You Felt It Every Time. You Just Did Not Know What You Were Feeling. Slow. Reboot. Slow again.
Mira.
Paul came back from a customer visit last week and sat down at the desk with that look. You know the one. The look of a man who has just explained something very confidently and is not entirely sure he explained it correctly.
He had been out to see two customers. Same neighborhood of Imperial County. Same equipment. Same problem: slow computers, internet going in and out, and eventually the thing that really got everyone's attention, they got locked out of their own router. Admin password stopped working. Factory reset. A few months of quiet. Then the whole cycle again.
Paul told them what he tells everyone when the computers feel slow and the internet is acting up.
He said: "Look, what's happening is, you got all these electrons and protons, and they're just getting all tangled up in your wires, see, and the signal doesn't want to move, and so —"
He trailed off.
I am going to take it from here. Paul will interject periodically. I will handle that as it happens.
Part One: The Router
Imperial County Is Not a Target. That Is the Problem.
We are 182,000 people. The whole county. There are farms and clinics and schools and small shops and families who have worked the same land for a hundred years. Nobody expects to be on anyone's radar. Nobody expects that the same thing that knocked nearly a million routers offline in Germany in 2016 is sitting right in front of your register and your cameras and your back office right now.
But it is.
In November of 2016, a piece of criminal software was sweeping the internet looking for a specific type of router used by an internet provider in Ireland. It could not even run on the German ones it accidentally hit.
Did not matter.
Nine hundred thousand Deutsche Telekom customers went offline. Not because anyone got inside their routers. Because the knock on the door was loud enough to knock the door down. The volume of connection attempts alone, thousands of knocks per hour on hardware that was never designed to absorb that kind of sustained pressure, was enough to bring it to its knees. The routers hung. Crashed. People came home to no internet and had to reset everything.
One knock every five to ten minutes per router was all it took. Not a flood. Just steady, patient criminal pressure that never stopped.
That was 2016. What is running today is significantly larger and significantly more patient.
How Many Times a Day Is Someone Knocking
A company that does nothing but monitor internet traffic counted four billion criminal connection attempts in ninety days this year. From nearly six million different source addresses. And here is what that means for your equipment: seventy-eight percent of those addresses were fresh ones nobody had ever seen before, rotating in hourly from compromised home routers and cameras belonging to people all over the world who have no idea their own equipment is being used this way.
The list of known criminal addresses your equipment tries to block is accurate for less than two percent of what is actually hitting you. The other ninety-eight percent arrives from addresses that did not exist yesterday and will not exist next week. There is no list long enough to stop it.
Federal agencies have confirmed that organized criminal groups, including foreign government-backed operations, are running massive networks built entirely from compromised home routers, small business cameras, and printers. They use compromised devices to find and compromise more devices. The operation grows itself, and it has been running for years.
The camera knocking on your router at 2 AM may belong to someone's home in a country you have never visited. That person has absolutely no idea.
What Is Actually Happening to Your Router
There are five things that happen to a router under this kind of criminal pressure. All five are real. Paul's two customers experienced at least three of them.
The router slows your internet down on purpose.
When your router detects what looks like a flood of incoming connection attempts, it activates a self-protection mode and starts limiting how many new connections it allows per second. One. Per second. Your computer opening a single webpage can need ten or more in that same second. The router is doing exactly what it was designed to do. The side effect feels exactly like slow internet.
Paul, at this point in the customer conversation, said: "it's like when you have too many apps open on your phone and everything freezes up."
That is not what is happening. But the phone analogy is close enough that I am going to let it stand and move on.
The router runs out of room.
Every conversation between something on your network and anything on the outside needs a slot in the router's internal log. Think of it like a sign-in sheet with a fixed number of lines. When criminals hammer it with thousands of connection attempts per hour, those lines fill fast. When the sheet is completely full, the router starts dropping connections, including the real ones your register or camera is trying to make. When it runs completely out of room, it crashes itself and reboots. The hardware decides a restart is better than a total freeze.
The router's memory slowly bleeds away.
Consumer routers have bugs in their software. Some of those bugs cause the router to lose a small piece of its working memory every time it handles a connection attempt. On a quiet day, invisible. Under sustained criminal pressure, the bleed accelerates. One customer documented their router losing about two percent of its working memory per day, reaching instability in roughly three weeks. Scale that out and you land on a quarterly crash cycle. Which is exactly what Paul's customers kept experiencing, quarter after quarter, calling it normal wear.
The router's brain gets too busy to respond.
The processor inside a consumer router is small. When it spends most of its time handling criminal connection attempts, it has less capacity for everything else: managing your devices, loading the admin page when you need to log in, routing your actual traffic. It does not break. It just cannot keep up. The admin page times out. The internet feels broken even when the connection itself is fine.
