Internet Archaeology: A Decade of Defaced Routers?
ID: a83d33a6-7d6f-5c26-afc6-5d2041d32ec4
STIX ID: report--a83d33a6-7d6f-5c26-afc6-5d2041d32ec4
Feed Name: Censys Blog
This report examines ~330 Ubiquiti devices exhibiting persistent “HACKED-ROUTER-HELP” defacement banners (variants dating to 2016). It links the likely causes to default, weak, or reused credentials and to exploitation of an arbitrary file upload vulnerability associated with the MF worm/CVE-2015-9266, and it maps affected hosts by service, country, and ASN. It also notes a 75% reduction in visible defacements from Jan 2022–Aug 2025, but highlights that several hundred potentially long-lived compromises remain, primarily on consumer/residential ISPs.
