The FBI issued a public service announcement on May 7, 2025, warning that cybercriminals are actively compromising end-of-life WiFi routers, turning them into anonymous proxy servers for illegal activity. The alert, tied to a federal indictment of Russian and Kazakhstani nationals, reveals that older routers no longer receiving security patches are being infected with malware without their owners’ knowledge. For millions of households and small businesses still running aging networking equipment, the risk is not theoretical: their internet connections may already be serving as cover for someone else’s crimes.
In its latest guidance, the bureau explains that attackers are systematically scanning the internet for unsupported devices and then enrolling them into covert proxy networks. According to the FBI’s recent cyber alert on this activity, the compromised routers are used to disguise a wide range of offenses, including credential theft, fraud, and broader computer intrusions. Because the hardware continues to provide normal internet access, owners typically have no idea their equipment has been conscripted into a botnet that can be rented out to other criminals.
How Hackers Turn Old Routers Into Crime Tools
When a router reaches “end of life,” its manufacturer stops issuing firmware updates and security patches. That leaves known software flaws permanently exposed. Cyber actors exploit these unpatched vulnerabilities to install proxy malware on compromised devices, as outlined in the FBI’s May 7 notice and its broader public service announcement to small office and home users. Once installed, the malware allows criminals to route their internet traffic through a victim’s home or business IP address, effectively masking the true origin of illegal activity ranging from fraud to data theft.
The practical effect is alarming for ordinary users. Because the criminal’s traffic appears to originate from the victim’s network, law enforcement investigations could initially trace suspicious activity back to an innocent household. The router owner has no visible sign of compromise: there is no pop-up warning and often no slowdown dramatic enough to raise suspicion. The device simply continues functioning while quietly relaying someone else’s traffic in the background. This is what makes the threat distinct from more familiar forms of hacking: the victim is not the target of the crime but an unwitting shield for it, with their digital identity and physical address effectively loaned out to strangers.
The Anyproxy and 5socks Botnet Operation
The FBI’s warning did not emerge in isolation. It accompanied a coordinated law enforcement action detailed by the U.S. Department of Justice, which announced the dismantling of a botnet and the indictment of its Russian and Kazakhstani administrators. In a public statement, prosecutors described how the Anyproxy and 5socks services monetized access to infected hardware, selling routes through hijacked home and office networks to customers around the world. The Justice Department’s case summary notes that federal authorities seized the domains Anyproxy.net and 5socks.net as part of the takedown, cutting off a major marketplace for illicit proxy connections.
The formal charging documents lay out a step-by-step scheme. In the indictment filed in United States v. Chertkov et al., prosecutors allege that the administrators identified vulnerable routers, gained unauthorized access through known security flaws, installed malicious code, maintained persistent control over the devices, and configured them to relay traffic for paying customers. The detailed indictment filing describes how the defendants allegedly managed large numbers of compromised routers at once, treating them as inventory that could be switched in and out as devices went offline. A separate search warrant application outlines parts of the command-and-control infrastructure behind Anyproxy and 5socks, including references to pricing tiers and marketing language that framed the services as convenient tools for anonymity.
Why Consumer Habits Fuel the Problem
A key tension in this story sits outside the courtroom. Routers are not devices most people think about replacing on a regular cycle. Unlike smartphones, which consumers tend to upgrade every few years, a WiFi router often stays in service until it physically stops working. That behavior creates a large pool of end-of-life hardware still connected to the internet, still routing sensitive data, and still running firmware with security holes that will never be fixed. The FBI’s latest alert specifically targets this gap between consumer habits and security reality, warning that unsupported routers are prime targets for exactly the kind of proxy malware found in the Anyproxy and 5socks operation.
Economics reinforce the cycle. Replacing a router costs money, and for many households the device “works fine” from a connectivity standpoint. There is no built-in expiration mechanism that forces a user to upgrade, and internet service providers do not universally notify customers when their equipment falls out of manufacturer support. That creates a persistent supply of exploitable devices. As long as millions of outdated routers remain online, criminal proxy networks have raw material to rebuild even after law enforcement disrupts a specific operation. The Anyproxy and 5socks takedown removed two services, but the underlying vulnerability (a massive installed base of unpatched routers) remains intact and continues to invite copycat schemes.
A Pattern the FBI Has Flagged Before
This is not the first time federal authorities have raised alarms about router security. Back in 2018, the FBI published a separate public service announcement about foreign cyber actors targeting home and office routers, recommending that owners of small office and home office devices take immediate steps to prevent exploitation and block malicious network traffic. That earlier warning focused on a different threat actor and a different malware campaign, but the core weakness was the same: consumer-grade routers with outdated firmware sitting exposed on the open internet. The span of years between that notice and the current May 2025 advisory suggests that awareness alone has not solved the problem, particularly as more household devices depend on always-on connectivity.
Independent researchers have been tracking the same pattern. Threat analysts at Black Lotus Labs, the security arm of Lumen Technologies, have documented how attackers co-opt home and office hardware into proxy networks that can be rented or resold. In their reporting, the company’s security team describes a mature criminal ecosystem that treats unpatched consumer routers as disposable infrastructure: easy to compromise, cheap to abandon, and quickly replaced from a vast pool of vulnerable devices. The persistence of this threat across multiple years and multiple federal warnings signals that enforcement actions alone cannot close the gap; each takedown addresses a symptom while the root cause, a global inventory of unsupported equipment, continues to grow.
What Owners Can Do to Protect Their Networks
While the scale of the problem is daunting, the FBI emphasizes that individual owners still have meaningful defenses. The first step is to determine whether a router is still supported by its manufacturer, checking the vendor’s website for model-specific lifecycle information and firmware updates. If a device has reached end of life, the safest course is to replace it with a model that continues to receive security patches and to change default passwords and administrative settings during setup. The bureau’s guidance also points to disabling remote administration features when not needed, segmenting guest networks, and regularly rebooting devices to disrupt some forms of malware that rely on long uptimes.
Staying informed is another practical safeguard. The FBI encourages organizations and individuals to sign up for its cyber notifications so they can receive timely alerts about emerging threats to common technologies. Through its online email subscription service, the bureau distributes public service announcements and technical advisories that explain how attackers are abusing everyday devices, including routers. For households and small businesses that lack dedicated IT staff, these alerts can serve as an early warning system, prompting equipment checks and configuration changes before their networks are silently folded into someone else’s criminal enterprise.
*This article was researched with the help of AI, with human editors creating the final content.