Router Sabotage Exposed: Clear Evidence of Targeted Attacks via TR-069 on Equibit Founder’s Network

  • Post last modified: May 11, 2026

In the ongoing campaign of digital harassment and sabotage documented by Chris Horlacher, one of the most technical and intrusive episodes involves repeated compromises of his home routers in Mexico. These incidents directly affected Chris Horlacher’s ability to work, communicate securely, and access the internet—targeting only specific devices while sparing others on the same network.

This pattern aligns with advanced persistent threats, often linked to state-level or ISP-enabled capabilities.

Background: Part of a Broader Pattern

After fleeing Canada due to chronic digital intrusions and other events that he believed stemmed from the lawsuits he had just filed, Chris continued to face disruptions. VPN instability, selective device blocking, and unexplained connectivity issues prompted deeper investigation. Factory resets provided temporary relief, but problems returned rapidly—classic behavior of persistent malware or remote management exploits.

The Attacks: Huawei HG8145V5V3 and ZTE F670L Routers

Key Anomalies Observed:

  • 1981 Timestamps: Multiple log entries show dates like 1981-01-01. This is a strong indicator of Real-Time Clock (RTC) reset or deliberate log tampering/manipulation, often seen when firmware is altered or during boot-level interference. Security analysis reports explicitly flag these as “Backdated logs to 1981 (RTC reset or tampering).”
  • Custom Firewall Rules & Selective Blocking: Firewall settings changed to “user defined.” Specific devices (Chris’s and his wife’s) lost internet access while others worked, consistent with targeted rules or a Remote Access Trojan (RAT).
  • Rapid Re-infection Post-Reset: Issues returned within hours, even on a replacement router from the ISP (Telmex).

From the ZTE Log (August 2025, post-reset):

2025-08-04T16:16:01Z [Error] |dnsmasq| bind interface socket failed 99
2025-08-04T16:16:01Z [Error] !!!!!![high Alert for send msg in POWERON]...
[Warning] RunPCB process[omci] Event[0x3e81]...

High-priority OMCI/GPON messages immediately after boot, IPv6 route injections before full WAN negotiation, and MultiAPD errors point to remote provisioning activity.

From Huawei Logs (July 2025):

Numerous 1981-01-01 entries alongside PPPoE renegotiations, deprecated SSL methods, and DHCP NAKs (potential MAC spoofing or rogue activity). Frequent PPPoE sessions suggest possible DoS or disruption attempts.
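
A way to triage the backdated entries described above, added here as an example and not taken from the analysis reports or the original logs. It assumes the ZTE line format quoted earlier, treats a contiguous run of pre-2000 dates as the clock not yet being set after a boot (an assumption of this example), and separately flags real-dated entries that go backwards in time. The sample lines and the names triage and floor_year are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the line format quoted from the ZTE log.
# Only line 4 repeats text from the page; the rest are placeholders.
SAMPLE = [
    "1981-01-01T00:00:07Z [Notice] |sample| boot message A",
    "[Warning] sample line with no timestamp",
    "1981-01-01T00:00:21Z [Notice] |sample| boot message B",
    "2025-08-04T16:16:01Z [Error] |dnsmasq| bind interface socket failed 99",
    "2025-08-04T16:20:44Z [Notice] |sample| event C",
    "2025-08-04T16:19:10Z [Notice] |sample| event D",
    "1981-01-01T00:00:05Z [Notice] |sample| boot message A",
    "2025-08-04T18:02:30Z [Notice] |sample| event E",
]

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(.*)$")

def triage(lines, floor_year=2000):
    """Separate clock-unset runs from real-dated entries that go backwards."""
    report = {"clock_unset_runs": [], "order_violations": [], "untimed": 0}
    last_real = None   # latest plausible timestamp seen so far
    run = None         # [first_line, last_line] of the current backdated run
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            # Lines without a timestamp cannot be ordered; count them only.
            report["untimed"] += 1
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if ts.year < floor_year:
            # Date earlier than the device could have logged: clock not set.
            if run is None:
                run = [n, n]
                report["clock_unset_runs"].append(run)
            run[1] = n
            continue
        run = None
        if last_real and ts < last_real:
            # A real-dated entry older than its predecessor needs a closer look.
            report["order_violations"].append((n, line))
        last_real = max(last_real, ts) if last_real else ts
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each clock-unset run marks one restart in the capture, so the count of runs can be compared against the reboots and resets the owner actually performed.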

Expert Security Analysis

Independent analysis by a professional (using SIEM-style detection) on both routers confirmed:

  • TR-069/OMCI remote provisioning activity.
  • Backdated logs and tampering indicators.
  • Potential RAT presence and DoS patterns.
  • Recommendations: Replace/reflash router, disable TR-069, scan devices, and isolate vulnerable hardware (e.g., older Smart TV).

Huawei Router Analysis Report

ZTE Router Analysis Report

TR-069 (CWMP) Vulnerabilities: This Broadband Forum protocol enables ISPs to remotely manage Customer Premises Equipment (CPE) like routers via an Auto-Configuration Server (ACS), often over port 7547. While intended for legitimate management, it is notoriously exploitable. Compromised ACS servers or weak implementations allow attackers full remote control, DNS redirection, firmware backdoors, and persistent access. It has been weaponized in botnets (e.g., Mirai variants) and enables exactly the selective targeting and re-infection seen here. Many ISPs do not allow users to fully disable it.

Video Evidence: Router Investigations

Watch Chris document the issues in real time:

Part 1: Initial router access and strange behavior.

Part 2: Firewall changes, selective blocking, and admin interface interference.

Part 3: Factory reset, log downloads, and post-reset observations.

Part 4 (Short): Post-reset functionality vs. actual device connectivity failure.

Implications

These attacks go beyond typical criminal hacking. The precision (device-specific blocking), persistence across hardware swaps, use of ISP-managed protocols, and alignment with other documented sabotage (e.g., Microsoft OneDrive tampering, email spoofing, bank disruptions) point to sophisticated actors with significant resources—potentially leveraging intelligence or ISP cooperation.

Combined with the broader evidence in the Factum (honeypot hits from government networks, Keybase anomalies, etc.), this leaves little doubt that Chris Horlacher’s infrastructure was under targeted surveillance and disruption.

What You Can Do:

  • Demand transparency from ISPs on remote management (TR-069/OMCI).
  • Support calls for accountability in intelligence oversight.
  • Share this post—stories like this highlight risks to innovators and due process.

Full logs and analysis reports (Huawei and ZTE PDFs) are available for review upon request for credible researchers/journalists.

This is not paranoia. This is documented technical evidence of invasive digital warfare against a Canadian entrepreneur and litigant, across national boundaries, violating the property of a foreign ISP.

Stay tuned for more updates on the Equibit lawsuits against CSIS and related actors.
