Operation masquerade: FBI remotely purges Russian spyware from thousands of U.S. routers
- Marijan Hassan - Tech Journalist
- 21 hours ago
- 2 min read
In a rare and high-stakes digital intervention, the FBI and the Department of Justice announced on April 7, 2026, that they had successfully executed a court-authorized operation to remotely neutralize a router hijacking campaign led by Russian hackers. The operation, dubbed "Operation Masquerade," targeted thousands of compromised small-office and home-office (SOHO) routers across at least 23 U.S. states.

The "AitM" Espionage Campaign
The disruption focused on a campaign orchestrated by Unit 26165 of Russia’s Main Intelligence Directorate (GRU), also known as APT28 or Fancy Bear. Since late 2024, the group has been exploiting a specific vulnerability (CVE-2023-50224) in TP-Link and MikroTik routers to conduct "Adversary-in-the-Middle" (AitM) attacks.
By gaining administrative access, the GRU was able to:
- Hijack DNS settings: forcing all web traffic from connected devices (laptops, phones, smart TVs) through Russian-controlled servers.
- Spoof critical services: serving fraudulent versions of services such as Microsoft Outlook Web Access to harvest unencrypted passwords and authentication tokens.
- Conduct targeted surveillance: filtering a "wide pool" of global victims to identify and monitor high-value targets in the U.S. military, government, and critical infrastructure sectors.
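As an added illustration (not part of the article or of the FBI operation), the following Python check shows how a client-side audit can surface the two indicators described above: DHCP-supplied resolvers that are not the ISP's documented resolvers, and a sensitive hostname that the router-provided resolver answers differently from an independent resolver or outside the organisation's known address range. All addresses, hostnames, resolver lists and ranges are constructed sample values.

```python
"""Client-side indicators of a router-level DNS hijack (added example, constructed data)."""
import ipaddress

# Constructed sample values; a real audit would fill these from the client's DHCP
# lease, from queries to the router-provided resolver, and from an independent resolver.
OBSERVED_RESOLVERS = ["198.51.100.7", "203.0.113.53"]   # DNS servers the router handed out via DHCP
EXPECTED_RESOLVERS = {"198.51.100.7", "198.51.100.8"}   # resolvers the ISP documents (assumed)
LOCAL_ANSWERS = {"owa.example.com": "203.0.113.80",     # A records from the router-provided resolver
                 "www.example.com": "192.0.2.10"}
TRUSTED_ANSWERS = {"owa.example.com": "192.0.2.25",     # same names via an independent resolver
                   "www.example.com": "192.0.2.10"}
EXPECTED_RANGES = {"owa.example.com": ["192.0.2.0/24"]}  # where the real OWA front end lives (assumed)


def unexpected_resolvers(observed, expected):
    """Return DHCP-supplied resolvers that are not on the ISP's documented list."""
    return [r for r in observed if r not in expected]


def suspicious_answers(local, trusted, ranges):
    """Map each hostname to the reasons its locally resolved address looks hijacked."""
    findings = {}
    for host, local_ip in local.items():
        reasons = []
        if host in trusted and trusted[host] != local_ip:
            reasons.append("differs from independent resolver")
        nets = [ipaddress.ip_network(n) for n in ranges.get(host, [])]
        if nets and not any(ipaddress.ip_address(local_ip) in n for n in nets):
            reasons.append("outside expected address range")
        if reasons:
            findings[host] = reasons
    return findings


def audit(observed=OBSERVED_RESOLVERS, expected=EXPECTED_RESOLVERS,
          local=LOCAL_ANSWERS, trusted=TRUSTED_ANSWERS, ranges=EXPECTED_RANGES):
    """Combine both checks; empty lists/dicts mean no hijack indicators were seen."""
    return {"rogue_resolvers": unexpected_resolvers(observed, expected),
            "suspicious_hosts": suspicious_answers(local, trusted, ranges)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```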
A court-authorized "surgical strike"
Recognizing that many victims were unaware their hardware had been weaponized, the FBI obtained court permission to send specific commands directly to the compromised devices. Unlike a typical malware wipe, this operation was a surgical reset of the routers' internal configurations.
The FBI’s commands were designed to:
- Evict the intruder: immediately terminate the GRU’s remote access.
- Restore legitimacy: reset the malicious DNS and DHCP settings back to the users' original internet service provider (ISP) defaults.
- Preserve functionality: extensive testing was conducted to ensure the remote patches would not disrupt the routers' normal operations or collect any personal content from the users.
The risks of "end-of-life" hardware
A primary factor in the success of the Russian campaign was the prevalence of "End-of-Life" (EoL) routers - devices that no longer receive security updates from their manufacturers. The FBI noted that while their operation removed the immediate threat, these devices remain structurally vulnerable.
"Operation Masquerade demonstrates the FBI's commitment to disrupting the Russian government's efforts to weaponize the devices in our homes," said Assistant Director Brett Leatherman of the FBI’s Cyber Division. "However, defending our networks requires everyone. If your router is no longer supported by the manufacturer, the most effective defense is to replace it."
Guidance for consumers
The FBI is currently working with ISPs to notify the owners of the affected routers. In the meantime, the DOJ has issued a "Public Service Announcement" urging all SOHO users to:
- Factory reset: a manual hardware reset can reverse any unauthorized changes.
- Update firmware: ensure the latest security patches are installed immediately.
- Disable remote management: turn off interfaces that allow the router to be configured via the open internet.
This operation marks the second major router-based botnet disruption by the FBI in the last two years, highlighting a growing trend of state-sponsored actors targeting the "unmanaged" edge of the American internet.