Volt Typhoon's JDY botnet rebuilds on 1,500 EOL routers while China tests AI influence ops on datacenter power costs

Hardware Reporter

Lumen's Black Lotus Labs tracked the JDY reconnaissance cluster climbing past 1,500 compromised routers and IoT devices, surviving the 2024 FBI takedown that gutted the KV cluster. The hardware angle matters: this is a botnet built almost entirely on the end-of-life networking gear sitting in homelabs and small offices, and in the same week OpenAI banned Chinese accounts pushing a narrative that AI datacenters are spiking your power bill.

Three separate disclosures landed on the same Wednesday, and they connect in a way that should bother anyone who runs their own infrastructure. Lumen's Black Lotus Labs reported a resurgence of the JDY cluster tied to Volt Typhoon. OpenAI banned a batch of ChatGPT accounts running influence operations. And the US Justice Department seized 13 fake consulting websites used to bribe security-clearance holders. The thread running through all of it is that the cheap, forgotten, end-of-life hardware in your network closet is the entry point.

Let me start with the part that actually involves boxes you can rack and measure, because that is the part most homelab people can do something about.

The botnet is your old router, specifically

Volt Typhoon's KV-botnet got taken apart by the FBI in January 2024. That network was organized into four clusters: the KV cluster handled covert data transfer, while the JDY cluster handled scanning and reconnaissance. The takedown targeted hundreds of end-of-life routers and internet-connected devices, and it largely killed the KV cluster.

JDY did not die. Black Lotus Labs now counts more than 1,500 compromised routers and IoT devices in the rebuilt JDY cluster. The detail that matters for hardware people is the target profile: these are end-of-life devices, gear the manufacturer stopped patching, the SOHO routers and IP cameras and small-business firewalls that nobody power-cycles, nobody firmware-checks, and nobody decommissions because they still pass packets.

The operational pattern is what makes this efficient. Black Lotus Labs found a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures. In plain terms: a CVE drops for some EOL router model, and the scanning output gets operationalized fast by China-nexus APT actors. The US military and associated entities were the most prominent targets across the observed sectors.

Here is why this is a homelab problem and not just a Pentagon problem. The botnet does not need your hardware to be valuable. It needs your hardware to be forgettable. A residential or small-business IP block hosting a compromised router is exactly the kind of clean, low-suspicion hop point these networks are built from. The covert network exists so that traffic into a sensitive target looks like it came from an ordinary US ISP customer, not from an APT's own infrastructure. Your dusty ISP-supplied gateway running 2019 firmware is the perfect laundering node.

What to actually audit

If you run anything resembling a homelab, the practical takeaway is an inventory pass on the gear you stopped thinking about. A rough triage table:

| Device class | Risk driver | Action |
| --- | --- | --- |
| ISP-supplied gateway/router | Vendor EOL, unpatchable firmware, exposed WAN services | Replace or put behind your own firewall, disable remote management |
| Old SOHO routers repurposed as APs | No firmware updates, default-on UPnP | Reflash with OpenWrt if supported, otherwise retire |
| IP cameras / NVRs | Hardcoded creds, exposed RTSP/HTTP, EOL | VLAN-isolate, block outbound, no internet exposure |
| Consumer NAS exposed to WAN | Forgotten port forwards | Audit forwards, move to VPN-only access |

The single highest-value move is checking what your edge devices are allowed to reach outbound. Botnet command-and-control channels rely on the compromised device phoning home. A router that has no business initiating connections to arbitrary internet hosts should be constrained at the firewall, and on a homelab that is usually a few firewall rules and a VLAN, not a budget line. Both CISA and the UK's NCSC have published Volt Typhoon mitigation guidance, and Black Lotus Labs explicitly recommends enterprises follow it for defending against China-nexus covert device networks. The advice scales down to a home rack cleanly: kill management interfaces on the WAN, segment IoT, log outbound, and retire anything the vendor no longer patches.
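To make the "log outbound" step concrete, here is an added example (not code from the article, Lumen, or Black Lotus Labs): a small Python checker that reads firewall log lines for new outbound flows and flags any device on an IoT/edge VLAN that reaches a destination outside its per-device allowlist. The log line format, the 192.168.50.0/24 segment, and the allowlist entries are assumptions constructed for the example.

```python
# Added example, not from the article: flag IoT/edge-VLAN devices that initiate
# outbound flows to destinations outside a per-device allowlist ("phone-home").
# The log format, subnet and allowlist are assumptions made for this example.
import ipaddress
import re
from collections import Counter

IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT/edge VLAN
# Expected (dst, dport) per device, built from what it actually needs (DNS, NTP,
# a vendor host); any other destination is a phone-home candidate.
ALLOWLIST = {
    "192.168.50.10": {("192.168.1.1", 53), ("192.168.1.1", 123)},  # IP camera
    "192.168.50.20": {("192.168.1.1", 53)},                         # old SOHO AP
}
# Constructed line format: "<ts> OUT-NEW src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT-NEW src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())  # None for lines in some other format
    return m.groupdict() if m else None

def find_phone_home(lines, allowlist=ALLOWLIST, segment=IOT_SEGMENT):
    """Map IoT src -> sorted [(dst, dport, count)] for non-allowlisted flows."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in segment:
            continue  # unparseable, or a host outside the IoT/edge segment
        key = (rec["dst"], int(rec["dport"]))
        if key not in allowlist.get(rec["src"], set()):
            hits[(rec["src"],) + key] += 1
    out = {}
    for (src, dst, dport), n in sorted(hits.items()):
        out.setdefault(src, []).append((dst, dport, n))
    return out

SAMPLE_LOG = [  # constructed sample lines
    "2025-01-01T00:00:01 OUT-NEW src=192.168.50.10 dst=192.168.1.1 proto=udp dport=53",
    "2025-01-01T00:00:02 OUT-NEW src=192.168.50.10 dst=203.0.113.7 proto=tcp dport=443",
    "2025-01-01T00:05:02 OUT-NEW src=192.168.50.10 dst=203.0.113.7 proto=tcp dport=443",
    "2025-01-01T00:00:03 OUT-NEW src=192.168.50.20 dst=192.168.1.1 proto=udp dport=53",
    "2025-01-01T00:00:04 OUT-NEW src=192.168.10.5 dst=198.51.100.9 proto=tcp dport=443",
    "not a firewall line",
]

if __name__ == "__main__":
    print(find_phone_home(SAMPLE_LOG))
```

Run against the sample, only the camera's repeated connections to 203.0.113.7:443 are reported; the allowed DNS lookups and the host outside the IoT segment are ignored, which is the signal you want before deciding whether a device is phoning home or simply needs an allowlist entry.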

There is a power-and-lifecycle argument hiding in here too. The reason these EOL devices stay online is that they sip a few watts and never visibly fail, so there is no trigger to replace them. The honest accounting is that a router with no security support is not a working device, it is a liability that happens to still draw 4 watts. If you measure everything, add unpatched firmware to the columns you measure.

The influence-op twist: blaming AI datacenters for your power bill

The second Wednesday report makes the timing almost funny. OpenAI said it banned ChatGPT accounts likely originating from China that used the company's own models to generate content for covert operations about American AI.

One cluster ran a narrative that datacenters and AI applications are driving up electricity demand and pushing power costs onto ordinary American households. The operators asked ChatGPT for comic strips about a regional power grid operator's capacity auction prices, sourced from a legitimate local paper, framed so that rising capacity prices read as a direct consequence of datacenter and AI demand getting passed to households. They then posted the comments and images to X using what OpenAI believes were fake accounts, with links to real news stories about datacenters. OpenAI suspects the crew is a social-media team at a private Chinese tech company servicing provincial-level government clients.

Ben Nimmo, principal investigator on OpenAI's Intelligence and Investigations team, was blunt about the mechanics: "This was not a case of an influence operation creating a debate. The debate existed already. This was an influence operation from China trying to interfere in it. We didn't see any signs that they succeeded."

That framing is worth sitting with if you follow datacenter power debates, because the underlying technical question is real and worth arguing on the merits. Capacity auction prices in markets like PJM genuinely have climbed, and large compute loads genuinely do affect grid planning. The influence operation worked precisely because it grabbed a true, contested topic and tried to steer it. The lesson for a benchmark-minded reader is the same as always: go to the primary data. Capacity prices, interconnection queues, and load forecasts are public. You do not need a comic strip from a fake X account to tell you whether a datacenter is moving your regional clearing price.

The second banned cluster wrote comments and political cartoons criticizing US tech policy and tariffs, with prompts written in simplified Chinese over VPNs. The operators specified the cartoons should depict President Trump and explicitly should not depict Xi Jinping. Those same accounts also used ChatGPT to edit internal work reports and to help design social media monitoring systems, which echoes a February disclosure where OpenAI banned accounts tied to Chinese government entities trying to use the models to surveil individuals and social media accounts.

Neither campaign gained meaningful authentic engagement, per Nimmo. The value of the disclosure is what it reveals about intent and the narratives being tested, not about any actual sway.

When the malware fails, the bribery still works

The third leg is the low-tech fallback, and it is a useful reminder that not every compromise comes through a CVE. The DOJ obtained a warrant and seized 13 fake consulting company domains used to target US persons, including current and former security-clearance holders. The seized domains include centrikglobalconsulting.com, rightinfoconsult.com, finnaclevesperconsulting.com, cydfconsulting.com, pulsewaveglobal.com, catalystglobalsolutions.com, thehorizzen.com, geoindopacific.com, gpf-ina.org, safesec-group.com, thetruthinfo.com, vandercons.com, and gulfpeace.org.

Since November 2023, those sites and matching job postings on LinkedIn and other hiring platforms advertised "consulting" roles like Senior Analyst and International Affairs Consultant. DOJ alleges suspected PRC operatives used the listings to recruit applicants and pressure them into sharing confidential information from insider sources in violation of their duties, then paid them through accounts under fictitious names and in cryptocurrency to obscure the source. This matches the Five Eyes warnings about unusual LinkedIn approaches, and it persists for the obvious reason: it works.

The connective tissue across all three reports is opportunism at every layer of the stack. Unpatched hardware for the network foothold, commercial AI for the content mill, and an old-fashioned cash-for-secrets recruiting funnel for everything the first two cannot reach. The hardware layer is the one you personally control. You cannot patch the influence operation and you cannot un-tempt a clearance holder, but you can pull the EOL router that turns your IP address into someone else's launch point. That is a measurable, racked, power-budgeted task, and this week is a good week to do it.
