What a $46 Million Criminal Enterprise Can Teach You About Your Network Edge


Every organization has a plan for its newest technology. Few have a plan for when that technology reaches the end of its useful life. At the FBI, we see the consequences of that and similar gaps in nearly every major cyber investigation we run.

End-of-life routers, firewalls, VPN gateways, and other edge devices sit at the boundary of your network, often still functioning well enough that no one thinks to replace them. But when a vendor stops issuing security patches, those devices become fixed targets. The vulnerabilities are known, the exploits are available, and the owners are not watching.

This week, as part of Operation Winter SHIELD, we are focusing on one of the ten key defenses the FBI recommends for every organization: track and retire end-of-life technology on a defined schedule.

Operation Moonlander: Twenty Years of Access, Built on Forgotten Hardware

In May 2025, the FBI dismantled a criminal proxy network called 5SOCKS in an operation we named Moonlander. Four operators, three Russian nationals and a Kazakhstani national, had been running this scheme for more than twenty years. They infected thousands of end-of-life wireless routers with a variant of TheMoon malware, then sold access to those compromised devices as proxy services. Over the life of the operation, it generated more than $46 million.

The routers they targeted were specific Linksys models manufactured around 2010 or earlier, long past the point where the vendor was releasing security patches. This is the kind of hardware that ends up in a closet or on a shelf, still plugged in, still connected, completely unmanaged. The malware does not require a password and can bypass remote administration credentials. Once installed, it checks in with its command-and-control server every few minutes. The router owners had no idea: their internet still worked. The router just also worked for someone else.

The FBI’s Oklahoma City Cyber Task Force led the investigation. Working with the Dutch National Police, the Royal Thai Police, and researchers at Lumen Technologies’ Black Lotus Labs, we seized the 5SOCKS and Anyproxy domains, dismantled the botnet infrastructure, and secured indictments against all four operators.

The business model was straightforward: bet that people and organizations would leave outdated, unsupported hardware plugged in and connected. For twenty years, that bet paid off.

Same Story, Different Adversaries

Criminals are not the only ones exploiting neglected edge devices. Chinese cyber actors have used the same types of vulnerabilities in end-of-life routers to build botnets that conceal intrusions into U.S. critical infrastructure. The FBI has disrupted multiple PRC-linked botnets built on compromised edge devices.

Russia’s GRU has followed a similar approach. In January 2024, the FBI conducted Operation Dying Ember, removing Russian military intelligence hackers from more than a thousand home and small business routers. The GRU did not build that botnet from scratch. Criminal actors had first installed Moobot malware on Ubiquiti Edge OS routers that still used publicly known default passwords. The GRU piggybacked on that criminal infrastructure and repurposed it into a global cyber espionage platform. The FBI removed the malicious files, modified firewall rules to lock the GRU out, and worked through internet service providers to notify affected router owners.

Different actors, different objectives, same underlying condition: edge devices no one was managing, monitoring, or maintaining.

CISA’s New Directive

On February 5, 2026, CISA issued Binding Operational Directive 26-02, requiring all federal civilian agencies to inventory, decommission, and replace end-of-support edge devices. The phased timeline gives agencies three months for initial inventory, twelve months to begin removing devices past end-of-support, and twenty-four months to establish continuous discovery so the cycle does not restart. CISA describes the threat as “substantial and constant.” That tracks with what we see in our cases.

The FBI joined CISA and the U.K.’s National Cyber Security Centre in co-releasing a joint fact sheet alongside the directive, urging all organizations to follow the same lifecycle management practices. The directive applies to federal networks. The threat does not observe the same boundaries. Every case in this post involved private sector infrastructure that adversaries turned into operational platforms.

What You Can Do This Week

BOD 26-02 lays out a structured lifecycle framework. The principles apply whether you run a federal agency, a regional hospital, or a ten-person business.

Inventory your edge. You cannot retire what you have not found. Identify every internet-facing device on your network and assign an owner to each one. CISA is giving federal agencies three months. Give yourself the same deadline.

Build an EOL forecast. Maintain a rolling 12-month end-of-life calendar, reviewed quarterly with asset owners and procurement. Vendor EOL announcements are your early warning system.

Replace or isolate, with a deadline. When a device reaches end-of-support, replace it. If operational constraints force a delay, isolate it behind compensating controls with a firm decommission date attached. “We’ll get to it” is not a compensating control.

Disable remote administration. Unless there is a documented business need, turn it off. TheMoon malware targets devices with remote administration enabled. The GRU exploited routers with default passwords and remote management exposed.

Reboot and update. Many botnets rely on malware that lives in volatile memory. A reboot can clear the infection, but without patching the underlying vulnerability or replacing the device, reinfection follows. Pair reboots with firmware updates when available. Replace devices when updates stop.

Establish continuous discovery. BOD 26-02 requires federal agencies to stand up an ongoing discovery process within twenty-four months. This is the most important requirement in the directive, because it prevents the inventory from going stale. Make edge device lifecycle a standing agenda item in your security program.

Report suspicious activity. If you suspect your router has been compromised, file a report with the FBI’s Internet Crime Complaint Center at ic3.gov and contact your local FBI field office. Your reporting helps us track these networks and protect others.

The Bigger Picture

CISA is setting the standard for federal networks. The FBI is showing, through real investigations and real disruptions, what happens when that standard is not met. End-of-life technology is one of the most predictable, preventable risks in cybersecurity. The U.S. Government has now made eliminating it a binding requirement for federal agencies and a co-signed recommendation for everyone else.

If your federal partners are being directed to remove unsupported edge devices from their networks, what is your plan?

End-of-life does not mean end-of-risk. If a device is still connected, it is still a target. Track it, plan for it, and retire it on your schedule, not the adversary’s.

