FBI Disrupts Russian DNS Hijacking Cyber Operation Targeting Home and Office Routers

Authorities take court-authorized action to neutralize U.S. portion of compromised router network used by Russian military intelligence unit

Apr. 10, 2026 at 7:13am

Image: Glowing cybersecurity infrastructure exposes the physical vulnerabilities exploited by Russian hackers to infiltrate American homes and businesses. (Boston Today)

The Department of Justice and FBI have announced a court-authorized technical operation to disrupt a Russian military intelligence unit's cyber operation that compromised thousands of home and small office routers worldwide to facilitate malicious DNS hijacking and data theft targeting individuals in the military, government, and critical infrastructure sectors.

Why it matters

This operation exposed the ongoing efforts by Russian state-sponsored actors to infiltrate and exploit vulnerable internet-connected devices, including those in American homes and businesses, to conduct espionage and potentially disrupt critical infrastructure. It highlights the need for all router owners to take steps to secure their devices and protect against such nation-state cyber threats.

The details

Since at least 2024, actors from Russia's GRU military intelligence unit have exploited known vulnerabilities to compromise TP-Link routers worldwide, stealing credentials and manipulating router settings to redirect DNS requests to GRU-controlled servers. This allowed the actors to intercept encrypted traffic and harvest sensitive data like passwords, emails, and authentication tokens. The FBI developed a court-authorized operation to collect evidence, reset DNS settings, and prevent further GRU access to the compromised routers in the U.S.

  • The GRU's cyber operation has been active since at least 2024.
  • The FBI's court-authorized disruption operation was conducted in 2026.
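A defender-side check for the DNS redirection described above, as an added example that is not from the DOJ, the FBI or the original article: it parses resolv.conf-style resolver settings as a client receives them from its router and flags any resolver outside an allowlist. The sample configuration, the addresses (RFC 1918 and RFC 5737 documentation ranges), the allowlist and the gateway address are all constructed assumptions.

```python
import ipaddress

# Constructed sample: resolver settings as a client might receive them from
# its router over DHCP (resolv.conf syntax). Addresses are RFC 1918 and
# RFC 5737 documentation ranges, not real indicators.
SAMPLE_RESOLV_CONF = """\
# written by DHCP client
search home.example
nameserver 192.168.0.1
nameserver 198.51.100.10
nameserver 203.0.113.53
nameserver not-an-ip
options edns0
"""
EXPECTED_CIDRS = ["198.51.100.0/24"]  # assumption: resolvers this site uses
GATEWAY = "192.168.0.1"               # assumption: the router's LAN address

def parse_nameservers(text):
    """Return (addresses, malformed) from the nameserver lines of the text."""
    addresses, malformed = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            addresses.append(ipaddress.ip_address(fields[1]))
        except ValueError:
            malformed.append(fields[1])
    return addresses, malformed

def audit_resolvers(text, expected_cidrs, gateway):
    """Classify every configured resolver as forwarder, expected,
    unexpected or malformed; 'unexpected' is the drift to investigate."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    gw = ipaddress.ip_address(gateway)
    addresses, malformed = parse_nameservers(text)
    findings = []
    for addr in addresses:
        if addr == gw:
            # The router answers DNS itself, so its upstream resolver is only
            # visible in the router's own WAN/DHCP settings, not from here.
            status = "forwarder"
        elif any(addr.version == n.version and addr in n for n in nets):
            status = "expected"
        else:
            status = "unexpected"
        findings.append((str(addr), status))
    return findings + [(m, "malformed") for m in malformed]

if __name__ == "__main__":
    for entry, status in audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_CIDRS, GATEWAY):
        print(f"{status:10} {entry}")
```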

The players

GRU Military Unit 26165

Also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, this unit within Russia's Main Intelligence Directorate of the General Staff conducted the cyber operation to compromise routers and hijack DNS.

TP-Link

The brand of routers that were targeted and compromised by the GRU actors in this operation.

FBI

Led the court-authorized technical operation to disrupt the GRU's cyber campaign and secure compromised routers in the United States.

Department of Justice

Announced the court-authorized FBI operation to neutralize the U.S. portion of the GRU's compromised router network.

Black Lotus Labs

Lumen's threat intelligence team provided valuable technical contributions to the disruption effort.


What they’re saying

“The GRU's predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”

— John A. Eisenberg, Assistant Attorney General for National Security

“Russian military intelligence once again hijacked Americans' hardware to commandeer critical data.”

— David Metcalf, U.S. Attorney for the Eastern District of Pennsylvania

“Operation Masquerade demonstrates the FBI's commitment to identifying, exposing, and disrupting the Russian government's efforts to compromise American devices, steal sensitive information, and target critical infrastructure.”

— Brett Leatherman, Assistant Director of FBI's Cyber Division

What’s next

The FBI is working with internet service providers to notify users of SOHO routers covered by the court's authorization. Affected users are encouraged to contact their local FBI field office or file a report with the FBI's Internet Crime Complaint Center.

The takeaway

This operation highlights the ongoing threat posed by state-sponsored cyber actors like Russia's GRU, who are actively targeting vulnerable internet-connected devices in homes and businesses to conduct espionage and potentially disrupt critical infrastructure. It underscores the need for all router owners to take proactive steps to secure their devices and protect against such nation-state cyber threats.