Could the next fight over AI datacenters be shaped as much by fake accounts and compromised routers as by power prices and local politics?

1,500 Hacked Routers Drag AI Datacenters Into Spy War
XOOMAR Intelligence
Analyst Take
That’s the uncomfortable question raised by a set of reports described by The Register Security: China-linked operators are allegedly rebuilding botnet capacity, using ChatGPT for covert influence content, and running fake consulting sites to solicit sensitive information from US targets. The reports don’t prove one coordinated master campaign. They do show a familiar pattern: technical access, narrative testing, and human recruitment running in parallel.
XOOMAR’s read: the AI infrastructure debate is now a useful target because it mixes real public concerns with strategic value. Electricity demand, household costs, datacenter buildout, and national security are already contested. Foreign influence operators don’t need to invent the argument. They only need to push on the loudest fault lines.
How much did the Volt Typhoon takedown really disrupt?
The FBI said in January 2024 that it killed Volt Typhoon’s KV-botnet, a covert network made up of hundreds of end-of-life routers and other internet-connected devices. At the time, that botnet had four clusters. The KV cluster was mainly used as a covert data transfer network, while the JDY cluster handled scanning and reconnaissance.
That matters because takedowns often remove infrastructure without removing the underlying supply of vulnerable devices. Lumen’s Black Lotus Labs now says the KV cluster became largely defunct after law enforcement action, but JDY remains active and has surged to more than 1,500 compromised routers and IoT devices.
“Analysis of this activity shows a clear focus on identifying vulnerable infrastructure shortly after public vulnerability disclosures, suggesting that reconnaissance output is rapidly operationalized by China-nexus advanced persistent threat (APT) actors,” Black Lotus Labs wrote.
The same report said this focus has appeared across sectors, with “the US military and associated entities as the most prominent.”
That is not random botnet noise. XOOMAR analysis: a cluster that survives disruption and keeps scanning after public vulnerability disclosures points to operational discipline. It also shows why routers, cameras, and edge devices remain attractive. They’re widely deployed, poorly monitored, and often left running long after support ends.
Why are old routers still such valuable intelligence infrastructure?
A compromised edge device is useful because it doesn’t look like a foreign intelligence platform. It looks like a router. Or a camera. Or a forgotten box in a small office.
That gives operators three advantages:
- Cover: Traffic can be proxied through ordinary-looking infrastructure.
- Reach: Compromised devices sit close to real users, businesses, and networks.
- Persistence: Owners often don’t know the device is exposed, unsupported, or already compromised.
The Register’s source material says the JDY cluster is being used for scanning and reconnaissance. It does not say every compromised device was used for destructive activity. But Volt Typhoon’s earlier use of covert device networks to burrow into critical US networks and preposition for future destructive attacks is the reason defenders treat this activity as more than nuisance malware.
For enterprises, the recommendation is direct: implement CISA and NCSC guidance for mitigating Volt Typhoon activity and defending against China-nexus covert networks of compromised devices.
| Activity described in reports | Tool or channel | Reported target or theme |
|---|---|---|
| Botnet resurgence | Compromised routers and IoT devices | Vulnerable infrastructure, with US military and associated entities prominent |
| Influence content | ChatGPT-generated posts and images | AI datacenters, electricity demand, higher costs |
| Recruitment operation | Fake consulting websites and job listings | Current and former security-clearance holders |
Why did OpenAI accounts focus on AI power costs?
Because the debate already existed.
OpenAI said it banned ChatGPT accounts likely originating from China after they used its models to generate content for covert operations about American AI. One cluster generated social media content and images claiming datacenters and AI applications were increasing electricity demand and raising costs for ordinary Americans.
The operators asked ChatGPT for comic strips about a power grid operator’s capacity auction prices, based on reporting from a legitimate regional paper. They pushed comments that framed rising capacity prices as a consequence of peak electricity demand, with the new demand coming from datacenters and AI applications, and costs passed to households.
Those comments and images were then posted on X, likely using fake accounts, with links to real news stories about datacenters.
“This was not a case of an influence operation creating a debate,” Ben Nimmo, principal investigator on OpenAI’s Intelligence and Investigations team, told reporters. “The debate existed already. This was an influence operation from China trying to interfere in it. We didn't see any signs that they succeeded.”
That quote is the center of the story. The reported campaign failed to gain much authentic engagement. But failure does not make it irrelevant. It shows the narratives being tested: AI buildout, power demand, capacity prices, and household costs.
Why does failed influence still matter to AI infrastructure companies?
Because low engagement today doesn’t mean low risk tomorrow.
OpenAI said neither of the two China-origin clusters appeared to gain much authentic engagement. The second cluster used ChatGPT to write comments and draw political cartoons criticizing US tech policies and tariffs. Nimmo said the operators specified that the content should not include cartoons of Xi Jinping and should only include President Trump.
The accounts wrote prompts in simplified Chinese, used VPNs to access AI systems, and also used ChatGPT to edit work reports and help design social media monitoring systems. In February, OpenAI said it banned ChatGPT accounts believed to be linked to Chinese government entities attempting to use AI models to surveil individuals and social media accounts.
XOOMAR analysis: AI companies and datacenter operators should treat public trust as part of infrastructure risk. If foreign operators are testing narratives around electricity costs, then project sponsors need clearer local communication on power demand and cost exposure. Not because every critic is foreign-linked. Because legitimate concerns are easier to manipulate when official answers are vague.
This also connects to a wider AI control problem we’ve tracked in AI Agents Can Pay Each Other. Mastercard Wants the Toll: once AI systems act across economic workflows, abuse controls become business infrastructure, not a trust-and-safety side function.
Why target security-clearance holders through fake consulting jobs?
Because people remain the softest interface.
The US Justice Department said Wednesday that it obtained a warrant for and seized 13 fake consulting company websites allegedly used to target US persons, including current and former security-clearance holders with access to classified and sensitive government information. The domains included centrikglobalconsulting.com, rightinfoconsult.com, finnaclevesperconsulting.com, and others listed in the court documents.
Since November 2023, the sites and related job postings on social media, LinkedIn, and other hiring platforms advertised “consulting” jobs, including “Senior Analyst” and “International Affairs Consultant” roles.
Court documents allege suspected PRC operatives used the sites and listings to recruit applicants and bribe them for sensitive information.
“The conspirators have encouraged applicants and recruits to share confidential and sensitive information in violation of their official duties and of particular interest to the People's Republic of China (PRC) government,” according to the court documents.
The alleged payments used online accounts in fictitious names and cryptocurrency to hide identities and payment sources. The lesson is blunt: a polished job post can be part of an intelligence collection pipeline.
For individuals, basic compartmentalization matters. Separate identities, controlled contact points, and better inbox hygiene reduce exposure. Our guide to email alias services that stop spam before it finds you is relevant here because recruiting scams often begin with ordinary-looking outreach.
Which decisions now fall on CISOs, cloud firms, utilities, and residents?
Each group sees a different threat.
CISOs see stealth infrastructure, reconnaissance, and credential risk. Cloud providers and AI companies see trust risk around datacenter projects. Utilities see the politics of demand and capacity pricing becoming harder to explain when fake accounts amplify selective claims. Residents see a simpler question: who pays when AI infrastructure raises local cost concerns?
Government agencies face their own tradeoff. Botnet disruptions and foreign-influence warnings require enough public detail to drive action, but not so much that investigators burn methods or sources. That tension won’t disappear.
Hardware vendors also sit in the frame. The source material centers on end-of-life routers and IoT devices. XOOMAR analysis: if unsupported devices keep becoming hostile infrastructure, pressure will grow for longer update windows, secure-by-default settings, and clearer end-of-support handling.
Which evidence would show this is getting worse?
Three signals matter.
First, more reports that rebuilt botnet clusters are rapidly exploiting newly disclosed vulnerabilities. Second, influence campaigns that move beyond low-engagement posting and begin drawing authentic interaction around AI datacenter power costs. Third, more recruitment schemes that blend fake employers, social platforms, AI-generated material, and cryptocurrency payments.
For operators and investors, the practical response is not exotic. Replace end-of-life routers. Patch internet-facing devices. Disable unnecessary remote access. Segment networks. Monitor odd traffic from edge equipment. Demand stronger update policies from vendors.
For AI infrastructure sponsors, cyber resilience and community credibility now belong in the same rollout plan. Evidence that would weaken this thesis would be sustained disruption of China-linked covert device networks, fewer exposed end-of-life devices, and failed influence operations that remain isolated experiments. Evidence that would confirm it would be JDY-style resurgence paired with more attempts to hijack live AI infrastructure debates.
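The operator checklist above (replace end-of-life routers, watch for odd traffic from edge equipment) can be turned into a small triage pass over an asset inventory and flow records. The script below is an added example, not code from XOOMAR, Lumen or any of the reports cited; the inventory, addresses, allowlist and flow records are constructed for illustration, and the thresholds (60-second window, eight distinct targets) are arbitrary starting points that a real deployment would tune. It flags three things the article's sections describe: edge devices that are past end of life, edge devices talking to destinations outside their expected set (a covert relay would look like this), and edge devices that fan out to many hosts in a short window, which is the JDY-style scanning pattern.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    kind: str           # "router", "camera", "server", ...
    end_of_life: bool   # vendor no longer ships security updates


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int


EDGE_KINDS = {"router", "camera"}

# Constructed inventory; hypothetical addresses.
INVENTORY = [
    Asset("10.0.0.1", "router", True),
    Asset("10.0.0.2", "camera", False),
    Asset("10.0.0.10", "server", False),
]

# Hypothetical destinations an edge device may legitimately reach
# (e.g. vendor update host, NTP). Anything else is worth a look.
ALLOWED_EDGE_DESTINATIONS = {"203.0.113.10", "203.0.113.20"}

# Constructed flow records covering benign, relay-like and scan-like behaviour.
FLOWS = [
    Flow(1000, "10.0.0.1", "203.0.113.10", 443),      # router: routine update check
    Flow(1001, "10.0.0.1", "198.51.100.7", 443),      # router: unexpected egress
    Flow(1002, "10.0.0.10", "198.51.100.9", 443),     # server: not an edge device, ignored
] + [
    # camera sweeping ten hosts on port 22 within ten seconds: scan-like fan-out
    Flow(2000 + i, "10.0.0.2", f"198.51.100.{i + 1}", 22) for i in range(10)
]


def edge_ips(inventory):
    return {a.ip for a in inventory if a.kind in EDGE_KINDS}


def find_end_of_life_edge_devices(inventory):
    """Edge devices that should be replaced rather than patched."""
    return sorted(a.ip for a in inventory if a.kind in EDGE_KINDS and a.end_of_life)


def find_unexpected_edge_egress(inventory, flows, allowed):
    """Distinct (src, dst) pairs where an edge device reaches a non-allowlisted host."""
    edges = edge_ips(inventory)
    pairs = []
    seen = set()
    for f in flows:
        if f.src in edges and f.dst not in allowed and (f.src, f.dst) not in seen:
            seen.add((f.src, f.dst))
            pairs.append((f.src, f.dst))
    return pairs


def find_scanning_edge_devices(inventory, flows, window=60, min_targets=8):
    """Edge devices contacting >= min_targets distinct hosts inside any `window` seconds.

    Returns {src_ip: peak distinct-target count}. Uses a sliding window over
    flows sorted by timestamp, so bursts straddling bucket boundaries are caught.
    """
    edges = edge_ips(inventory)
    by_src = defaultdict(list)
    for f in flows:
        if f.src in edges:
            by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()
        left = 0
        for f in fl:
            in_window[f.dst] += 1
            while fl[left].ts < f.ts - window:      # evict flows older than the window
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                findings[src] = max(findings.get(src, 0), len(in_window))
    return findings


def run_report(inventory=INVENTORY, flows=FLOWS, allowed=ALLOWED_EDGE_DESTINATIONS):
    return {
        "end_of_life": find_end_of_life_edge_devices(inventory),
        "unexpected_egress": find_unexpected_edge_egress(inventory, flows, allowed),
        "scanning": find_scanning_edge_devices(inventory, flows),
    }


if __name__ == "__main__":
    for name, result in run_report().items():
        print(f"{name}: {result}")
```

Feeding real data means mapping your NetFlow/IPFIX or firewall export into `Flow` records and your CMDB into `Asset` records; the three checks then run unchanged. The egress check depends entirely on how tight the allowlist is, so build it from what each device class actually needs (update servers, NTP, the management VLAN) rather than from what the device has historically done.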
The Stakes
- Foreign influence efforts can amplify real disputes around AI datacenters without inventing new controversies.
- Botnet rebuilding suggests infrastructure takedowns may slow adversaries but not eliminate their access to vulnerable devices.
- The overlap of cyber operations, AI-generated content, and fake outreach raises risks for public debate and sensitive US targets.
Volt Typhoon Botnet Clusters
| Cluster | Reported role | Current status |
|---|---|---|
| KV | Covert data transfer network | Largely defunct after FBI action |
| JDY | Scanning and reconnaissance | Still active and reportedly above 1,500 compromised routers and IoT devices |
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.