A familiar espionage actor adopts a quiet but effective route
Russian government-linked hackers have compromised thousands of home and small-business routers in an effort to steal passwords and authentication tokens, according to warnings released April 7 by security researchers and government authorities.
The campaign is attributed to Fancy Bear, also known as APT28, a long-running hacking group widely believed to be part of Russia’s military intelligence agency, the GRU. The group has been tied to a series of major cyber operations over the past decade, but the latest reporting points to a tactic built less around headline-grabbing disruption than around patient traffic interception at scale.
By taking over routers, the attackers gained a strategic advantage: they could manipulate the path victims’ internet traffic takes before it reaches legitimate services. That made it possible to steer targets to spoofed websites under hacker control and capture credentials or session tokens that could later be used to access accounts.
How the campaign worked
According to the report, the hackers exploited previously disclosed vulnerabilities in unpatched MikroTik and TP-Link routers. Once inside, they altered device settings so that internet requests were covertly routed through infrastructure controlled by the attackers.
That technique matters because it can bypass one of the strongest habits internet users have developed over the past decade: reliance on two-factor authentication. If a victim is redirected to a convincing fake login flow and the attackers steal the right tokens, they may be able to access the account without needing a one-time code.
Researchers said the campaign was broad in scope. Black Lotus Labs estimated that at least 18,000 victims in around 120 countries were compromised, including government departments, law-enforcement agencies, and email providers across North Africa, Central America, and Southeast Asia.
Why home routers are an attractive target
Routers are easy to overlook. They rarely receive the same attention as laptops, phones, or enterprise servers, yet they sit directly in the path of everything a user does online. If left unpatched, they can become durable surveillance points.
That appears to be exactly what made them useful in this operation. Many routers run outdated software for years, often because users do not know updates are available or because the devices are treated as simple appliances rather than security-sensitive systems. For intelligence services, that creates a large pool of targets that can be swept up opportunistically.
The U.K. National Cyber Security Centre said the operations were likely opportunistic at the start, with the actor casting a wide net before narrowing in on victims of intelligence interest as the attack developed. That description suggests a two-stage model: broad compromise first, selective exploitation second.
The strategic logic of traffic redirection
Traffic redirection is a powerful method because it can be both flexible and quiet. Instead of breaking directly into every target service, attackers use the compromised router as a way to influence the victim’s browsing experience. That lets them deploy credential phishing, token theft, or other session-based attacks without needing to crack each online platform individually.
It also gives attackers a way to operate across personal and organizational boundaries. A single compromised router can expose home users, remote workers, and small offices alike. In a world where government personnel, journalists, contractors, and executives often work from mixed environments, that makes consumer-grade networking gear a useful intelligence collection point.
The campaign described on April 7 therefore fits a broader pattern in cyber conflict: attackers are moving toward infrastructure that sits between people and the services they trust, rather than attacking only the endpoints themselves.
What the disclosure signals
The immediate significance of the new warning is defensive. Organizations and households using affected devices need to assume that unpatched routers are not merely a maintenance risk but a potential espionage foothold. The underlying vulnerabilities were previously disclosed, which means the opportunity existed because systems remained exposed after fixes were available.
The broader significance is geopolitical. Fancy Bear has long been associated with high-value Russian intelligence missions, and the scale of this activity shows continued interest in collecting access at volume. Credential theft from such a wide base of targets can support surveillance, follow-on intrusions, and account takeovers across multiple sectors and regions.
For defenders, the lesson is straightforward but uncomfortable: critical security gaps do not always begin inside a company data center. Sometimes they begin in a hallway closet, attached to a broadband line, with a router that has not been updated in years.
A warning beyond this campaign
The report is a reminder that internet infrastructure at the edge remains one of the softest targets in global cyber operations. When attackers can compromise the hardware people trust to connect them to everything else, the boundary between consumer weakness and national-security exposure becomes very thin.
That is why the router has become more than a household device. In the hands of a state-backed espionage group, it becomes a quiet collection platform, a credential-harvesting tool, and a launching point for deeper intrusion. The campaign tied to Fancy Bear shows how much leverage can be gained from devices that rarely make headlines until after they have already been turned against their owners.
This article is based on reporting by TechCrunch.
Originally published on techcrunch.com