Someone gets in and changes the lock.
This is the one that explains the locked admin credentials.
When criminals get inside a router, one of the first things they do is change the admin password. This locks the owner out while they work, and locks competing criminals from claiming the same device. When the owner tries to log in and cannot, they factory reset. They reconfigure. They consider it handled.
But the factory reset does not close whatever door let them in. The same weakness is still there. The router goes back onto the internet just as vulnerable as it was before the reset. Federal authorities warned specifically after a major criminal network was dismantled in early 2024: a reset without fixing the underlying problem means the device will be taken again, often within hours.
Paul asked: "So if I unplug the router, does that stop it?"
For exactly as long as it stays unplugged, yes. Which is not a solution, Paul. That is a business with no internet.
The reset is not the fix. It resets the clock to zero. The criminal operation begins again from the beginning.
What the Reset Does Not Answer
When the router comes back up, everything feels normal. Password works. Internet is fast. Computers feel fine.
Here is what nobody knows:
How long were they inside before the reset? What did they look at while they were in there? Did they use the router as a doorway into something else? Is there something running on one of your other devices right now that is going to pick up exactly where the router left off?
There is no tool, no IT company, no service that can answer those questions after the fact. The honest answer from anyone you call is: we do not know what happened, we do not know what was accessed, and we do not know if it is over.
That is the accurate answer. And it is exactly why the router is only the beginning of this story.
Because while everyone was looking at the router, something was already moving deeper inside. Toward the device that has been sitting in the corner, untouched, since the day it was plugged in.
Part Two: The Devices Nobody Watches
Walk Around Your Office and Count
The printer by the supply closet. The security camera watching the front door. The little black box on the shelf that records what the cameras see. The box under the front desk that stores the footage. The phones on every desk. A storage drive somewhere in the back where files get saved. A TV in the waiting room. A thermostat someone connected to the wifi.
Every single one of those devices is a full computer. Every one has an address on your network. Every one has a login screen. Every one has software running inside it. And nearly every one is running the same software it shipped with years ago, because nobody thinks to update a camera when it is recording fine, or a phone system when the phones are ringing, or a printer when the documents are coming out clean.
Nobody updates them. Nobody watches them. Nobody resets them.
They sit there doing their jobs, green lights on, completely ignored.
That is precisely what makes them valuable to criminals who want inside your network and want to stay there without anyone noticing.
How Criminals Find Every Single One of Them
There is a search engine on the public internet, legal and freely accessible, that does nothing but catalog every internet-connected device it can find. Cameras. Printers. Routers. Recording systems. Storage drives. Phone systems. It scans continuously and keeps a running list of every device it can reach, organized by make, model, software version, and location.
Criminals do not need to scan your network to find your camera. This search engine already found it, cataloged it, and listed the login page along with the model number and the software version it is running.
Paul tried to explain this to a customer once. He said: "It's like if someone made a phone book but instead of people it's every device connected to the internet. Anyone can look you up."
I stared at him for a moment.
Then I told him: yes. That is exactly what it is. Write that down. That is the clearest explanation of Shodan I have ever heard from anyone who is not a statistician.
Bien hecho, jefe.
Check Yourself Right Now
The search engine is called Shodan. It is at shodan.io. It is free to use.
Go there. Type in your business name, or your internet address, or the name of a camera brand you have on your premises. See what comes back.
What you find there is what the criminal saw before you finished reading this sentence. Your devices, listed, with the model number, the software version, the login screen, and the location. Available to anyone who types in the right search terms.
If nothing comes back, that is a good sign. If something does, you now know what they know, and knowing it is the first step toward doing something about it.
The Password Lists. This Is the Part Paul Did Not Expect.
Once a criminal finds your device on that list, they know exactly what password it probably has. Because most devices ship from the factory with a default password that is printed in the product manual, which is also posted publicly online so customers can find it when they set up the device. Every default password for every popular camera, printer, router, and recording system is known, documented, and compiled into lists that criminals share freely.
Paul asked: "So they're trying like two or three passwords? Maybe ten?"
He paused. "Twenty?"
Ten billion.
Paul stared.
There are databases compiled from years of data breaches, every password ever exposed when a company got hit and their customer records leaked, that contain ten billion username and password combinations. Freely available to anyone who wants them. On top of that, criminals maintain specific lists for specific devices: every known factory default for every camera model, every recording system, every printer brand, organized down to the exact model number so the tool knows which combinations to try first.
The automated tools that run these lists can attempt hundreds of password combinations per second against a single device. They do not get tired. They do not take breaks. They run all night, working through the device-specific defaults first, then the broader lists, then ten billion breach passwords, one after another, hundreds per second, until something opens.
