Russian Hackers DNS Hijacking via Router Exploitation — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 26, 2026

Severity: HIGH | View Full Scam Details

Russian Hackers’ DNS Hijacking via Router Exploitation in India 2026: A High-Risk Phishing Scam

A new cybercrime wave is hitting Indian internet users in 2026, where Russian hackers exploit home and business routers to hijack DNS settings and steal sensitive data — a stealthy scam with potentially huge financial losses.

What Is the Russian Hackers DNS Hijacking via Router Exploitation?

In simple terms, DNS hijacking is when cybercriminals change your internet router’s Domain Name System (DNS) settings to redirect your web traffic to fake websites. This scam specifically involves Russian hackers who target vulnerable or outdated routers commonly used in Indian households and small businesses. Instead of traditional phishing emails, these attackers quietly infiltrate routers, often linked to Russian military intelligence.

The main targets are individuals and businesses using Microsoft Office apps heavily, as these applications can unknowingly download malware through manipulated web visits. The hackers scan the internet, searching for routers with weak or default passwords and outdated firmware—a scenario still common in many Indian homes and local offices. CERT-In (India’s Computer Emergency Response Team) has noted an increase in DNS hijacking cases since late 2025, prompting warnings for better router security.

Given India’s rapid digital growth with UPI payments, Aadhaar-linked services, and online banking, this scam poses a serious threat nationwide. RBI and the Ministry of Electronics and IT (MeitY) have issued alerts urging users to secure their networks, highlighting the scam’s growing presence in metropolitan and tier-2 cities alike.

How This Scam Works — Step by Step

1. Router Vulnerability Scanned: Hackers use automated tools to search for routers with outdated firmware or default admin passwords, commonly found in Indian homes and shops.

2. Silent DNS Setting Changes: Without your knowledge, attackers remotely log into your router’s admin panel and alter its DNS configuration.

3. Redirection to Fake Websites: When you type bank or payment app URLs (like those for SBI, Paytm, or Google Pay), the manipulated DNS leads you to phishing sites that look identical to the official ones.

4. Malware Push via Microsoft Office: If you open Microsoft Office documents received in emails or WhatsApp with these fake websites open, hidden malware downloads quickly infect your device.

5. Credentials and Data Theft: Entering UPI PINs, Aadhaar details, or login passwords on these fake pages sends your information directly to attackers.

6. Financial Fraud Begins: Using stolen data, hackers initiate fraudulent UPI transfers or SIM swaps to drain bank accounts.

Unlike typical phishing attacks that rely on suspicious emails, this method is stealthier—many victims won’t notice their internet acting slightly different until it’s too late.

Real Warning Signs to Watch For

• Sudden slow internet or unusual redirects when trying to access bank or payment apps.
• Browser warnings about insecure or untrusted websites despite entering correct URLs.
• Unexpected Microsoft Office pop-ups or documents requesting macro activation.
• Browser address bar showing misspelled or strange URLs resembling your bank or UPI app.
• Unable to log in to online banking despite correct credentials.
• Receiving OTPs or transaction alerts for payments you didn’t initiate.
• Router admin login passwords reverting to defaults or inaccessible to you.

What Happens to Victims

Victims often suffer heavy financial losses due to fraudulent UPI transactions and bank transfers. Since many attackers use SIM swap fraud alongside DNS hijacking, victims lose control over Aadhaar-linked mobile numbers essential for OTP verifications. Banks may struggle to reverse fraudulent UPI transactions if reported late, causing irreversible monetary damage.

Emotionally, victims experience severe stress and anxiety, especially small business owners who depend heavily on their digital infrastructure. Trust in digital payments and online services also declines, affecting India’s digital economy growth.

What RBI and CERT-In Say

The Reserve Bank of India emphasizes regular monitoring of financial transactions and warns against sharing OTPs or UPI PINs with anyone, no matter the source. RBI’s helpline (1860-180-2231) is available for fraud-related queries.

CERT-In advises all internet users to regularly update router firmware, change default passwords, and use strong unique passwords for device admin panels. CERT-In’s cybercrime helpline number is 1930. The Indian Cyber Crime Coordination Centre (I4C) also works alongside CERT-In for rapid response to such scams.

Both bodies stress the importance of:

• Avoiding clicking on unknown links or attachments.
• Verifying URLs carefully.
• Reporting suspicious cyber activities immediately.

How to Protect Yourself

1. Change Router Default Passwords: Immediately update your router’s admin credentials using strong alphanumeric passwords.

2. Update Firmware Regularly: Check your router manufacturer’s website or support pages for the latest firmware and install updates.

3. Disable Remote Management: Turn off remote access features on your router to prevent unauthorized logins.

4. Use Trusted DNS Services: Switch to secure DNS providers like Google DNS (8.8.8.8) or Cloudflare (1.1.1.1) in your router settings.

5. Avoid Clicking on Suspicious Office Documents: Be cautious with Microsoft Office attachments received via email or WhatsApp, especially from unknown contacts.

6. Monitor UPI and Bank Transactions: Regularly review all transaction alerts and report any discrepancies immediately to your bank.

7. Secure Your Aadhaar and Sim: Use the mAadhaar app’s lock features and avoid sharing OTPs or SIM details.

What to Do If You've Been Targeted

• Change your router password and update firmware immediately.
• Contact your bank without delay to block any suspected fraudulent transactions.
• Report the scam to the cybercrime portal at cybercrime.gov.in, providing all evidence (screenshots, transaction details, etc.).
• Call the 1930 CERT-In helpline and your bank’s fraud helpline for support.
• Request your mobile operator to block SIM swap attempts or change SIMs if required.
• File a First Information Report (FIR) at your local police station if fraud has occurred.

Frequently Asked Questions

Q: Can my regular antivirus protect me against DNS hijacking?
A: Antivirus software might detect malware after infection but does not prevent router-level DNS hijacking. Securing your router’s settings is essential.

Q: How do I know if my router is vulnerable?
A: If you never changed the router’s password or updated its firmware, it’s likely vulnerable. Check your router’s admin panel and update it immediately.

Q: What should I do if I receive suspicious Microsoft Office files?
A: Do not open or enable macros in files from unknown sources. Verify with the sender through a separate channel before opening attachments.

Stay alert and protect your digital life! Always verify suspicious messages and URLs at BharatSecure.app before clicking or sharing sensitive info. Your vigilance is the first line of defense against scams like this.