The National Cyber Security Centre (NCSC) and 15 international partners issued a joint advisory. It warns that China-linked threat actors are hiding attacks behind networks of compromised everyday internet devices.
The advisory details a major tactical shift. Groups affiliated with Beijing now route activity through hundreds of thousands of compromised home routers and smart devices. That approach replaces dedicated attacker infrastructure.
Botnets Built From Compromised Home Devices
The document identifies a pattern across Volt Typhoon and Flax Typhoon operations. In each case, traffic passes through compromised small office and home office routers before reaching its target.
These covert networks help China-linked operators scan targets, deliver malware, and exfiltrate data. They also obscure the origin of each attack.
Raptor Train, one such network, infected more than 200,000 devices worldwide in 2024, according to the NCSC. The FBI attributed its management to Integrity Technology Group, a Beijing-based cybersecurity firm.
The United Kingdom sanctioned the company in December 2025 for reckless cyber activity against its allies.
Many of the compromised machines are end-of-life web cameras, video recorders, firewalls, and network storage devices. These no longer receive security patches from manufacturers. That leaves them easy targets for bulk exploitation.
Western Infrastructure Already Pre-Positioned
Volt Typhoon has used a separate covert network called the KV Botnet. The group established footholds on critical national infrastructure across the United States and allied countries.
Department of Justice filings referenced in the advisory support this finding. Energy grids, transport systems, and government networks are named as active targets.
Paul Chichester, NCSC Director of Operations, flagged a separate problem known as indicator of compromise extinction. Identifiers used to track attackers disappear almost as fast as researchers publish them.
The problem mirrors wider difficulties in tracking state-backed hacking campaigns across both critical infrastructure and financial sectors.
“In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability,” said Paul Chichester, NCSC Director of Operations.
The advisory urges organisations to baseline normal network traffic and adopt dynamic threat feeds. It also recommends tracking China-linked covert networks as advanced persistent threats in their own right.
2024 recorded more than $2 billion in digital-asset losses from cyber activity. The coming months will test whether defenders can keep pace. The adversary has made attribution itself the first victim.