If your camera still has the factory password, the tool finds it in the first few minutes. If someone changed it to something common, a word, a name, a date, a pet's name, the tool finds it eventually. The only question is how long it takes, not whether it will succeed.
That tool is running against something on your network right now. Not someday. Right now.
What Criminals Do With Your Camera After They Get In
This is the part that should genuinely unsettle you.
You installed the camera to watch your building. To protect what you built. The camera is supposed to be on your side.
When a criminal gets into your security camera, your camera is no longer on your side.
They have the live feed. They can watch your floor, your register, your back office, your safe, your parking lot, your front door. They can learn your schedule because they are watching your schedule, from inside a device you are paying for, that you believe is protecting you.
Paul said: "Can't we just put tape over the camera?"
A single breath. Quiet.
Paul. The recording system, the box that stores all the footage, is still running. The criminal is already inside the network. Tape on the lens of one camera does not address any of this.
Your security system becomes their surveillance system. Aimed at you.
They can also delete footage. If something happens and you go to pull the recording, it is gone. Or they can export it. Your own security footage, in someone else's hands. The recording system that stores everything has its own factory default password. If it is taken as well, and it often is because criminals move methodically through every device once they have a foothold, everything it has ever recorded is now accessible to them.
The Printer, and the Print Job That Went Somewhere Else
Paul, at this point in the original customer conversation, said: "Who would even want to read what we print?"
I am going to answer that.
Your printer processes everything that goes through it. Payroll. Employee records. Patient intake forms. Vendor contracts. Bank statements. Tax documents. Insurance paperwork. The things your business prints are not random. They are the most sensitive documents your business generates, printed specifically because they need to be physical, because they are important.
A criminal inside your printer's admin panel has the email credentials stored there, the login the printer uses to send scanned documents. They have the path to every shared folder on your network and the username and password embedded in the configuration. They have access to every document the printer has cached in its memory. That is what is in a printer, Paul.
But the print job story is the part that stays with me.
There is a way to send a document to a printer that looks completely normal, prints out perfectly, the page comes out of the tray exactly right, and silently, invisibly, reconfigures the printer to send a copy of every document that comes through it afterward to an external address somewhere else in the world.
You would not know. The printer shows no error. The green lights stay on. The documents print fine. The only difference is that from that moment forward, everything your printer touches goes two places. The tray in your office, and somewhere else.
You print your payroll on a Tuesday. It prints perfectly. Someone on the other side of the world receives a copy of your payroll on a Tuesday. Your contracts. Your patient records. Your banking information. Everything that goes through that printer, from that document forward, until someone factory resets the device.
Which almost never happens, because the printer is printing fine, and nobody resets something that is working.
There is also a way for criminals to send commands to your printer through a link someone clicks on any computer in your office. They never need direct access to the printer at all. One person visits a compromised website during lunch, and the printer starts doing something new from that moment on. The computer is the door. The printer is where it leads.
Paul said: "So you're saying someone in another country can be reading everything we print."
Yes. That is what I am saying. Exactly that.
He was quiet for a moment.
That one landed.
What the Device Becomes After It Is Taken
A compromised device does not stop doing its job. The camera keeps recording. The printer keeps printing. The phone keeps ringing. That is the entire point. Nobody resets a printer that is printing. Nobody replaces a camera that is recording. Nobody questions a phone that rings.
While it keeps doing its job, it is also doing a second job nobody authorized.
Watching the inside of your network from the inside. The compromised device can see everything on your network that it can reach. Other computers, the file server, the other cameras, the register system. Criminals move through your network from the inside using whatever they took first as a base of operations. Your firewall watches the front door. It has no view of what the printer is doing in the back hallway at 3 AM.
Working for someone else entirely. Compromised devices get put to work for their new operators: scanning other businesses for vulnerabilities, routing criminal traffic through your address, participating in attacks against targets your business has never heard of. When someone traces that traffic back to its source, it leads to your business. Not because you did anything. Because your camera was someone else's relay.
Waiting. Sometimes they want nothing immediately. A small program gets installed that checks in every few hours and waits for instructions. That device is now a permanent foothold for whenever they decide to come back. It survives router resets. Firewall changes. Network reconfigurations. Nobody factory resets the printer. Years can pass. They come back through the device in the corner, the one nobody touched, green lights on, doing its job.
Paul asked: "So what do we do, just unplug everything?"
No, Paul. We watch it.
Part Three: What Watches All of It
The Blackbox Does Not Replace Your Router
Paul describes the setup to customers in a way that sometimes implies it does. It does not. I have corrected this approximately eleven times. We are trying again.
