Russian government hackers broke into thousands of home routers to steal passwords
A group of Russian government hackers has hijacked thousands of home and small business routers around the world as part of an ongoing campaign aimed at redirecting victims’ internet traffic to steal their passwords and access tokens, security researchers and government authorities warned on Tuesday.
This is the latest tactic by the long-running Russian hacking group known as Fancy Bear, or APT28, known for its high-profile hacks and spying operations, including the breach of the Democratic National Committee in 2016 and the destructive hack that hit satellite provider Viasat in 2022. Fancy Bear is widely believed to be part of Russia’s military intelligence agency, the GRU.
The hacking group targeted unpatched routers made by MikroTik and TP-Link using previously disclosed vulnerabilities, according to the U.K. government’s cybersecurity unit NCSC and Lumen’s research arm Black Lotus Labs, which released new details of the campaign on Tuesday.
According to the researchers, the hackers were able to spy on large numbers of people over the course of several years by compromising their routers. Many of these devices run outdated software, leaving them open to remote attack without their owners’ knowledge.
The NCSC said that these operations are “likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops.”
Per the researchers and government advisories, the hackers modified the settings of compromised routers so that victims’ internet requests were surreptitiously passed through infrastructure run by the hackers. This allowed the hackers to redirect victims to spoofed websites under their control and steal passwords and tokens that let them log in to the victims’ online accounts. Because such a token is issued only after the victim has already completed the login, including any two-factor step, the hackers can reuse it without needing the victim’s two-factor authentication codes.
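One practical check that follows from this description, added here as example code rather than anything from the article or from the researchers’ reports: it assumes (the article does not say which router setting was changed) that the redirect is done by pointing clients at an attacker-run DNS resolver that answers for targeted domains with the address of an attacker-controlled proxy. The resolv.conf text, the resolver addresses and the DNS answers below are all constructed sample data, so the script runs offline; in use you would substitute the resolvers your router actually hands out and answers gathered from the local resolver and from an independent one.

```python
"""Offline check for DNS-based traffic redirection (constructed sample data).

Assumptions, not taken from the article: the router hands clients their DNS
resolvers via DHCP, and a hijacked router points clients at an attacker-run
resolver that answers for targeted domains with an attacker proxy address.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of a client's resolv.conf as populated by the router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.45
"""

# Constructed sample A-record answers from the router-supplied resolver ...
LOCAL_ANSWERS = {
    "mail.example.com": {"203.0.113.45"},
    "login.example.net": {"203.0.113.45"},
    "cdn.example.org": {"198.51.100.20"},
}
# ... and from an independent resolver queried over a trusted path.
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.net": {"198.51.100.11"},
    "cdn.example.org": {"198.51.100.20"},
}


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(nameservers, allowed_networks):
    """Resolvers outside the networks the operator expects (e.g. the LAN itself)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for ns in nameservers:
        addr = ipaddress.ip_address(ns)
        if not any(addr in net for net in allowed):
            flagged.append(ns)
    return flagged


def divergent_domains(local, trusted):
    """Domains whose local answer set differs from the trusted answer set."""
    return {
        d: (local[d], trusted[d])
        for d in local
        if d in trusted and local[d] != trusted[d]
    }


def shared_sink_ips(divergent, min_domains=2):
    """Addresses the local resolver returns for several unrelated, divergent
    domains. One proxy address fronting many sites is a typical sign of an
    adversary-in-the-middle setup (heuristic, assumed here)."""
    by_ip = defaultdict(list)
    for domain, (local_set, _trusted_set) in divergent.items():
        for ip in local_set:
            by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def run_check(resolv_conf=SAMPLE_RESOLV_CONF, local=LOCAL_ANSWERS,
              trusted=TRUSTED_ANSWERS, allowed_networks=("192.168.0.0/16",)):
    """Run all three checks and return the findings as one dictionary."""
    nameservers = parse_nameservers(resolv_conf)
    divergent = divergent_domains(local, trusted)
    return {
        "unexpected_resolvers": unexpected_resolvers(nameservers, allowed_networks),
        "divergent_domains": divergent,
        "shared_sink_ips": shared_sink_ips(divergent),
    }


if __name__ == "__main__":
    for name, finding in run_check().items():
        print(f"{name}: {finding}")
```

The sample data is arranged so that all three checks fire: the router advertises a resolver outside the LAN, two login-related domains resolve differently from the trusted path, and both of those local answers point at the same address, which is what you would expect if one proxy host were impersonating several sites. A divergent answer on its own is not proof of tampering (CDNs legitimately return different addresses to different resolvers), so treat the shared-address finding as the stronger signal and verify the TLS certificate presented by that address before drawing conclusions.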
Black Lotus Labs said that Fancy Bear compromised at least 18,000 victims in around 120 countries, including government departments, law enforcement agencies, and email providers across North Africa, Central America, and Southeast Asia.
Microsoft, which also released details of the campaign on Tuesday, said in a blog post that its researchers identified over 200 organizations and 5,000 consumer devices affected by these hacking operations, including at least three government organizations in Africa.
The FBI is expected to announce the takedown of several domains used in this campaign by the hackers. Lumen said it was part of a coalition, including the FBI, that disrupted the botnet and took it offline.
A spokesperson for the FBI did not respond to requests for comment prior to publication.
On Tuesday afternoon, the U.S. Justice Department announced that, under a court authorization, it had neutralized the compromised routers located on U.S. soil. The DOJ said that the FBI “developed a series of commands to send to compromised routers” to collect evidence, reset settings, and prevent the hackers from breaking back in.
Updated to include information from DOJ’s announcement.
Topics
APT28, Black Lotus Labs, cybersecurity, espionage, hacking, Microsoft, NCSC, Routers, russia, Security
Lorenzo Franceschi-Bicchierai
Senior Reporter, Cybersecurity
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.