
Your home router may be serving as a secret weapon for international cybercriminals while you remain completely unaware, according to an urgent FBI warning that has exposed a massive national security vulnerability.
Key Takeaways
- The FBI has issued an urgent warning that outdated routers are being exploited by foreign threat actors using malware called “TheMoon”
- Compromised routers can be hijacked to create proxy networks that mask criminal activities, even while continuing to function normally
- Routers manufactured before 2010 are particularly vulnerable as they no longer receive security updates
- The FBI recommends replacing end-of-life routers from major brands like Netgear, Linksys, and TP-Link
- Disabling remote administration features and keeping firmware updated are essential protective measures
FBI Raises Alarm on Router Security Crisis
On May 7, 2025, the FBI’s Internet Crime Complaint Center (IC3) released a critical warning about the exploitation of outdated routers by sophisticated foreign-based threat actors. The warning comes after multiple reports of obsolete routers being breached using variants of TheMoon malware, which doesn’t require password access to infect devices. Instead, this malicious software scans for open ports and sends commands to vulnerable scripts, establishing a foothold that allows criminals to conduct operations anonymously through compromised home networks.
“Even if your router ‘works,’ it could be silently helping bad actors attack others online—or worse, giving them a foothold into your network,” warns the FBI.
The threat is particularly concerning because many Americans continue using outdated routers with a false sense of security. If your router was manufactured before 2010, it likely no longer receives critical security updates, leaving it extremely vulnerable to exploitation. What makes this situation more dangerous is that infected routers typically continue functioning normally, giving users no indication that their device has been compromised and is now being used for nefarious purposes.
How TheMoon Malware Creates Criminal Networks
The FBI has specifically identified a new variant of TheMoon malware targeting routers with remote administration enabled. This sophisticated attack vector allows cyber actors to install proxies on compromised devices, creating a criminal infrastructure that hides their true identities. These hijacked networks become valuable assets in the cybercrime marketplace, with platforms like Faceless and 5socks selling access to infected routers as “residential proxies” – essentially renting out your home network to criminals.
“TheMoon reroutes third-party traffic, masking hackers’ identities behind everyday home networks,” reports the FBI.
The compromise typically occurs through remote administration features that are exposed to the internet, allowing attackers to exploit firmware flaws without detection. Once established, these proxy networks can be used for a wide range of criminal activities, including data theft, launching distributed denial of service (DDoS) attacks, and concealing other malicious traffic. The speed and performance of your home network may also degrade as cybercriminals consume your bandwidth for their operations.
Your old router isn’t just outdated—it might be a silent accomplice. FBI warns criminals are hijacking end-of-life routers to hide their tracks. Time to check your hardware. #CyberSecurity #FBI #InfoSec https://t.co/XOe5XXXRVg
— Babak Nabiee (@BabakNabiee) May 7, 2025
Critical Protection Measures for Home and Business Networks
The FBI has identified specific router brands and models that are particularly vulnerable, including end-of-life (EOL) devices from Netgear, Linksys, TP-Link, D-Link, Belkin, Asus, Cisco, SonicWall, WatchGuard, and MikroTik. These outdated routers should be replaced immediately with modern alternatives that include advanced security features. Even routers that are still technically supported but aging may not remain safe for much longer as manufacturers eventually discontinue security patches.
“This is a good example of the expanding attack surface and additional threats introduced by third-party technology,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Home routers need to be maintained just like other devices, but they are often overlooked. Hospital IT teams need to pay particular attention to remote workers connecting to their networks from home. This is also a good opportunity to remind remote staff to make sure their home equipment is up to date and patched as they connect to hospital networks.”
For immediate protection, disable remote management features on your router unless absolutely necessary. Regularly check for and install firmware updates to patch known vulnerabilities. Consider upgrading to modern firewalls with advanced threat protection capabilities such as intrusion prevention, DNS filtering, geo-blocking, deep packet inspection, and AI-powered threat detection. The stakes are high – not only is your personal data at risk, but your network could unknowingly become part of the infrastructure supporting international cybercrime operations.
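One way to confirm that remote management really is off is to test your own router's public address from a network outside your home, such as a phone hotspot. The script below is an added example, not code from the FBI notice or this article; the port list is an assumption (common router management ports), since the notice as summarised here names none.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed list of TCP ports commonly used by router management services.
# The FBI notice summarised above does not name specific ports.
MGMT_PORTS = {
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin",
    443: "HTTPS admin",
    7547: "TR-069/CWMP",
    8080: "HTTP admin (alternate)",
    8443: "HTTPS admin (alternate)",
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def exposed_services(host, ports=MGMT_PORTS, timeout=2.0):
    """Return {port: label} for each listed port that accepts a connection."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        checks = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
        return {p: ports[p] for p, is_open in checks if is_open}


def report(host, ports=MGMT_PORTS, timeout=2.0):
    """Summarise which management services answer on the given address."""
    found = exposed_services(host, ports, timeout)
    if not found:
        return f"{host}: no listed management port is reachable"
    lines = [f"{host}: management services reachable, disable remote admin:"]
    lines += [f"  tcp/{p}  {label}" for p, label in sorted(found.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_router.py <your-public-ip>")
    print(report(sys.argv[1]))
```

A clean result from inside your own LAN proves nothing, because most routers answer on these ports locally; the check is only meaningful when run from the internet side.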
“Cybercrime platforms like Faceless and 5socks sell access to these infected routers as ‘residential proxies,’ making them valuable assets in the digital underground,” according to the FBI.