China’s Router Armies: How Beijing’s Hackers Weaponize Everyday Devices for Global Espionage

China-linked hackers hijack routers and IoT devices into botnets for espionage, as warned in a 10-nation advisory. Groups like Volt Typhoon and Salt Typhoon target U.S. telecoms and infrastructure, stealing data and prepositioning attacks.
Written by Maya Perez

China-linked hackers have turned millions of household routers, webcams, and smart devices into invisible armies of proxies, masking their intrusions into critical networks worldwide. A joint advisory published on April 23, 2026 by cybersecurity agencies across 10 nations, including the U.S. FBI, CISA, and the UK’s NCSC, lays bare this tactic. These covert networks—botnets in plain sight—enable data theft, persistent access, and potential sabotage, all while evading detection. And the scale? Massive. Groups like Volt Typhoon and Flax Typhoon share these infrastructures, prepositioning for disruptive attacks on everything from U.S. power grids to telecom backbones.

The advisory warns: “Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks.” It’s not hyperbole. Volt Typhoon, a PRC-backed crew, assembled its KV Botnet from end-of-life Cisco and Netgear routers, burrowing into American critical infrastructure for years. They aimed to disrupt during crises, like a Taiwan conflict. Flax Typhoon, tied to China’s Integrity Technology Group—a firm ostensibly in information security—ran Raptor Train, infecting over 260,000 devices globally in 2024 alone. Routers. Firewalls. Webcams. NAS boxes. All hijacked for espionage against U.S. military, government, and telecom targets, primarily stateside and in Taiwan, as detailed by The Register.

But these Typhoons don’t operate alone. Multiple China-nexus groups pool resources, using the same botnets. Why? Efficiency. Deniability. The networks evolve fast—new ones spin up, old ones get disrupted by law enforcement. A full catalog would be obsolete overnight, the agencies note. Instead, they urge baselines: map edge traffic, filter threats dynamically, enforce MFA and zero-trust on remote access. High-risk outfits? Hunt anomalies with geographic profiling and machine learning.

Paul Chichester, NCSC operations director, called it a “deliberate shift” by China-based groups to dodge accountability, per Reuters. Covert networks hide malicious traffic in everyday IoT noise. Compromised SOHO gear becomes a launchpad for stealing secrets from critical sectors. Volt Typhoon lurked in U.S. communications, energy, transport, and water for five years, exploiting unpatched Cisco and Netgear kit, according to ComputerWeekly.

This fits a broader pattern. Salt Typhoon, another actor now publicly linked to China’s Ministry of State Security (MSS), hammered U.S. telecoms in 2024-2025. They breached AT&T, Verizon, T-Mobile, and others—nine in total—siphoning call records from millions, including presidential candidates and officials. They tapped FBI wiretap systems via CALEA portals, turning America’s surveillance tools against itself. The FBI labeled a related DCSNet breach a “major cyber incident” earlier this year, with hackers accessing surveillance target lists. Beijing denies it all. But the damage? Persistent access to broadband cores and to the routers that carry the internet’s traffic floods.

Citizen Lab’s fresh report exposes even deeper telecom meddling. State actors like Salt Typhoon and Liminal Panda exploit SS7 and Diameter signaling for location tracking and SMS interception. Infrastructure from operators in the UK, Israel, China, Thailand—dozens worldwide—gets hijacked. Attackers pose as legit providers, exfiltrate via sneaky SMS beacons. It’s global. Sophisticated. And ongoing, as outlined in Citizen Lab.

Responses mount. The FBI disrupted Raptor Train in September 2024 with Black Lotus Labs, and KV-Botnet earlier that year—though Volt Typhoon tried reviving it. The U.S. sanctioned Integrity Technology Group in January 2025. Now, this multinational alert pushes proactive hunts. CISA and NCSC also flagged “Firestarter,” a Cisco backdoor surviving patches, linked to China-aligned spies targeting government nets (Cyberscoop). Reimage devices. Hard reboot.

Criminals piggyback too. FBI’s SocksEscort takedown last month hit a proxy service abusing routers for fraud. But state actors dominate. Their goal: strategic edge. Prepositioned malware in grids. Stolen intel from telcos. Espionage at scale.

Defenders scramble. Baseline VPN flows. IP allow-lists. Certificate checks. Yet unpatched IoT floods the field—end-of-life gear everywhere. China-nexus crews exploit it ruthlessly. Networks shut down, pop up anew. Law enforcement chips away. But the proxy armies grow.
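What “baseline remote access, then hunt anomalies with geographic profiling” looks like in practice, as an added example that is not part of the article or the advisory: a small Python script profiles each account’s normal login countries and source-network types from a known-good window, then flags later logins that come from a new country, from a residential or SOHO source (the kind of proxy the covert networks are built from), without MFA, or too soon after a login from a different country. The log layout, the country and source-type labels, and the one-hour travel window are assumptions chosen for illustration; the log lines are constructed, not real data.

```python
# Added example: baseline-then-hunt over remote-access (VPN) login records.
# Not code from the advisory or the article; field layout and thresholds are
# assumptions made for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (TEST-NET addresses, not real users):
# timestamp,user,src_ip,country,src_type,mfa
BASELINE_LOGS = """\
2026-04-01T08:02:11Z,alice,203.0.113.10,US,corporate,yes
2026-04-01T08:15:40Z,bob,203.0.113.22,US,corporate,yes
2026-04-02T09:01:05Z,alice,203.0.113.10,US,corporate,yes
2026-04-03T07:55:30Z,bob,198.51.100.7,US,corporate,yes
"""

HUNT_LOGS = """\
2026-04-20T10:00:00Z,alice,203.0.113.10,US,corporate,yes
2026-04-20T10:04:00Z,alice,192.0.2.77,BR,residential,yes
2026-04-20T11:30:00Z,bob,198.51.100.7,US,corporate,no
2026-04-20T12:00:00Z,bob,203.0.113.22,US,corporate,yes
"""

# Two logins from different countries closer together than this are flagged
# as impossible travel (assumed threshold).
TRAVEL_WINDOW = timedelta(minutes=60)


def parse_log(text):
    """Parse the constructed CSV-style records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, src_type, mfa = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "country": country,
            "src_type": src_type,
            "mfa": mfa == "yes",
        })
    return events


def build_baseline(events):
    """Per-account profile: countries and source-network types seen in the
    known-good window. This is the 'map normal edge traffic' step."""
    profile = defaultdict(lambda: {"countries": set(), "src_types": set()})
    for e in events:
        profile[e["user"]]["countries"].add(e["country"])
        profile[e["user"]]["src_types"].add(e["src_type"])
    return profile


def hunt(events, baseline):
    """Return (user, src_ip, reason) findings for logins that deviate from
    the account's baseline or from the MFA policy."""
    findings = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        profile = baseline.get(e["user"])
        if profile is None:
            findings.append((e["user"], e["ip"], "unknown-account"))
        else:
            if e["country"] not in profile["countries"]:
                findings.append((e["user"], e["ip"], "new-country"))
            if e["src_type"] not in profile["src_types"]:
                findings.append((e["user"], e["ip"], "new-source-type"))
        if not e["mfa"]:
            findings.append((e["user"], e["ip"], "no-mfa"))
        prev = last_seen.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["ts"] - prev["ts"] < TRAVEL_WINDOW):
            findings.append((e["user"], e["ip"], "impossible-travel"))
        last_seen[e["user"]] = e
    return findings


def run_example():
    """Build the baseline from the good window and hunt the later window."""
    baseline = build_baseline(parse_log(BASELINE_LOGS))
    return hunt(parse_log(HUNT_LOGS), baseline)


if __name__ == "__main__":
    for user, ip, reason in run_example():
        print(f"{user:8} {ip:15} {reason}")
```

Against the constructed data, alice’s second login is flagged three times (new country, residential source, four minutes after a U.S. login) and bob’s 11:30 login once (no MFA); the known-good window hunted against its own baseline yields nothing. In a real deployment the country and source-type fields would come from GeoIP and ASN enrichment of the VPN or edge-device logs, and the baseline window would be chosen to predate any suspected compromise.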

Fragmented defenses won’t cut it. Organizations must treat every router as a potential Trojan. Map it. Monitor it. Patch what you can, segment the rest. The watchers became watched. Now everyone must watch their edges.
