THOUSANDS of consumer routers were hacked in widespread operations believed to be conducted by Russia’s military, with 18,000 to 40,000 devices in 120 countries redirected to infrastructure used to harvest credentials. According to Black Lotus Labs, an arm of Lumen Technologies, the attackers controlled routers belonging to MikroTik and TP-Link to spy on networks as part of a campaign attributed to APT28.
The group used compromised, unpatched devices to change DNS lookups and propagate those changes to connected workstations via DHCP, enabling man-in-the-middle interception of traffic and the capture of OAuth tokens and other credentials after users had passed multifactor challenges. The operation began in May 2025 on a limited set of devices, and Britain’s National Cyber Security Centre issued an alert in August documenting related credential-stealing activity, with the group intensifying the campaign in the following months.
Over a four-week period starting on 12 December 2025, Black Lotus observed more than 290,000 distinct IP addresses making DNS requests to the malicious resolver. The article advises users to check DNS settings and event logs for unrecognised changes and to replace end-of-life routers that no longer receive security updates.
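The check the article recommends, examining whether a workstation's DNS settings (as pushed by the router over DHCP) still point where they should, and whether the configured resolver answers differently from a trusted one, can be scripted. The following is an added example, not code from Black Lotus Labs or the article; the resolver addresses, resolv.conf and lease contents and the DNS answers are constructed sample values, and the organisation's allowlist of sanctioned resolvers is an assumption.

```python
"""Flag DNS resolver settings of the kind a router-DNS hijack pushes to
workstations over DHCP, and compare answers from the configured resolver
with a trusted resolver.  All addresses and file contents are constructed."""
import ipaddress
import re

# Assumption: the resolvers the organisation sanctions (constructed values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# A resolver in a private or loopback range is usually the router itself or
# an internal DNS server; a public address that is not on the allowlist is
# the case that should be escalated.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def parse_dhcp_dns_option(lease_text):
    """Return the DNS servers from a dhclient-style lease record
    ('option domain-name-servers a, b;'), i.e. what the router handed out."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", lease_text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",")]


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Map each resolver to 'expected', 'private', 'unexpected-public' or 'invalid'."""
    result = {}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            result[s] = "invalid"
            continue
        if s in expected:
            result[s] = "expected"
        elif any(addr in net for net in PRIVATE_NETS):
            result[s] = "private"
        else:
            result[s] = "unexpected-public"
    return result


def compare_answers(configured, trusted):
    """Return the domains whose A records from the configured resolver differ
    from the trusted resolver's (both are dicts of domain -> set of IPs).
    A hijacked resolver typically changes only the few domains it targets."""
    return sorted(d for d in trusted if configured.get(d, set()) != trusted[d])


def run_checks():
    """Run both checks on constructed sample data and return the findings."""
    # Constructed resolv.conf and lease as a hijacked router would push them.
    resolv_conf = "search corp.example\nnameserver 198.51.100.9\nnameserver 192.168.1.1\n"
    lease = "lease {\n  option routers 192.168.1.1;\n  option domain-name-servers 198.51.100.9, 192.168.1.1;\n}\n"
    # Constructed answers: the configured resolver rewrites one login host only.
    configured = {"login.example.com": {"198.51.100.10"},
                  "static.example.net": {"203.0.113.30"}}
    trusted = {"login.example.com": {"203.0.113.20"},
               "static.example.net": {"203.0.113.30"}}
    return {
        "resolv_conf": classify_resolvers(parse_resolv_conf(resolv_conf)),
        "dhcp": classify_resolvers(parse_dhcp_dns_option(lease)),
        "diverging_domains": compare_answers(configured, trusted),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On a real host, replace the constructed strings with the contents of /etc/resolv.conf and the DHCP client's lease file, and obtain the two answer dictionaries by querying the configured resolver and a trusted one (for example over DNS-over-TLS) for a short list of domains users log into; any "unexpected-public" resolver or any diverging domain is the signal the article tells users to look for.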