stay ahead of similar threats can also subscribe to official cyber alerts. The FBI offers an email subscription service through its alert delivery system, which distributes public-service announcements and updates on major cyber operations. While those messages will not list every vulnerable product, they provide early notice when law enforcement sees a particular class of devices being targeted at scale.

In the end, the FBI’s router warning and the SocksEscort takedown point to the same conclusion: aging network hardware can quietly entangle ordinary people in global cybercrime. Rebooting a compromised device might temporarily disrupt malicious traffic, but it does not erase the structural weaknesses that made the compromise possible. Until manufacturers, internet providers, and regulators find a way to shrink the pool of unsupported routers still online, the safest option for many households will be to retire that decade-old box in the closet and replace it with something designed for the threats of today, not the internet of 2010.

This article was researched with the help of AI, with human editors creating the final content.