Russia's Fancy Bear Hacked 18,000 Home Routers to Steal Your Outlook Password

🛡️ Russia’s Fancy Bear Hacked 18,000 Home Routers — Just to Steal Your Outlook Password

Your $30 TP-Link router just became a Russian intelligence asset. No, seriously.

18,000 devices. 120 countries. 23 U.S. states. One authentication bypass bug from 2023 that nobody patched.

Russia’s military intelligence (the GRU) ran an operation codenamed “FrostArmada” — and the whole thing worked because people never update their router firmware. That little blinking box in your closet? It might have been quietly sending your Outlook login to Moscow for months. The FBI had to remotely break into compromised American routers just to clean them up. I mean. Think about that.



🧩 Dumb Mode Dictionary

  • APT28 / Fancy Bear: A hacker crew that works for Russia’s military spy agency (GRU). Been around since ~2004.
  • DNS hijacking: Changing where your router sends you when you type a website. Instead of the real site, you go to a fake copy.
  • CVE-2023-50224: The official name for a specific bug in TP-Link routers that lets anyone log in without a password.
  • Authentication bypass: A fancy way of saying “the lock on the door doesn’t work.”
  • FrostArmada: The codename security researchers gave this whole Russian router hack operation.
  • Firmware: The mini operating system inside your router. If you’ve never updated it… yeah, that’s the problem.

🔍 How the Attack Actually Worked

This is the part that’s going to make you uncomfortable.

  1. Find the target: Fancy Bear scanned the internet for TP-Link routers running old firmware with CVE-2023-50224 — a bug that lets you grab the admin password with one HTTP request
  2. Change the DNS: Once inside, they changed where the router sends your web traffic. You type “outlook.com” — your router now sends you to a Russian-controlled server instead
  3. Serve a fake login page: The fake Outlook page looked pixel-perfect. You type your email and password. It goes straight to GRU servers
  4. Steal the session token: They didn’t just get passwords — they grabbed authentication tokens, which means they could log in even if you had two-factor authentication turned on

The whole thing is silent. No pop-ups. No warnings. Your browser still shows “outlook.com” in the address bar.

📊 The Receipts

  • Total devices compromised: 18,000+
  • Countries affected: 120
  • U.S. states with victims: 23
  • U.S. organizations hit: 200+
  • U.S. consumer devices hit: 5,000+
  • African government orgs targeted: at least 3
  • TP-Link models vulnerable: 20+

Source: UK National Cyber Security Centre, Black Lotus Labs (Lumen), Microsoft Threat Intelligence

📱 Which Routers Got Cooked

If you own any of these, you need to check RIGHT NOW:

  • TP-Link TL-WR841N (the most common home router on Earth — this was the main target)
  • TP-Link Archer C5 and C7
  • TP-Link WDR3500, WDR3600, WDR4300
  • TP-Link WR1043ND
  • TP-Link MR3420, MR6400 (LTE routers)
  • TP-Link WR740N, WR840N, WR842N, WR845N, WR941ND (all variants)
  • MikroTik routers (multiple models — also targeted)

That’s over 20 TP-Link models plus MikroTik. These are the cheapest, most popular routers on the planet. You’ve probably owned at least one.

🗣️ What the Experts Are Saying

The UK’s National Cyber Security Centre put out a joint advisory with agencies from 15 countries. That almost never happens for router attacks.

Microsoft identified over 200 organizations and called this “one of the most extensive SOHO router exploitation campaigns we’ve observed from a state actor.”

Black Lotus Labs (Lumen’s threat research team) named the campaign “FrostArmada” and confirmed victims included government departments, law enforcement agencies, and email providers across North Africa, Central America, and Southeast Asia.

The FBI got a court order to remotely access compromised American routers, collect evidence, reset DNS settings, and lock the hackers back out. They literally had to hack the routers back.

⚙️ Why This Keeps Happening

Here’s the ugly truth nobody wants to talk about: home routers are the most neglected devices in computing.

  • No auto-updates: Unlike your phone or laptop, most routers never update themselves
  • Default passwords: Millions of people still use admin/admin
  • ISPs don’t care: Your internet provider gave you this router and forgot about it
  • End-of-life: Many of these TP-Link models don’t even receive security patches anymore — the manufacturer stopped supporting them years ago
  • Nobody checks: When was the last time you logged into your router’s admin panel? Exactly.

Russia knows this. That’s why they target routers instead of laptops. It’s easier.


Cool. So Russian Spies Are Living Rent-Free in Your Router. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)


🕳️ The Firmware Bounty Hunter

Most people have no idea their router is vulnerable. But every router brand publishes firmware updates on their website. Here’s the play: become the person who checks.

Go to your apartment building, your co-working space, your family’s houses. Offer to “fix their internet” (people LOVE hearing this). Log into their router admin panel, check the firmware version, update it, change the default password, and while you’re at it — check if their DNS settings have been tampered with. If the DNS points somewhere weird instead of their ISP’s default or 8.8.8.8 or 1.1.1.1, that’s a red flag.

Now scale this. Small businesses with 5-50 employees have routers they’ve literally never touched. Charge $50-100 per router audit. You’re not selling “cybersecurity consulting” — you’re selling “I’ll make sure Russia isn’t reading your emails.”

🧠 Example: 22-year-old IT student in Manila, Philippines checks Shodan for exposed TP-Link admin panels in his city, reaches out to the businesses directly (“your router admin page is visible to the entire internet”), charges ₱2,500 (~$45) per fix. Does 4 per day on weekends.

📈 Timeline: First client within 3 days of posting on local Facebook groups. Hits ₱40,000/month within 6 weeks. Slows down once you’ve saturated your local area — pivot to recurring monthly checks.

📡 The DNS Canary Service

Here’s something nobody’s built yet: a tiny script that runs on your home network and checks every 60 seconds whether your DNS is still pointing where it should. If someone (or some Russian intelligence operation) changes your DNS settings, you get an instant alert on your phone.

The tools exist — you can build this with a $5 Raspberry Pi Zero, a cron job, and a free Pushover notification. But nobody’s packaged it nicely. First person to make a clean GitHub repo with a one-command install script and a scary “IS RUSSIA IN YOUR ROUTER?” landing page owns this niche.

🧠 Example: 27-year-old sysadmin in Bucharest, Romania builds “DNSGuard” as an open-source project, gets 2,000 GitHub stars in 2 weeks from the news cycle, adds a “pro” tier ($3/month) that monitors multiple locations and sends Telegram alerts. 400 paying users by month 2.

📈 Timeline: Weekend to build the MVP. First 500 stars within 10 days if you post it on r/netsec and Hacker News while the news is still hot. Revenue starts week 3. Fades when the news cycle moves on — but the GitHub credibility is permanent.

🪟 The Patch Window Flipper

TP-Link just became radioactive. NPR literally published a guide telling Americans to replace their TP-Link routers. You know what that means? Thousands of perfectly functional routers about to hit eBay, Facebook Marketplace, and trash cans.

Buy them for $5-10 each. Flash them with OpenWrt (free, open-source router firmware that actually gets security updates). Resell them as “security-hardened routers” for $35-50. You’re literally taking e-waste and turning it into a premium product.

Bonus angle: buy the enterprise-ish MikroTik models people are panic-selling. MikroTik hardware is actually excellent — it’s the firmware people don’t update. Flash with OpenWrt or RouterOS latest, sell to small businesses for $80-120.

🧠 Example: 19-year-old in Lagos, Nigeria buys 30 panic-sold TP-Link Archer C7s off a local buy/sell group at ₦4,000 each (~$5), flashes OpenWrt, tests them, resells on Jiji.ng at ₦25,000 (~$30) with “secure router, firmware updated, no Russian backdoor” in the listing. Clears ₦630,000 (~$750) in profit within 3 weeks.

📈 Timeline: First batch flipped within 1 week. Peak supply window is 2-4 weeks after the news breaks (that’s NOW). After 6 weeks the panic-sellers dry up and prices normalize.

🎰 The Rogue DNS Detective Agency

Here’s the grey-hat play. Shodan and Censys let you scan for TP-Link routers with exposed admin panels. You can check (without logging in — just reading the publicly visible DNS settings) whether a router’s DNS has been redirected to known malicious servers.

Build a free “check your router” website. User enters their public IP. Your backend checks Shodan’s API for their router model and exposed settings. You tell them if they’re potentially compromised. The site is free — you monetize with affiliate links to replacement routers (the new ones with auto-update) and VPN services.

The key insight: the list of malicious DNS servers used by FrostArmada is public (it’s in the NCSC advisory). Matching against it is trivial. But normal people can’t read security advisories. You’re the translator.

🧠 Example: 24-year-old web dev in Medellín, Colombia builds “AmIHacked.router” in a weekend using Shodan’s free API tier, posts it on Reddit when the story peaks, gets 50,000 visitors in 48 hours. NordVPN affiliate clicks alone generate $1,200 in the first month.

📈 Timeline: Site live in 2 days. Traffic spike within 1 week of launch (tie it to the news cycle). Affiliate revenue starts trickling in by week 2. Dies down after 2 months unless you pivot to a broader “home network security” scanner.
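Here is what the core of the “DNS Canary Service” script from the section above and the advisory-list matching from this section actually look like in code. This is an added example written for this page; it is not code from the post, from the NCSC advisory, or from any DNSGuard or AmIHacked project, and it checks only the network you are sitting on (no Shodan, no third-party routers). Everything in it is an assumption: EXPECTED_RESOLVERS is a constructed allowlist you would replace with your own ISP’s resolvers, KNOWN_ROGUE_RESOLVERS holds a documentation placeholder address (203.0.113.53) standing in for the addresses listed in the advisory, and the function names are mine. It uses only the Python standard library so it can run from cron on a Raspberry Pi.

```python
"""
DNS canary (added example): flag resolvers your router hands out that are
not the ones you expect, and compare what a resolver answers against a
trusted one. Standard library only; meant to run from cron on a Pi.
"""
import random
import socket
import struct

# Constructed allowlist: the resolvers you expect on your own LAN.
# Replace with your ISP's resolvers or the public ones you configured.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Placeholder for the rogue resolver addresses published in the NCSC advisory.
# 203.0.113.53 is a TEST-NET-3 documentation address, not a real IoC.
KNOWN_ROGUE_RESOLVERS = {"203.0.113.53"}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_resolvers(servers):
    """Label each resolver 'expected', 'known-rogue' or 'unknown'."""
    labels = {}
    for ip in servers:
        if ip in KNOWN_ROGUE_RESOLVERS:
            labels[ip] = "known-rogue"
        elif ip in EXPECTED_RESOLVERS:
            labels[ip] = "expected"
        else:
            labels[ip] = "unknown"
    return labels


def alerts_for(labels):
    """Human-readable alert lines; an empty list means the config looks normal."""
    return [f"ALERT: resolver {ip} is {label}"
            for ip, label in labels.items() if label != "expected"]


def build_a_query(name, txid):
    """Encode a minimal RFC 1035 A query for name with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_answers(data, txid):
    """Pull IPv4 addresses out of the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_a(name, resolver_ip, timeout=2.0):
    """Ask one specific resolver over UDP/53 and return its A records."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def unexpected_answers(router_answers, trusted_answers):
    """Addresses the router's resolver returned that the trusted one did not."""
    return sorted(set(router_answers) - set(trusted_answers))


if __name__ == "__main__":
    # Run once from cron; pipe the output to your notifier of choice.
    with open("/etc/resolv.conf") as fh:
        current = parse_resolv_conf(fh.read())
    for line in alerts_for(classify_resolvers(current)):
        print(line)
```

Two caveats a practitioner would want. First, on a Linux box running systemd-resolved, /etc/resolv.conf usually shows only 127.0.0.53, so read the DHCP-provided resolvers from resolvectl status (or the router’s own DHCP settings) instead. Second, comparing A records for a CDN-fronted name like outlook.com across two resolvers produces false positives, because each resolver may legitimately get a different edge address; use the resolver-list check as the primary signal and pick a name with stable records (or compare certificate issuers rather than IPs) if you want the second check too.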

🎣 The Corporate Phishing Drill Piggyback

Every company that just read this news is about to panic-buy phishing awareness training. But here’s the angle nobody’s thinking about: the FrostArmada attack wasn’t email phishing — it was DNS-level phishing. Traditional phishing training doesn’t cover this at all.

Create a 15-slide presentation deck: “Why Your Phishing Training Won’t Stop the Next FrostArmada.” Sell it to the companies already buying phishing training. You’re not competing with the training vendors — you’re selling the ADDON they don’t have.

Include a simple checklist: how to verify DNS settings, how to spot a redirected login page (certificate warnings), how to check if your router firmware is current. Package it as a $200-500 “DNS Security Awareness Module” and pitch it to IT managers at small/mid companies who are currently freaking out.

🧠 Example: 30-year-old former IT helpdesk worker in Warsaw, Poland creates the deck using Canva, cold-emails 200 small businesses in his LinkedIn network with the subject line “Your phishing training has a blind spot — here’s proof.” Lands 8 clients at €300 each in the first month. €2,400 from a slide deck.

📈 Timeline: Deck built in 1 day. First cold emails out by day 3. First paying client within 2 weeks. Market saturates in ~3 months as bigger security vendors add DNS modules to their own training.

🛠️ Follow-Up Actions

  • Check if your router is affected: Log into your router admin panel (usually 192.168.0.1 or 192.168.1.1) → check DNS settings → if it’s NOT your ISP’s DNS or a known service like 8.8.8.8 / 1.1.1.1, something’s wrong
  • Update firmware now: Go to TP-Link’s support page → find your model → download latest firmware → upload via admin panel
  • Check if your router is exposed online: Search your IP on Shodan — if your admin panel shows up, it’s visible to everyone including Russian hackers
  • Replace an unsupported router: If your model doesn’t get updates anymore, flash OpenWrt or buy a router with auto-update (ASUS, newer TP-Link AX models)
  • Read the full NCSC advisory: “APT28 exploit routers to enable DNS hijacking” (UK NCSC)

⚡ Quick Hits

  • 🔍 Check your DNS right now: Open cmd → type nslookup google.com → if the server IP looks unfamiliar, investigate
  • 🛡️ Harden your router in 5 minutes: Change admin password + disable remote management + update firmware
  • 📡 Monitor for DNS changes: Set up a Pi-hole — it logs every DNS query and you’ll see anomalies
  • 🔧 Flash open-source firmware: OpenWrt device compatibility table — check if your router is supported
  • 🚨 Report a compromised router: File with the FBI’s IC3 if you’re US-based

Your router hasn’t been updated since 2023. Russia noticed before you did.

[Source: TechCrunch · UK NCSC Advisory · The Register]
