
FBI Warning: Your Home or Office Router May Be Working for Criminals Right Now

Jameson Smallwood · 6 min read

Most people never think about their router. It sits in a corner, blinks its lights, and moves internet traffic around the house or office. You set it up once and forget about it.

Criminals are counting on that.

The FBI Just Named 18 Routers That Were Hijacked

On March 12, 2026, the FBI issued a FLASH alert (20260312-001) identifying 18 widely used router models that were infected with malware called AVrecon and turned into tools for a criminal proxy network called SocksEscort.

Here’s the plain-English version: attackers found security holes in popular routers, installed malware on them remotely, and then sold access to those routers so other criminals could route their internet activity through your home or business network.

Your router. Your IP address. Their crimes.

The FBI estimates roughly 369,000 devices have been compromised and sold this way since 2020, spanning 163 countries — including thousands in the United States.

What Is a Residential Proxy and Why Should You Care?

When a criminal uses a residential proxy, their internet traffic appears to come from a regular home or office — not a suspicious data center or foreign server. That makes their activity dramatically harder to trace.

What are they using it for?

  • Credential stuffing — testing stolen passwords against banking and email sites
  • Ad fraud — generating fake clicks that cost advertisers billions
  • Bypassing geo-restrictions — accessing services from locations where they’re banned
  • Hiding cyberattacks — masking the true origin of hacking operations

If your router was compromised, law enforcement investigating these crimes might trace the activity back to your IP address — not the actual attacker’s.

The 18 Affected Router Models

The FBI specifically named these models as the most frequently compromised:

D-Link (3 models)

  • DIR-818LW
  • DIR-850L
  • DIR-860L

Netgear (2 models)

  • DGN2200v4
  • AC1900 R7000

TP-Link (4 models)

  • Archer C20
  • TL-WR840N
  • TL-WR849N
  • TL-WR841N

Zyxel (9 models)

  • EMG6726-B10A
  • PMG5617GA
  • VMG1312-B10D
  • VMG1312-T20B
  • VMG3925-B10A
  • VMG3925-B10C
  • VMG4825-B10A
  • VMG4927-B50A
  • VMG8825-T50K

Important: These 18 were the most common targets, but the FBI notes that AVrecon targeted approximately 1,200 different device models across routers and IoT equipment from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel. If your router is old and hasn’t been updated in years, it may be vulnerable regardless of whether it appears on this list.

How AVrecon Works

AVrecon specifically targets routers running on MIPS and ARM processors — the chip architectures used in most consumer and small business routers. The attackers exploited known vulnerabilities, primarily remote code execution (RCE) and command injection flaws, to install the malware remotely.

Once installed, AVrecon gives attackers remote shell access to the device. The router then becomes a node in the SocksEscort network, silently forwarding traffic for paying criminal customers.

Here’s what makes this particularly dangerous: you probably wouldn’t notice. The malware doesn’t slow your internet to a crawl or cause obvious problems. Your router keeps working normally — it just also works for someone else.

SocksEscort Has Been Shut Down — But the Risk Hasn’t

In March 2026, a joint operation by the FBI, Europol, and law enforcement in Austria, the Netherlands, and France dismantled the SocksEscort service. Authorities seized 34 domains and 23 servers across seven countries and froze $3.5 million in cryptocurrency.

That’s good news. But it doesn’t mean your router is clean.

If your device was compromised, the malware may still be installed. And even though SocksEscort is down, the underlying vulnerabilities that allowed infection in the first place are still there — which means another operation could exploit the same devices.

What You Need to Do Right Now

1. Check if your router is on the list

Compare your router’s model number (usually printed on a label on the bottom or back of the device) against the 18 models above. But don’t stop there — if your router is more than 3-4 years old and hasn’t received a firmware update, treat it as potentially vulnerable.

2. Update your firmware immediately

Go to your router manufacturer’s support page and download the latest firmware for your specific model. This patches the known vulnerabilities that AVrecon exploits.

3. Disable remote administration

If you don’t actively manage your router from outside your network (most people don’t), turn off remote management/administration in your router’s settings. This closes the most common attack vector.

4. Reboot your router — but know it’s not enough

The FBI notes that rebooting can disrupt active infections but will not prevent reinfection if the underlying vulnerability isn’t patched. A reboot alone is not a fix.

5. Replace end-of-life devices

If your router model is no longer receiving security updates from the manufacturer, replace it. No amount of rebooting or configuration changes will protect a device that will never be patched.

This is the most important step. An unpatched router connected to the internet is not just outdated equipment — it’s an open door.

The Bigger Lesson for Businesses

If you’re a business owner, this isn’t just a home networking issue. Many small businesses use the same consumer-grade routers that appear on this list. Some have multiple locations with aging network equipment that no one has touched in years.

Consider this your audit trigger:

  • Inventory every network device at every location — routers, switches, access points, IoT devices
  • Check firmware versions against the latest available from each manufacturer
  • Replace anything that’s end-of-life — if the vendor has stopped issuing patches, the device is a liability
  • Establish a patching schedule — firmware updates for network equipment should be part of regular IT maintenance, not something that happens once and gets forgotten
  • Monitor your network traffic — unusual outbound connections or bandwidth usage can be early indicators of compromise
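As an added example (not from the FBI alert or this post), the Python script below turns the five steps above and the business checklist into a repeatable audit: it matches each inventoried device against the 18 FBI-listed models (tolerating label differences in case and spacing), flags end-of-life units, stale or unknown firmware dates, and enabled remote administration, and counts distinct outbound destinations per source so a router that suddenly talks to far more hosts than its baseline stands out. The model numbers come from the list in this post; the device records, the one-year firmware threshold, the placeholder model "AP-9000X", and the flow records are constructed sample data, and the assumed input format is simple dicts exported from an inventory sheet and from router or firewall logs.

```python
"""Network-equipment audit helpers (added example; not part of the FBI alert).

Assumed inputs (not from the original post): device records are dicts built
from an inventory spreadsheet; flow records are dicts summarised from router
or firewall logs. Model numbers are the 18 named in FBI FLASH 20260312-001
as quoted in the post. Device names, dates, the "AP-9000X" model and the
flow data are constructed sample values.
"""
from datetime import date

# The 18 models named in the FBI FLASH alert, grouped by vendor as in the post.
FBI_LISTED_MODELS = {
    "D-Link": {"DIR-818LW", "DIR-850L", "DIR-860L"},
    "Netgear": {"DGN2200v4", "AC1900 R7000"},
    "TP-Link": {"Archer C20", "TL-WR840N", "TL-WR849N", "TL-WR841N"},
    "Zyxel": {"EMG6726-B10A", "PMG5617GA", "VMG1312-B10D", "VMG1312-T20B",
              "VMG3925-B10A", "VMG3925-B10C", "VMG4825-B10A", "VMG4927-B50A",
              "VMG8825-T50K"},
}

STALE_FIRMWARE_DAYS = 365  # assumed threshold; align with your patch schedule


def normalize_model(model: str) -> str:
    """Upper-case and strip whitespace so 'dir-850l' matches 'DIR-850L'."""
    return "".join(model.upper().split())


_LISTED = {normalize_model(m) for models in FBI_LISTED_MODELS.values() for m in models}


def audit_device(dev: dict, today: date) -> list[str]:
    """Return human-readable findings for one device record."""
    findings = []
    if normalize_model(dev["model"]) in _LISTED:
        findings.append("model is on the FBI FLASH list")
    if dev.get("end_of_life"):
        findings.append("end-of-life: vendor no longer patches it, replace")
    last = dev.get("firmware_date")
    if last is None:
        findings.append("firmware date unknown, verify against vendor site")
    elif (today - last).days > STALE_FIRMWARE_DAYS:
        findings.append(f"firmware older than {STALE_FIRMWARE_DAYS} days")
    if dev.get("remote_admin_enabled"):
        findings.append("remote administration enabled, disable unless required")
    return findings


def audit_inventory(devices: list[dict], today: date) -> dict[str, list[str]]:
    """Audit every device; an empty finding list means nothing to act on."""
    return {d["name"]: audit_device(d, today) for d in devices}


def unusual_outbound(flows: list[dict], baseline_unique_dests: int) -> dict[str, int]:
    """Count distinct destinations per source and report sources above baseline.

    A router that has been turned into a proxy node originates connections to
    many unrelated hosts, so a jump in distinct destinations from the router's
    own address is a cheap early warning. Baseline is assumed to come from a
    quiet reference period.
    """
    dests: dict[str, set] = {}
    for f in flows:
        dests.setdefault(f["src"], set()).add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) > baseline_unique_dests}


# Constructed sample inventory (documentation-range addresses, made-up names).
SAMPLE_INVENTORY = [
    {"name": "main-office-router", "model": "dir-850l", "end_of_life": True,
     "firmware_date": date(2019, 6, 1), "remote_admin_enabled": True},
    {"name": "branch-router", "model": "Archer C20", "end_of_life": False,
     "firmware_date": date(2026, 2, 10), "remote_admin_enabled": False},
    {"name": "warehouse-ap", "model": "AP-9000X", "end_of_life": False,
     "firmware_date": None, "remote_admin_enabled": False},
]
AUDIT_DATE = date(2026, 3, 15)

# Constructed flow summary: the router (192.0.2.1) reaches six distinct hosts,
# a workstation (192.0.2.10) reaches two.
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": f"198.51.100.{n}"} for n in range(1, 7)
] + [
    {"src": "192.0.2.10", "dst": "203.0.113.8"},
    {"src": "192.0.2.10", "dst": "203.0.113.9"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name, "->", findings or ["no findings"])
    print("above outbound baseline:", unusual_outbound(SAMPLE_FLOWS, 3))
```

Run it against your own inventory export to get a per-device to-do list; a device with any finding is the one to patch, reconfigure or replace first, and the outbound-destination check is meant to be fed from whatever flow or connection logging your router or firewall already produces.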

If you don’t have the internal resources to do this, that’s exactly what a managed IT provider handles. Keeping network infrastructure current, patched, and monitored is foundational to cybersecurity — not optional.

Old Infrastructure Doesn’t Just Get Outdated — It Gets Recruited

The SocksEscort operation ran for at least six years before it was shut down. During that time, hundreds of thousands of routers were quietly turned into criminal infrastructure while their owners had no idea.

The FBI’s warning is clear: if your network equipment is old, unpatched, or no longer supported, it isn’t just a performance problem. It’s a security problem — and it may already be someone else’s tool.

Check your routers. Update what you can. Replace what you can’t. And if you need help assessing your network, reach out for a free security assessment.


Sources: FBI FLASH 20260312-001, BGR, ModemGuides, CyberNews
