Level 23
The FBI has been tipped off about a novel cybercriminal operation in which a hacker managed not only to breach as many as 130,000 Asus routers, but is also scoring them as to how useful they might be for fraudsters.
This hacker’s selling access to those individual Asus devices—most of them based in the U.S.—for as little as a few dollars, so fraudsters can run their traffic through them, according to security researchers who told Forbes about their tip-off to the feds.
And the researchers tell Forbes he’s possibly “enriching” his offerings with separate databases, one containing personal information on 500,000 Americans, others full of stolen credit card details.
It’s all part of a novel scheme to give fraudsters a much better chance of pulling off identity thefts and using stolen credit cards without getting caught. If your router, personal data or credit card details are in the hacker’s growing piles of stolen data, it could mean you’re soon to become a victim.
How did the hacker find the routers?
The Asus routers were harvested when the Ava-Tools mastermind carried out mass scanning of the Web for those that contained a known vulnerability dating back to at least 2018, according to the researchers. Though patches are available for that vulnerability, the hacker relied on people not patching their systems and was then able to grab the IP addresses of at least 50,000 and up to 130,000 Asus devices. (Asus hadn’t responded to a request for comment at the time of publication.) From there, he exploited the routers to allow others to route their traffic through them, the White Ops analysts said.
Haines and Kujawski also believe that because he leaked some personal information in that backup, they know who’s behind a crime: a Moldovan-based male who may well be working with a security professional. They aren’t revealing his name or age to Forbes, for fear of ruining any investigation, though they did tip off the FBI.
The FBI hadn’t responded to a request for comment. It’s unclear if any investigation is under way. The site remains operational, and Haines thinks more is to come.
“We believe that he's setting up shop, like this is the start of everything,” Haines adds. “Every time we take a look. he's got more and more [data]. The website is being updated; the databases are updated.
Where’s the data being sold?
The data is being flogged over the website avatools[.]ru, which started operating in earnest in August last year and currently has around 100 active users, say Dina Haines and Cory Kujawski, who uncovered the illicit operation. Anyone visiting the site today will be greeted with a login page and a warning in Russian (translated by Google): “If you accidentally come in—run fools! You will be hacked.” Others who are interested in what’s inside are still welcome, though, the site reads.

On avatools[.]ru, access to tens or possibly hundreds of thousands of routers is on offer, according to Haines and Kujawski, intelligence analysts at cybersecurity company White Ops. They think the avatools[.]ru controller is selling the packages to fraudsters who want to use hacked routers to carry out fraudulent transactions via stolen credit card details.