FBI dismantles Russian espionage network operating in 23 U.S. states.




The United States Department of Justice and the FBI carried out a court-authorized technical operation to dismantle a network of compromised home routers controlled by Russian military intelligence in more than 23 states across the country, in what authorities named Operation Masquerade.

The action neutralized the espionage infrastructure of Military Unit 26165 of the Main Intelligence Directorate of the Russian General Staff (GRU), also known as APT28, Fancy Bear, or Forest Blizzard, whose campaign had been active on U.S. territory since at least 2024.

Since that year, GRU agents exploited known vulnerabilities in thousands of TP-Link routers installed in homes and small offices to manipulate their DNS configuration —the system that translates domain names into numerical addresses— and redirect users' queries to servers under Russian control.

The attack operated in two phases: first, they compromised as many devices as possible in a massive and indiscriminate manner; then they applied automated filters to identify connections of interest and enabled interception on selected targets. For these targets, the GRU's servers impersonated legitimate services such as Microsoft Outlook Web Access to capture passwords, authentication tokens, and emails without the victims noticing.
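The two-phase scheme above hinges on one quiet change: the router's upstream DNS servers are swapped, so every client behind it resolves names through attacker-controlled resolvers. The following is an added, defender-side illustration that is not code from the article, the FBI, Microsoft, or any router vendor. It parses a constructed, vendor-neutral dump of a router's DNS settings, flags any resolver that is not on an administrator-maintained allowlist, and then compares the answers a configured resolver gives for sensitive hostnames against answers from a trusted reference resolver. Every IP address, hostname, and setting key below is a placeholder or constructed sample, and the allowlist and answer sets are assumptions standing in for values an operator would gather from the ISP and a known-good resolver.

```python
"""Detect DNS-resolver drift on a home/SOHO router (added example, not the
article's or any vendor's code). All addresses and names are placeholders."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the upstream resolvers the ISP or administrator actually set.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed sample of a router status dump (key=value lines, vendor-neutral).
# wan_dns2 and the DHCP-advertised LAN resolver point at an unexpected address.
SAMPLE_ROUTER_DUMP = """\
wan_proto=dhcp
wan_ipaddr=198.51.100.24
wan_dns1=203.0.113.53
wan_dns2=192.0.2.77
lan_dhcp_dns=192.0.2.77
ntp_server=pool.ntp.org
"""

# Any setting whose key mentions "dns" is treated as a resolver setting.
DNS_KEY_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]*dns[A-Za-z0-9_]*)=(?P<value>\S+)$")


@dataclass(frozen=True)
class Finding:
    key: str        # setting name in the dump
    resolver: str   # configured value
    status: str     # "expected", "unexpected", or "invalid"


def parse_dns_settings(dump: str) -> dict[str, str]:
    """Return {setting_key: value} for every DNS-related line in the dump."""
    settings = {}
    for line in dump.splitlines():
        match = DNS_KEY_RE.match(line.strip())
        if match:
            settings[match.group("key")] = match.group("value")
    return settings


def audit_resolvers(settings: dict[str, str], expected: set[str]) -> list[Finding]:
    """Classify each configured resolver against the allowlist."""
    findings = []
    for key, value in settings.items():
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            findings.append(Finding(key, value, "invalid"))
            continue
        status = "expected" if str(ip) in expected else "unexpected"
        findings.append(Finding(key, str(ip), status))
    return findings


# Second check: what the configured resolver says about sensitive hostnames
# versus a trusted reference resolver. Both answer sets are constructed here so
# the script runs offline; in practice each would come from a live query.
REFERENCE_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.com": {"198.51.100.11"},
}
CONFIGURED_ANSWERS = {
    "mail.example.com": {"192.0.2.77"},      # answer steered to the rogue host
    "login.example.com": {"198.51.100.11"},  # untouched
}


def divergent_names(configured: dict[str, set[str]],
                    reference: dict[str, set[str]]) -> list[str]:
    """Hostnames whose configured-resolver answer differs from the reference."""
    return sorted(name for name, ref in reference.items()
                  if configured.get(name) != ref)


def audit_report(dump: str = SAMPLE_ROUTER_DUMP,
                 expected: set[str] = EXPECTED_RESOLVERS,
                 configured: dict[str, set[str]] = CONFIGURED_ANSWERS,
                 reference: dict[str, set[str]] = REFERENCE_ANSWERS) -> dict:
    """Combine both checks into one report a monitoring job could alert on."""
    findings = audit_resolvers(parse_dns_settings(dump), expected)
    return {
        "unexpected_resolvers": sorted({f.resolver for f in findings
                                        if f.status != "expected"}),
        "divergent_names": divergent_names(configured, reference),
    }


if __name__ == "__main__":
    report = audit_report()
    for label, items in report.items():
        print(f"{label}: {', '.join(items) or 'none'}")
```

Running it prints the rogue resolver (`192.0.2.77`) and the one hostname whose answer was steered to it. The resolver check is the cheap one to schedule periodically, since a factory reset or firmware update also rewrites these fields; the answer comparison is what catches the selective phase, where only a few names of interest are redirected while everything else resolves normally.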

Microsoft, which collaborated with the FBI, identified more than 200 organizations and 5,000 affected devices. Lumen Technologies' Black Lotus Labs detected victims in the United States, Europe, Afghanistan, North Africa, Central America, and Southeast Asia, focusing on government agencies, foreign ministries, and security organizations.

The operation was led by the FBI Office in Boston, with support from the Philadelphia office, the Cyber Division, and the U.S. Attorney's Office for the Eastern District of Pennsylvania, where the court documents were declassified. The action also involved partners in 15 countries; the UK's National Cyber Security Centre and Germany issued coordinated alerts on the same day.

The FBI developed a series of commands sent directly to the compromised routers to collect evidence, restore the legitimate DNS configuration, and block unauthorized access from the GRU, without affecting the normal operation of the devices or gathering user content. Owners can revert the changes at any time through a factory reset.


CiberCuba Editorial Team

A team of journalists committed to reporting on Cuban current affairs and topics of global interest. At CiberCuba, we work to deliver truthful news and critical analysis.