Editorial
The FBI may be in your router
Tuesday, April 15, 2025
In early 2024, the FBI launched an operation to dismantle a sophisticated malware campaign targeting thousands of U.S.-based computers. The action, focused on malware known as PlugX, was part of the agency’s broader effort to thwart a Chinese-backed hacking group known as Volt Typhoon. The malware, which had infected over 4,200 devices, was stealthily installed and used for espionage, often tracking sensitive information from government networks and critical infrastructure. By January 2025, the FBI had executed a court-authorized operation to remotely delete the malware from infected systems, with no evidence that data was retained or seized.
But how did the FBI gain the legal authority to conduct such an operation? The answer lies in a little-known section of U.S. law, Federal Rule of Criminal Procedure 41(b)(6)(B), which allows for remote access searches and seizures under specific circumstances. This rule, first enacted in 2016, was expanded to cover scenarios where the location of illicit data has been concealed using advanced technological means. The intent was clear: to equip law enforcement with tools to fight back against cybercriminals who exploit the anonymity of the internet to launch global attacks from anywhere, often beyond U.S. jurisdiction.
Under this rule, federal agents can obtain a warrant for remote access to infected devices, allowing them to track, disable, or delete malware. The courts must authorize the action, ensuring that the operation is not carried out without oversight. In this case, the FBI worked through a Federal District Court to secure judicial approval for its actions. Though no personal data was seized, the operation raised crucial questions about privacy, security, and the potential for overreach by government agencies.
It is important to note that the FBI’s operation did not involve “hacking” individual computers. Instead, the agency remotely cleaned infected systems by deleting the malware and preventing reinfection, actions intended solely to protect national security interests. Critics, however, remain concerned. The operation proceeded without prior notification to the owners of the compromised devices. The government argues that immediate notification could have jeopardized the success of the mission, which required swift action to prevent further espionage. Yet, this lack of prior notice is a fundamental point of contention among privacy advocates, who argue that such powers can erode the boundaries of personal privacy.
This situation highlights a growing dilemma in the digital age: How do we balance security needs with the protection of civil liberties? On one hand, the FBI’s intervention prevented the further spread of harmful malware, potentially saving sensitive government and infrastructure data. On the other hand, it raises uncomfortable questions about the extent to which law enforcement can access and manipulate private devices without direct consent.
The tradeoff between privacy and security is not a new debate, but the advent of remote digital intrusions—whether carried out by cybercriminals or the government—pushes the boundaries of what we consider acceptable. Is it reasonable for the government to intervene in this way, provided it has obtained a warrant? Or does such an operation set a dangerous precedent for unchecked surveillance, where citizens’ privacy can be breached under the guise of national security?
With evolving technology and an increasing number of cyber threats, the U.S. government may find itself forced to expand these powers. While the FBI’s intervention in this case was deemed legally permissible, the question remains: Is this OK? Is this a reasonable tradeoff between privacy and security? How far will the slippery slope take us?
It is up to us to ensure that, in the fight against cyber threats, we do not lose sight of our fundamental rights.

