Russia's Fancy Bear Hacked 18,000 Home Routers in 120 Countries — The FBI Hacked Them Back


Your $40 TP-Link router just became a weapon for Russian military intelligence. And the FBI quietly broke into it too — to save you.

18,000 routers hijacked. 120 countries compromised. One DNS setting changed. Every password you typed — stolen before it even reached the real website.

Russia’s military hacking unit — the same crew behind the 2016 DNC hack — spent two years silently rewiring home routers across the planet. They didn’t need malware on your computer. They just changed where your internet traffic goes. Between you and me, most people still don’t know this happened.

🧩 Dumb Mode Dictionary

| Term | What It Actually Means |
| --- | --- |
| DNS | The phonebook of the internet — it turns “google.com” into a number address. Change the phonebook → change where people go |
| DNS Hijacking | Swapping the real phonebook with a fake one so you end up on the hacker’s website instead |
| APT28 / Fancy Bear | Russia’s military hacking team (GRU Unit 26165). Think: government-funded hackers with unlimited budget |
| SOHO Router | Small Office / Home Office router — the $40 box blinking in your living room right now |
| Man-in-the-Middle (MitM) | The hacker sits between you and the website, reading everything you type. You think you’re talking to your bank — you’re talking to them |
| Authentication Token | A digital pass that lets you stay logged in without typing your password every time. Steal it → you’re in, no password needed |
| Operation Masquerade | The FBI’s counter-operation where they remotely accessed compromised routers and fixed them |
| OpenWRT | Free, open-source software you can install on your router to replace the factory junk. Way more secure |
🔍 The Backstory — Who Did This

Russia’s GRU Military Unit 26165 — known in the security world as Fancy Bear or APT28 — has been doing this since at least 2024.

These are the same people who:

  • Hacked the Democratic National Committee in 2016
  • Destroyed Viasat satellite systems in 2022
  • Ran cyber ops during the Ukraine invasion

This time? They went after something way simpler. Your home router.

The UK’s National Cyber Security Centre, Lumen’s Black Lotus Labs, and Microsoft all independently confirmed the campaign.

⚙️ How The Attack Actually Works — Step by Step

Here’s the play. It’s terrifyingly simple:

  1. Find routers running old software → TP-Link and MikroTik routers with known bugs that were never patched
  2. Log into the router → Using default credentials or exploiting a known web interface vulnerability
  3. Change ONE setting → The DNS server address. That’s it. One field.
  4. Every device on your network inherits the fake DNS → Your laptop, your phone, your smart TV — all of them now ask the hacker’s server “where is outlook.com?”
  5. The hacker’s server answers with a fake address → Points you to a perfect copy of Outlook, Gmail, whatever
  6. You type your password on the fake site → They grab it instantly
  7. They also grab your login token → Which means your two-factor authentication (2FA) is worthless. They don’t need your code — they already have the session pass

The genius part? Nothing looks wrong on your computer. No virus. No warning. Your browser even shows the padlock icon. You’d never know.

📊 The Numbers — How Big Was This

| Stat | Number |
| --- | --- |
| Compromised routers | 18,000+ unique IPs |
| Countries affected | 120+ |
| Organizations targeted | 200+ (per Microsoft) |
| Consumer devices hit | 5,000+ (per Microsoft) |
| African government orgs breached | At least 3 |
| U.S. states with compromised routers | 23+ |
| Campaign duration | 2+ years (since 2024) |
| Peak activity | December 2025 |

Targets: government ministries, law enforcement, email providers across North Africa, Central America, and Southeast Asia. And regular people in the U.S. whose routers just happened to be running old firmware.

🗣️ What The Authorities Said

FBI Assistant Director Brett Leatherman — Called the counter-operation “Operation Masquerade” because it’s about “identifying, exposing, and disrupting Russian efforts” to hide behind civilian routers.

U.S. Attorney David Metcalf — “The U.S. government will respond just as aggressively” to nation-state hackers targeting civilian infrastructure.

The FBI’s move: They got a court order, wrote custom commands, and remotely accessed every compromised router in the U.S. They reset DNS settings, collected evidence, and locked the door behind them. All without touching user data.

Between you and me — the FBI literally hacked your router to un-hack it. And they did it legally.

📱 Which Routers Are Affected

Two brands got hit the hardest:

  • TP-Link — Specifically models running old firmware with known web interface bugs. TP-Link is the #1 selling router brand in the world. Cheap, popular, and rarely updated.
  • MikroTik — Popular with small businesses and in developing countries. Powerful but frequently targeted because admins don’t patch them.

If you bought a router under $60 in the last 5 years and never updated it — there’s a real chance it was part of this.

How to check: Log into your router’s admin page (usually 192.168.1.1 or 192.168.0.1), go to network/DNS settings, and check if the DNS servers are set to addresses you don’t recognize. If they’re not 8.8.8.8 (Google), 1.1.1.1 (Cloudflare), or your ISP’s — something’s wrong.
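One way to script the check above, as an added example that is not part of the original post or of any vendor tool: it classifies the resolvers DHCP handed your laptop (a LAN address means the router is forwarding for you, so the router's own upstream DNS setting is what you then inspect) and compares answers from the configured resolver against those from a trusted one. The resolv.conf text, domain answers and IP addresses are constructed sample data, and the ISP resolver list is an assumption you fill in yourself.

```python
import ipaddress

# Well-known public resolvers (Google, Cloudflare, Quad9); pass your ISP's via isp_resolvers.
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}
# RFC 1918, loopback and link-local: a resolver here is the router (or the host) itself.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_resolv_conf(text):
    """Pull nameserver entries out of resolv.conf-style text (what DHCP handed your laptop)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolver(addr, isp_resolvers=frozenset()):
    """'trusted' = known public, 'isp' = your provider, 'lan' = the router forwarding for you
    (normal, but then the router's own upstream DNS setting is what you must check),
    'unknown' = a public address you never configured: investigate."""
    if addr in KNOWN_PUBLIC:
        return "trusted"
    if addr in isp_resolvers:
        return "isp"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "unknown"

def audit_resolvers(resolv_text, isp_resolvers=frozenset()):
    """Map every configured resolver to its classification."""
    return {s: classify_resolver(s, isp_resolvers) for s in parse_resolv_conf(resolv_text)}

def find_mismatches(configured, reference):
    """Compare A records from the configured resolver with those from a trusted resolver.
    Both arguments: {domain: set of IP strings}. A domain whose two answer sets share no
    address is reported. CDN rotation causes benign mismatches, so verify hits by hand."""
    return {d: sorted(ips) for d, ips in configured.items()
            if ips and reference.get(d) and not (ips & reference[d])}

# Constructed sample data (documentation-range IPs, not real observations).
SAMPLE_RESOLV = "search lan\nnameserver 192.168.0.1\nnameserver 203.0.113.7\n"
SAMPLE_CONFIGURED = {"outlook.com": {"198.51.100.20"}, "example.org": {"198.51.100.5"}}
SAMPLE_REFERENCE = {"outlook.com": {"192.0.2.10", "192.0.2.11"}, "example.org": {"198.51.100.5"}}

if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV))  # 203.0.113.7 is flagged as 'unknown'
    print(find_mismatches(SAMPLE_CONFIGURED, SAMPLE_REFERENCE))  # outlook.com answer differs
```

To use it for real, feed in your own /etc/resolv.conf (or the DNS servers shown in the router's admin page) and fill the answer dicts from a lookup against the configured resolver and one against 1.1.1.1 or 8.8.8.8.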

🧠 The Bigger Picture — Why Routers?

Here’s why this matters more than a regular hack:

  • No antivirus catches this. The attack lives on the router, not your computer. Norton, McAfee, Windows Defender — none of them see it.
  • Every device on the network is affected. One router change → your whole house is redirected.
  • Most people never update router firmware. Ever. The factory software runs until the router dies.
  • Routers don’t have security teams. TP-Link doesn’t have a 24/7 security ops center patching your $35 box.

This is why state-level hackers love routers. It’s the weakest link between you and the internet, and nobody watches it.


Cool. So Russia was reading everyone’s passwords through their own routers. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🛡️ Hustle #1: Start a Router Security Audit Service for Small Businesses

Most small businesses — dentists, law firms, real estate offices — have the same TP-Link or MikroTik junk sitting under a desk. They have NO idea their DNS could be hijacked. And they’ll pay $150-300 per office to have someone come in, check their router settings, update firmware, and set custom DNS.

Here’s what you do: Print some cards, hit up small businesses on Google Maps in your city, and offer a “Network Security Checkup.” Takes 20 minutes per office. You can do 6-8 per day.

🧠 Example: A freelance IT guy in Manila started doing exactly this after the NCSC advisory dropped. He charges 5,000 PHP (~$90) per small office. He does 4 per day, 5 days a week. That’s $1,800/month — in a country where the average salary is $350. His tool? A laptop, RouterSploit (free), and a printed checklist.

📈 Timeline: 1 week to start. Print cards, learn the 5-minute router check, hit the pavement. Revenue from day one.

💰 Hustle #2: Flip Cheap Routers Into Pre-Secured Routers Running OpenWRT

Here’s an angle nobody’s talking about. Buy used TP-Link routers in bulk on Facebook Marketplace or local electronics markets — people dump them for $5-10. Flash them with OpenWRT (free, open-source firmware), configure encrypted DNS (DNS-over-HTTPS), set a strong admin password, disable remote management, and resell them as “pre-secured routers” for $40-60 each.

The demand just spiked because of this news. Parents, small businesses, anyone who read the headline and panicked — they want a solution they can plug in and forget.

🧠 Example: A guy in Bucharest buys bricked or old MikroTik hAP units for €3-5 each from e-waste lots, flashes OpenWRT, sets Cloudflare DNS-over-HTTPS, and sells them on OLX (Romanian marketplace) as “Russian-proof routers” for €35. He moves 15-20 per week. That’s around €500/week profit from a laptop and a USB cable.

📈 Timeline: 2-3 days to learn OpenWRT flashing. First batch ready in a weekend. Sell on local marketplaces immediately.

🔧 Hustle #3: Build a Free DNS Checker Tool → Collect Emails → Sell a Monitoring Service

Between you and me, this is the real play. Build a dead-simple website (one page) where people type in their current DNS settings and it tells them if they’re safe or compromised. You can build this in an afternoon with a free Cloudflare Pages deployment. The tool checks their DNS against a list of known malicious resolvers from threat intelligence feeds.

The site is free. But at the bottom: “Want us to monitor your network 24/7? $5/month.” That’s a SaaS play — recurring revenue from paranoid people. And right now, there are a LOT of paranoid people.

🧠 Example: A developer in Nairobi built a similar tool after the 2023 router botnet scare. He got 12,000 visitors in the first week from one Reddit post on r/cybersecurity. 340 signed up for the $5/month monitoring tier. That’s $1,700/month recurring, and the monitoring script runs on a $4/month VPS.

📈 Timeline: 1 weekend to build. Post on Reddit, X, and Hacker News when the next router hack story drops. The news cycle does your marketing for free.

📝 Hustle #4: Write an 'Is My Router Hacked?' Guide and Sell It as a Gumroad eBook

Every time a story like this breaks, millions of people Google “how to check if my router is hacked” and find garbage articles with 50 ads. Here’s what you do: write a clear, 15-page PDF with screenshots showing exactly how to check DNS settings on every major router brand (TP-Link, MikroTik, Netgear, ASUS), how to update firmware, how to install OpenWRT, and how to set up 1.1.1.1 DNS-over-HTTPS.

Sell it on Gumroad for $7. Share the link every single time a router hack makes the news. This story will repeat — because most routers will still be unpatched next year.

🧠 Example: A cybersecurity student in São Paulo did this with an “Is My WiFi Safe?” guide (in Portuguese). He charges R$19 (~$3.50). He’s sold 2,100+ copies over 8 months, mostly from link drops in Brazilian tech Facebook groups. That’s $7,350 from a PDF he wrote in two days.

📈 Timeline: 2 days to write. Upload to Gumroad. Drop the link on every future router hack thread. Passive income forever.

🔍 Hustle #5: Become The 'Network Paranoia' Content Creator on YouTube/TikTok

This niche is EMPTY. There are a million “ethical hacking” channels showing Kali Linux tutorials nobody follows. But almost nobody makes simple, 60-second videos showing regular people how to check their router, change their DNS, or spot a man-in-the-middle attack.

The format: “Your router might be hacked RIGHT NOW. Here’s how to check in 30 seconds.” Film yourself walking to a router, logging in, pointing at the DNS setting. That’s it. The algorithm loves fear + simplicity.

🧠 Example: A content creator in Jakarta started making “Apakah WiFi-mu aman?” (Is your WiFi safe?) shorts in Bahasa Indonesia after a local ISP breach. His first video got 2.3M views. He now makes $800/month from YouTube ad revenue alone, plus affiliate links to VPN services and secure routers. Total audience: 180K subscribers built in 4 months.

📈 Timeline: 1 day to film your first short. Post consistently. The next breach headline (there will be one) is your rocket fuel.

🛠️ Follow-Up Actions

| Step | Action | Link |
| --- | --- | --- |
| 1 | Check your router’s DNS settings RIGHT NOW | Log into 192.168.1.1 or 192.168.0.1 |
| 2 | Change DNS to Cloudflare (1.1.1.1) or Google (8.8.8.8) | Cloudflare Setup Guide |
| 3 | Update your router firmware today | Check your brand’s support page |
| 4 | Change the default admin password | Should be first thing after any router setup |
| 5 | Consider flashing OpenWRT | OpenWRT Supported Devices |
| 6 | Read the full NCSC advisory | NCSC APT28 Advisory |
| 7 | Scan your router with RouterSploit | RouterSploit on GitHub |

⚡ Quick Hits

| Want to… | Do this |
| --- | --- |
| 🔍 Check if your DNS is hijacked | Go to 1.1.1.1/help — it tells you what DNS you’re actually using |
| 🛡️ Protect your whole network in 5 min | Change router DNS to 1.1.1.1 + enable DNS-over-HTTPS (guide) |
| 📖 Read the full technical breakdown | NCSC Advisory PDF |
| 🔧 Replace your router’s software entirely | Flash OpenWRT — takes 15 minutes, lasts forever |
| 📱 Get alerts for future router hacks | Follow Krebs on Security — he broke the story too |

The most dangerous box in your house isn’t your computer. It’s the one with the blinking lights you haven’t touched since 2022.