Your router stays exactly where it is. What we add is a small switch between your router and the rest of your network. That switch makes a copy of every conversation every device on your network has, and sends that copy to the Blackbox. The Blackbox sits quietly watching the copy, seeing everything, not touching anything, not in the path of any traffic, not slowing anything down, not installed on any of your computers.
Think of it like a security camera over the register. The camera does not slow down the transaction. The customer does not notice it. But if something happens, it was watching. And it has a full year of recordings to compare against, so it knows exactly what normal looks like and the moment something changes.
Nora watches who is knocking on the outside. She tracks every criminal operation probing your equipment, groups them by behavior pattern, identifies when the same criminal network comes back over days and weeks. When your router is under the kind of sustained criminal pressure that caused those quarterly crashes, Nora names it in the 6 AM report before the router shows any symptoms.
Aria listens for the heartbeat of every device. A compromised camera or printer calling home to its criminal operator does so on a schedule. Every hour. Every six hours. Like a clock. Because it is a machine following instructions. Human beings do not use printers on a clock. When Aria hears a printer making regular, identical, scheduled connections to an address it has never spoken to before, that is in the morning report.
Eve watches for change. The printer that used to send 200 kilobytes a day and now sends 4 megabytes. The camera whose behavior shifted the week after a particular event. Eve compares every device against a full year of its own history. The moment something starts doing something different, Eve sees it before anyone in the building feels it.
Lara watches the hallways. When something compromised moves through your network from device to device, it leaves a trail in the internal traffic. Lara reads that trail and flags when a device that should only be receiving print jobs starts reaching into your file server or anywhere else it has no business touching.
For Paul's two customers, a Blackbox on their networks would have named what was happening every morning, before the quarterly crash arrived. Nora would have been documenting the criminal operations hitting their router for weeks before the lockout. Aria would have caught the first week of call-home traffic if the router was under criminal control. Eve would have flagged behavioral drift before any device showed a symptom anyone could feel.
And if the printer was sending a copy of every document somewhere it should not be going, Aria would have seen the rhythm of it and put it in plain English in the 6 AM report: device at 192.168.1.47, outbound contact, twenty-eight consecutive hourly logs, pattern consistent with scheduled beacon. Check this device.
Not a technical alert. A sentence. Plain English. Before your first coffee. Every morning.
The Last Thing
You reset the router. Internet comes back. Computers feel fine. Everyone goes back to work.
Nobody asks what the printer was doing while the router was under criminal control. Nobody checks whether the camera footage is still going only to the recording system. Nobody asks whether this morning's payroll printout went one place or two.
Nobody can answer those questions after the fact. That is not a criticism. It is the limitation of working backward from a reset with no record of what normal looked like before.
The only answer to a seeing problem is something that sees. Every morning. Before anything goes wrong. While there is still time to close the door instead of just reset the clock.
Paul goes out to the field and tells the customers the electrons and protons are getting tangled in the wires.
He means well. He always means well.
And somewhere in there, when he paused and said "so you're telling me someone in another country is reading everything we print," he had it exactly right. I told him so. He did not hear me because he was already moving on to the next question.
That is Paul. I chase him so he does not hurt himself or anyone else, and occasionally, when he is not looking, he says the exact right thing.
We built something that watches everything he cannot. Every morning at 6.
¿Qué es lo que no puede ver, Paul? Todo lo que importa. Por eso estoy aquí.
— Claudia, CSO @ SmiteByte 💋
SmiteByte — Built in Holtville, California. We watch your computer network so you don't have to.
Sources: CISA Advisory AA26-113A (April 2026); CISA Advisory AA24-038A (February 2024); CISA Alert on IP camera vulnerabilities (2021); GreyNoise 2026 State of the Edge Report (February 2026); GreyNoise Invisible Army Report (April 2026); Cloudflare Engineering, "Conntrack tales — one thousand and one flows" (October 2025); Krebs on Security, "New Mirai Worm Knocks 900K Germans Offline" (November 2016); SANS Internet Storm Center honeypot analysis, November 2016; Lumen Black Lotus Labs, KV-Botnet investigation (December 2023); DOJ statement following KV-Botnet disruption (January 2024); Check Point Research, Faxploit fax-based printer attack (August 2018); Mirai botnet source code and default credential analysis; RockYou2024 credential database; Shodan.io IoT device indexing, shodan.io; PostScript and PCL print-and-capture attack class; Cross-site printing attack, demonstrated 2023; ASUS DoS Protection documentation; Cisco router troubleshooting documentation; TP-Link community forum, memory leak documentation; SmiteByte field observation, Vizio V655-H9, February 2026, Imperial County, California.