We will not allow anyone to exploit our technology and networks
In January 2024, the FBI's Boston field office quietly reached into homes and small offices across America to reclaim something most people never knew had been taken from them. Russian military intelligence, operating through a web of hijacked home routers, had built an invisible infrastructure for espionage — using ordinary devices as cover for credential theft and spearphishing campaigns targeting both American and European networks. The court-authorized operation, code-named Dying Ember, severed that access and restored control to unknowing victims, offering a rare glimpse into the silent contest being waged beneath the surface of everyday digital life.
- Over a thousand home and small business routers across nearly every U.S. state had been silently commandeered by Russian GRU hackers, their owners completely unaware their networks were serving a foreign intelligence operation.
- The Moobot malware installed on Ubiquiti routers gave Russian military intelligence remote control and a cloak of anonymity, enabling coordinated spearphishing campaigns designed to harvest credentials from targeted individuals and organizations.
- FBI Director Chris Wray announced the disruption at the Munich Security Conference, framing Operation Dying Ember as a decisive counter-strike — one that not only expelled the GRU from the botnet but locked them out entirely.
- Working with international partners and private sector companies, the FBI executed a court-authorized intervention in January: malware removed, malicious data deleted, and network control quietly returned to the people who owned these devices.
- The operation's success raises an uncomfortable question that no single takedown can answer — if one manufacturer's routers were this thoroughly compromised, how many other vulnerabilities remain hidden across the vast landscape of connected devices?
In January, the FBI's Boston field office executed a quiet but consequential operation reaching into homes and small offices across nearly every American state. What they uncovered was a network of hijacked routers — the kind of devices most people never think about — that Russian military intelligence had turned into a global espionage platform.
Code-named Dying Ember, the operation targeted Ubiquiti routers infected with malware called Moobot, which gave Russia's GRU remote access and control over more than a thousand compromised devices in the U.S. and abroad. The victims had no idea their networks were being used as cover for spearphishing campaigns designed to steal credentials and private information from carefully selected targets.
FBI Director Chris Wray announced the disruption at the Munich Security Conference, describing how agents executed a court-authorized technical operation to expel the GRU from the botnet and lock them out. The January intervention removed the malware, deleted accumulated malicious data, and restored full network control to device owners — most of whom never knew they had been compromised.
Jodi Cohen, special agent in charge of the FBI Boston Field Office, called it an international effort made possible through close coordination with private sector partners, including device manufacturers. The operation, he said, should stand as a warning to adversaries that the U.S. would not tolerate the exploitation of its technology and networks.
Yet the disruption carried an unsettling undertone: if Russian intelligence had so thoroughly compromised routers from a single manufacturer at this scale, the question of how many similar vulnerabilities persist across the broader ecosystem of connected devices remains very much open.
In January, the FBI's Boston field office orchestrated a quiet but consequential operation that reached into homes and small offices across nearly every American state. What they found was a network of compromised routers—devices that most people never think about, tucked away in closets or mounted on walls—that had been hijacked by Russian government hackers to conduct espionage and steal credentials from unsuspecting victims.
The operation, code-named Dying Ember, targeted routers made by Ubiquiti Inc., a U.S.-based manufacturer. Russian military intelligence, known as the GRU, had infected these devices with malware called Moobot, which gave them remote access and control. Over a thousand routers across the country and around the world had been compromised this way. The victims had no idea their networks were being used as a staging ground for something far larger than themselves.
FBI Director Chris Wray announced the disruption at the Munich Security Conference on Thursday, framing it as a decisive blow against a persistent adversary. "We ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers, and lock the door behind them," Wray said in prepared remarks. The operation severed the GRU's access to a botnet they had been using to run cyber operations globally, targeting not just American networks but allies in Europe as well.
The routers had been weaponized for a specific purpose: launching vast spearphishing campaigns designed to trick people into revealing their credentials and private information. These weren't random attacks. They were part of a coordinated intelligence-gathering effort by a nation-state actor. The malware allowed the GRU to hide their tracks, to use these thousands of compromised devices as cover for their own operations.
What made Dying Ember different from typical cybersecurity responses was its scope and coordination. The FBI worked with international partners and the private sector to identify which routers had been compromised, then executed a court-authorized technical intervention. In January, they removed the malware from the infected devices, deleted the malicious data that had accumulated, and restored full network control back to the people who owned them. Most of those victims never knew they had been compromised in the first place.
Jodi Cohen, the special agent in charge of the FBI Boston Field Office, emphasized the significance of the operation in a statement. He called it an international effort that demonstrated the FBI's ability to identify and address threats to national security, both at home and abroad. He also underscored the importance of partnerships with the private sector—without cooperation from companies like Ubiquiti and others in the tech industry, an operation of this scale would have been impossible.
The message was deliberate. Cohen said the operation should serve as a warning to adversaries that the United States would not tolerate the exploitation of its technology and networks. But the broader implication was harder to ignore: if Russian intelligence had successfully compromised over a thousand routers from a single manufacturer, how many other vulnerabilities might exist in the broader ecosystem of connected devices? The operation closed one door, but it raised questions about how many others remained open.
Notable Quotes
"We ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers, and lock the door behind them." — FBI Director Chris Wray
"This operation should make it crystal clear to our adversaries that we will not allow anyone to exploit our technology and networks." — Jodi Cohen, Special Agent in Charge, FBI Boston Field Office
The Hearth Conversation
Another angle on the story
Why target routers specifically? They seem like an odd choice for a nation-state actor.
Because routers are invisible. Most people buy them, plug them in, and forget they exist. They sit at the edge of a network, controlling all the traffic flowing in and out. If you control the router, you control everything connected to it—phones, computers, smart devices. And because they're rarely updated, they're vulnerable.
So the GRU was using these routers as a kind of mask?
Exactly. When they launched spearphishing campaigns or stole credentials, the traffic looked like it was coming from thousands of different locations across America. It made them harder to trace, harder to attribute. It gave them scale and deniability.
How did the FBI know which routers were compromised?
They worked with Ubiquiti and other partners in the tech industry who could see the malware signatures, the unusual traffic patterns. Once they identified the infected devices, they got a court order and executed the technical operation to remove the malware.
What happens to the people who owned these routers?
Most of them probably never knew anything happened. The FBI cleaned the routers, restored their control, and moved on. For the victims, it's a silent rescue—they get their networks back without ever realizing they'd been compromised.
Does this actually stop the GRU?
It stops this particular botnet, this particular operation. But it doesn't stop them from trying again with different routers, different manufacturers, different malware. It's a tactical victory, not a strategic one. The vulnerability remains.
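The "unusual traffic patterns" mentioned in the conversation can be made concrete from the network owner's side. A router that is being used as a mask originates connections that no device on the LAN asked for: a forwarded flow shows up on the LAN interface (from a client address) and again on the WAN interface (translated to the router's public address), while a flow the router starts on its own behalf appears on the WAN side only. The script below is an added example, not part of the original article and not the FBI's or Ubiquiti's method. It assumes a constructed CSV flow export with the columns router_id, side, src_ip, dst_ip and dst_port, pairs WAN flows with LAN flows per router, subtracts an owner-maintained allowlist of destinations the router legitimately contacts itself (NTP, firmware updates), and flags routers whose self-originated fan-out exceeds a threshold.

```python
import csv
import io
from collections import defaultdict

# Constructed flow export for illustration (not real data). One row per flow observation.
# side = "lan": seen on the LAN interface before NAT (src is a LAN client)
# side = "wan": seen on the WAN interface after NAT (src is the router's public IP)
SAMPLE_FLOWS = """router_id,side,src_ip,dst_ip,dst_port
rtr-home-01,lan,192.168.1.20,93.184.216.34,443
rtr-home-01,wan,198.51.100.7,93.184.216.34,443
rtr-home-01,wan,198.51.100.7,203.0.113.5,123
rtr-office-02,lan,10.0.0.15,93.184.216.34,443
rtr-office-02,wan,198.51.100.9,93.184.216.34,443
rtr-office-02,wan,198.51.100.9,203.0.113.10,443
rtr-office-02,wan,198.51.100.9,203.0.113.11,443
rtr-office-02,wan,198.51.100.9,203.0.113.12,25
rtr-office-02,wan,198.51.100.9,203.0.113.13,443
rtr-office-02,wan,198.51.100.9,203.0.113.14,80
rtr-office-02,wan,198.51.100.9,203.0.113.15,443
"""

# Destinations a router legitimately contacts on its own behalf. Constructed
# allowlist: here only the owner's configured NTP server (assumed value).
EXPECTED_ROUTER_DESTINATIONS = {("203.0.113.5", 123)}


def parse_flows(text):
    """Read the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def router_originated_flows(flows, allowlist=EXPECTED_ROUTER_DESTINATIONS):
    """Return {router_id: set of (dst_ip, dst_port)} for WAN flows that no LAN flow explains.

    A forwarded connection is seen on both sides with the same destination;
    a WAN-only destination means the router itself opened the connection.
    """
    lan = defaultdict(set)
    wan = defaultdict(set)
    for f in flows:
        key = (f["dst_ip"], int(f["dst_port"]))
        bucket = lan if f["side"] == "lan" else wan
        bucket[f["router_id"]].add(key)
    return {router: wan[router] - lan[router] - allowlist for router in wan}


def flag_routers(flows, max_self_destinations=3):
    """Routers whose self-originated fan-out exceeds the threshold, with the destinations seen."""
    findings = {}
    for router, dests in router_originated_flows(flows).items():
        if len(dests) > max_self_destinations:
            findings[router] = sorted(dests)
    return findings


if __name__ == "__main__":
    for router, dests in flag_routers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{router}: {len(dests)} self-originated destinations")
        for ip, port in dests:
            print(f"  -> {ip}:{port}")
```

On the sample data rtr-home-01 is clean (its only WAN-only flow is the allowlisted NTP server), while rtr-office-02 reaches six destinations on ports 25, 80 and 443 that no LAN client requested and is flagged. The threshold and allowlist need tuning per deployment: a router that runs its own DNS forwarder, a VPN tunnel or cloud management will originate flows legitimately, and matching on (dst_ip, dst_port) alone cannot distinguish two LAN clients contacting the same host, which is acceptable for this heuristic because only unexplained WAN-side destinations are counted.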