Allied cyber agencies warn of China-linked hidden hacker networks
China-linked hackers are hiding inside ordinary routers and smart devices, forcing allied agencies to warn that compromised gadgets can erase their own tracks.

China-linked hackers are increasingly hiding inside ordinary home routers and smart devices, turning everyday hardware into covert relay networks that allied cyber agencies say are far harder to detect, attribute and remove than a conventional intrusion. The new warning, released on April 23 during the second day of CYBERUK 2026 in Glasgow, targets organisations that rely on internet-connected edge devices and could find those devices quietly folded into attack infrastructure.
Britain’s National Cyber Security Centre issued the guidance with industry partners and 15 international partners from nine other countries, including the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand and Spain. Paul Chichester, the NCSC’s director of operations, said the agency had seen a deliberate shift by China-based cyber groups to use these networks to avoid accountability. The advisory says the networks are being leveraged at scale to steal sensitive data, maintain persistent access and reach critical sectors around the world, from government and communications to other sensitive infrastructure.
The warning also focuses on a technical problem that makes this campaign especially difficult to shut down: IOC extinction. The NCSC says indicators of compromise can disappear as quickly as they are discovered, which means defenders cannot rely only on static lists of known malicious addresses or signatures. The agency said the covert networks are often built from compromised everyday internet-connected edge devices such as home routers and smart devices, and that they are created and maintained externally by Chinese information security companies. The Chinese foreign ministry did not immediately respond to requests for comment.
The threat is not new, but the scale is growing. In September 2024, the Federal Bureau of Investigation, the National Security Agency and Australian cyber authorities warned that PRC-linked actors had compromised thousands of internet-connected devices, including SOHO routers, firewalls, NAS devices and IoT devices. That advisory said Integrity Technology Group controlled a botnet that had been active since mid-2021 and regularly held between tens and hundreds of thousands of compromised devices, reaching more than 260,000 by June 2024 across North America, South America, Europe, Africa, Southeast Asia and Australia.

A later CISA advisory in September 2025 said PRC state-sponsored actors were targeting telecommunications, government, transportation, lodging and military infrastructure worldwide, while also using compromised devices and trusted connections to pivot into other networks, often modifying routers to maintain access. The agencies’ message now is clear: perimeter defences are not enough. Organisations need to inventory exposed devices, tighten patching, monitor unusual outbound traffic and treat routers and smart devices as part of the attack surface, not as background equipment.

