FBI AVrecon Malware Warning: 18 Routers You Need to Replace Immediately

The FBI issued a FLASH notice on March 12, 2026, identifying 18 router models compromised by AVrecon malware. Hackers used these routers as residential proxies, selling access over 369,000 times through the SocksEscort service. Find out if your router is affected and what to do next.

Key Takeaways:

  • The FBI issued a FLASH notice on March 12, 2026, naming 18 specific router models from D-Link, Netgear, TP-Link, and Zyxel that were compromised by AVrecon malware and turned into criminal proxy servers.
  • Hackers exploited known security flaws in these older, end-of-life routers to install malware, then sold access to approximately 369,000 compromised devices through a service called SocksEscort, which was used for banking fraud, identity theft, and other crimes.
  • If your router is on this list, the FBI recommends replacing it immediately with a model that still receives security updates. Simply rebooting or factory resetting an infected router is not enough to fully resolve the problem.

What Happened: The FBI AVrecon FLASH Notice Explained

On March 12, 2026, the FBI released a FLASH notice warning the public about a large-scale malware operation targeting home and small office routers. The malware, known as AVrecon, was used to hijack routers and turn them into what are called residential proxies.

In plain terms, this means hackers took control of everyday home routers and secretly rerouted criminal internet traffic through them. To anyone watching, the illegal activity appeared to come from a normal household internet connection rather than a criminal operation.

The compromised devices were sold through a criminal service called SocksEscort. According to the FBI, access to approximately 369,000 devices was sold through SocksEscort since 2020, and the service was used to commit ad fraud, banking fraud, romance scams, password attacks, and other cybercrimes across roughly 163 countries.

The good news is that a joint law enforcement operation involving the FBI, Europol, and agencies from France, Austria, and the Netherlands has since taken the SocksEscort service down. However, if your router is on the affected list, it remains vulnerable to future attacks because the underlying security flaws have not been patched.

The Complete List of 18 Affected Routers

The FBI's notice identified approximately 1,200 device models that were targeted in total. However, 18 routers were called out as the most frequently compromised. Here is the full list, organized by manufacturer.

D-Link (3 Models)

  • D-Link DIR-818LW
  • D-Link DIR-850L
  • D-Link DIR-860L

Netgear (2 Models)

  • Netgear DGN2200v4
  • Netgear AC1900 R7000

TP-Link (4 Models)

  • TP-Link Archer C20
  • TP-Link TL-WR840N
  • TP-Link TL-WR849N
  • TP-Link TL-WR841N

Zyxel (9 Models)

  • Zyxel EMG6726-B10A
  • Zyxel PMG5617GA
  • Zyxel VMG1312-B10D
  • Zyxel VMG1312-T20B
  • Zyxel VMG3925-B10A
  • Zyxel VMG3925-B10C
  • Zyxel VMG4825-B10A
  • Zyxel VMG4927-B50A
  • Zyxel VMG8825-T50K

The FBI also identified two Hikvision security cameras among the most commonly compromised devices, though this article focuses on the router models.

Important note: Even if your exact router model is not on this list, the FBI's notice stated that roughly 1,200 device models were targeted overall. Any router that is end-of-life (meaning the manufacturer has stopped releasing security updates) is at elevated risk.

How to Check if Your Router Is Affected

If you are not sure what router model you have, here is how to find out:

Check the label on the device. Most routers have a sticker on the bottom or back panel that lists the exact model number and manufacturer.

Log into your router's admin panel. Open a web browser and type 192.168.1.1 or 192.168.0.1 into the address bar. The login page or dashboard usually displays the model name and current firmware version. If you have never changed the login credentials, the default username and password are often printed on the same label as the model number.

Check your ISP account. If your internet service provider supplied your router, your account page or a past bill may list the equipment model.
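For an office or household with more than a few devices, the same model check can be run over an inventory list. The Python below is an added example, not part of the FBI notice or this article's original text; the hostnames and descriptions are constructed, and the matching rules (ignore case and separators, allow a trailing hardware revision, reject longer model names such as R7000P) are assumptions about how models are written on labels and in admin panels.

```python
import re

# The 18 models listed above. "AC1900" is the speed class of the Netgear R7000,
# so only the model number is matched.
FLAGGED = {
    "D-Link": ["DIR-818LW", "DIR-850L", "DIR-860L"],
    "Netgear": ["DGN2200v4", "R7000"],
    "TP-Link": ["Archer C20", "TL-WR840N", "TL-WR849N", "TL-WR841N"],
    "Zyxel": ["EMG6726-B10A", "PMG5617GA", "VMG1312-B10D", "VMG1312-T20B",
              "VMG3925-B10A", "VMG3925-B10C", "VMG4825-B10A", "VMG4927-B50A",
              "VMG8825-T50K"],
}

def _pattern(model):
    # Split on separators, and before a version suffix that is part of the
    # model name (DGN2200v4), so "DGN2200 V4" and "VMG1312_B10D" still match.
    parts = re.split(r"[^A-Za-z0-9]+|(?<=\d)(?=v\d)", model)
    body = r"[\s_-]*".join(re.escape(p) for p in parts)
    # The name must not sit inside a longer one (R7000P, TL-WR841ND, Archer
    # C20i); an attached hardware revision such as "v14" is allowed.
    return re.compile(rf"(?<![A-Za-z0-9]){body}(?=V\d|[^A-Za-z0-9]|$)", re.I)

PATTERNS = [(vendor, model, _pattern(model))
            for vendor, models in FLAGGED.items() for model in models]

def match_flagged(description):
    """Return (vendor, model) if the free-text description names a listed model."""
    for vendor, model, pattern in PATTERNS:
        if pattern.search(description):
            return vendor, model
    return None

def audit(inventory):
    """Return only the inventory entries that match a listed model."""
    return {host: hit for host, desc in inventory.items()
            if (hit := match_flagged(desc))}

# Constructed sample inventory (hostnames and descriptions are made up).
SAMPLE = {
    "front-office": "TP-LINK TL-WR841N v14",
    "warehouse": "netgear nighthawk ac1900 (r7000)",
    "lab": "Netgear R7000P",
    "branch-dsl": "ZyXEL VMG1312_B10D",
    "old-dsl": "Netgear DGN2200v3",
    "guest": "TP-Link Archer C20i",
    "home": "NETGEAR DGN2200 V4",
}

if __name__ == "__main__":
    for host, (vendor, model) in audit(SAMPLE).items():
        print(f"{host}: {vendor} {model} is on the list; plan a replacement")
```

A miss here only means the device is not one of the 18 named models; it may still be among the roughly 1,200 targeted models or be end-of-life.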

Why These Routers Were Targeted

All 18 routers on this list share a common problem: they are older models that have reached end-of-life status with their manufacturers. This means they no longer receive firmware updates or security patches.

The FBI's notice explained that attackers used well-known security vulnerabilities, including remote code execution (RCE) and command injection flaws, to install AVrecon malware. These are weaknesses that allow a hacker to remotely run commands on your router without any physical access or your knowledge.

AVrecon malware specifically targets small office and home routers running on MIPS and ARM processors. Unlike a computer or phone, most routers do not have antivirus software or endpoint detection tools. This makes them easy targets, and infections are very difficult for the average user to detect.

Once the malware is installed, it opens a remote connection that gives the attacker persistent control of the device. Your internet may continue to work normally, which is exactly why most people never realize their router has been compromised.

What to Do If Your Router Is on the List

Replace the router. This is the FBI's primary recommendation. If your router is on the list above, or if it is any end-of-life model that no longer receives security updates, replace it with a current model that is actively supported by its manufacturer.

Do not rely solely on a reboot or factory reset. The FBI notes that rebooting can disrupt some active infections but will not prevent reinfection. A factory reset with a firmware update can help in some cases, but certain AVrecon variants can disable the factory reset function entirely. For end-of-life routers, even the latest available firmware will not fix the vulnerabilities that hackers exploit.

Disable remote management. If you must continue using an older router temporarily, log into the admin panel and disable any remote management or remote access features. This closes one of the most common entry points for this type of attack.

Monitor your network traffic. Unusual spikes in data usage, slow performance with no clear cause, or unfamiliar devices connected to your network can all be signs of a compromised router.

What Is a Residential Proxy and Why Should You Care

A residential proxy is a home internet connection, in this case your router, that relays someone else's internet traffic so their activity appears to come from your IP address. When criminals use your connection this way, any fraud, hacking attempts, or illegal transactions they carry out look like they originate from your household.

This is a serious concern for several reasons. Law enforcement investigations could trace criminal activity back to your IP address. Your internet service provider could flag or throttle your connection due to suspicious traffic. Your IP address could end up on blocklists, making it harder for you to access certain websites or services.

Best Replacement Routers for 2026

If your router is on the FBI's list, or if you are using any router that is more than five years old and no longer receiving updates, it is time to upgrade. The following routers all support Wi-Fi 6 or newer, receive regular automatic security updates, and come from manufacturers with strong track records for ongoing firmware support.

1. TP-Link Archer AX21 (Wi-Fi 6)

The Archer AX21 is one of the best budget-friendly Wi-Fi 6 routers available. It delivers dual-band speeds up to 1.8 Gbps, supports automatic firmware updates, and includes WPA3 encryption. An excellent choice for anyone replacing an older TP-Link router on the FBI's list without spending a lot.

2. TP-Link Archer AX55 (Wi-Fi 6)

A step up from the AX21, the Archer AX55 adds a USB 3.0 port, OneMesh support for future expansion, and TP-Link HomeShield security features. This is a solid mid-range option for households with 20 or more connected devices.

3. Netgear Nighthawk RAX50 (Wi-Fi 6)

For Netgear users replacing a compromised R7000 or DGN2200v4, the RAX50 is the natural upgrade. It offers dual-band Wi-Fi 6 speeds up to 5.4 Gbps, Netgear Armor cybersecurity (powered by Bitdefender), and automatic firmware updates. Netgear has significantly improved its security update cadence on current Nighthawk models.

4. ASUS RT-AX86U Pro (Wi-Fi 6)

ASUS is known for some of the most frequent and long-lasting firmware support in the router industry. The RT-AX86U Pro includes built-in AiProtection (powered by Trend Micro), a lifetime free security suite that actively blocks malicious connections. Dual-band with speeds up to 5.7 Gbps.

5. ASUS RT-AX58U (Wi-Fi 6)

A more affordable ASUS option that still includes AiProtection security, automatic updates, and parental controls. Dual-band speeds up to 3 Gbps make this a practical choice for medium-sized homes.

6. TP-Link Deco X55 Mesh System (Wi-Fi 6)

If your home has dead zones or you need coverage across a large area, a mesh system is the better choice over a single router. The Deco X55 covers up to 6,500 square feet (3-pack), supports WPA3, receives automatic updates, and includes TP-Link HomeShield built-in security scanning.

7. Netgear Orbi RBK752 Mesh System (Wi-Fi 6)

The Orbi RBK752 is a premium mesh system with a dedicated backhaul band to keep your main Wi-Fi channels clear. It includes Netgear Armor security with 30 days free (subscription after that) and delivers tri-band speeds up to 4.2 Gbps. Ideal for larger homes up to 5,000 square feet.

8. GL.iNet Flint 2 (GL-MT6000)

For users who want maximum control over their router security, the GL.iNet Flint 2 runs OpenWrt, an open-source firmware that receives frequent community-driven security patches. It includes a built-in AdGuard Home ad blocker, WireGuard VPN support, and Wi-Fi 6 speeds up to 6 Gbps. Best suited for users comfortable with slightly more advanced setup.

9. ASUS ZenWiFi XT8 Mesh System (Wi-Fi 6)

A premium mesh option from ASUS with AiProtection Pro, tri-band design, and coverage up to 5,500 square feet (2-pack). The ZenWiFi line is one of the few mesh systems that combines strong whole-home coverage with enterprise-grade security features at a consumer price point.

10. Motorola MH7603 Mesh System (Wi-Fi 6)

A reliable and affordable mesh system from Motorola. The MH7603 3-pack covers up to 4,500 square feet, supports WPA3 encryption, and delivers Wi-Fi 6 speeds up to 1.8 Gbps. A straightforward, easy-to-set-up option for anyone who wants to replace an older router and not worry about complex configuration.

What to Look for in a Secure Router

When choosing a replacement router, prioritize these security features:

Automatic firmware updates. This is the single most important feature. The routers on the FBI's list were exploited specifically because they stopped receiving patches. Choose a router that downloads and installs updates automatically so you do not have to remember to do it yourself.

WPA3 encryption. WPA3 is the latest Wi-Fi security standard and provides stronger protection against password-guessing attacks than the older WPA2 protocol.

Built-in threat detection. Several current routers include security suites like ASUS AiProtection, Netgear Armor, or TP-Link HomeShield. These features can detect and block suspicious connections before they reach your devices.

Active manufacturer support. Before buying, check the manufacturer's website to confirm the model is still actively supported and receiving updates. Avoid purchasing any router that is close to end-of-life status.

FAQ

How do I know if my router has been hacked by AVrecon malware?

AVrecon malware is very difficult to detect because it does not cause obvious symptoms. Your internet may work normally even while the router is compromised. Signs to watch for include unexplained spikes in data usage, slower than normal speeds with no clear reason, or unfamiliar devices appearing on your network. The most reliable step is to check if your router model is on the FBI's list. If it is, the safest course of action is to replace it.

Can I fix a router infected with AVrecon by rebooting it?

Rebooting may temporarily disrupt an active infection, but it will not protect you from reinfection. The FBI notes that a factory reset combined with a firmware update can help in some cases, but some variants of AVrecon can disable the factory reset function. For routers that are end-of-life and no longer receiving patches, even a factory reset cannot fix the security vulnerabilities that hackers exploit to install the malware in the first place.

Is my router safe if it is not on the FBI's list of 18 models?

Not necessarily. The FBI's notice stated that approximately 1,200 device models were targeted in total. The 18 routers named were simply the most frequently compromised. Any router that is end-of-life, running outdated firmware, or has remote management enabled is potentially at risk. If your router is more than five years old and no longer receiving manufacturer updates, replacing it is strongly recommended regardless of whether it appears on this specific list.

What is a residential proxy and why was my router targeted?

A residential proxy routes someone else's internet traffic through your home router so their activity appears to come from your IP address. Criminals specifically target home routers for this purpose because traffic from a residential IP address looks legitimate and is much less likely to be flagged or blocked by websites, banks, and security systems compared to traffic from a data center. Your router was not targeted because of anything you did. These attacks are automated and scan the internet for any vulnerable device.

Will a new router protect me from future malware attacks?

A new, actively supported router dramatically reduces your risk. Current models receive regular security patches that fix vulnerabilities before hackers can exploit them. However, no device is completely immune to all threats. To stay protected, make sure automatic updates are enabled, change the default admin password to something strong, disable remote management unless you specifically need it, and use WPA3 encryption for your Wi-Fi network.

Were any internet service provider (ISP) supplied routers on the FBI's list?

Some of the Zyxel models on the list, particularly the VMG series, are commonly distributed by ISPs as part of bundled internet service packages, especially in Europe and parts of Asia. If your ISP provided your router and it matches any model on the FBI's list, contact your ISP to request a replacement. Many ISPs will replace end-of-life equipment at no charge, particularly when a documented security threat has been identified by a federal agency.

Does the FBI AVrecon warning affect routers used only for Wi-Fi or also modem-router combos?

The warning applies to both standalone routers and combination modem-router (gateway) devices. Several of the Zyxel models on the list are VDSL2 modem-router gateways that combine internet modem and Wi-Fi router functions in a single device. Whether your device is a standalone router or a combination unit, the vulnerability is in the router's software, not the modem hardware. If your gateway device is on the list, you need to replace the entire unit.

 
