The Rise of Operational Relay Boxes: The New Frontier in Cyber Obfuscation


What’s an operational relay box, and how does it affect your corporate cybersecurity? Attackers are finding new ways to cover their tracks, making life harder for defenders in the cybersecurity field. Much of what we know about these evolving tactics comes from the 2025 cybersecurity report by Schwarz Digits, which highlights that one of the more sophisticated methods gaining traction is the use of Operational Relay Boxes, or ORBs. These are not purpose-built appliances, but rather a network of compromised consumer-grade devices, including IoT devices, home routers, and Wi-Fi systems. Attackers leverage this network to create a complex web that anonymizes their traffic, making it incredibly difficult to trace cyber operations back to their source.


This evolution in attacker methodology comes at a time when the stakes have never been higher. Ransomware attacks surged by 33 percent worldwide between July 2023 and June 2024. The economic toll is staggering, with cybercrime causing damages of around 179 billion euros in Germany alone in 2024. As attackers refine their techniques with tools like ORBs, understanding how they work is the first step toward building a more resilient defense.

What are operational relay boxes, and how do they work?

At its core, an Operational Relay Box is a compromised device that acts as a hop point for an attacker’s internet traffic. Instead of launching an attack directly from their own servers, a threat actor routes their connection through a chain of these ORBs. Each “hop” further obscures the origin, making attribution a nightmare for digital forensics experts.

(Chart) Share of organizations worldwide using AI as part of their cybersecurity strategy as of April 2024, by use areas (Image: Statista)

The power of ORBs lies in their numbers and diversity. Attackers target everyday devices that are often poorly secured and rarely monitored. Think about smart home hubs, security cameras, and the default router provided by your internet service provider. Many of these devices ship with weak default passwords, receive infrequent firmware updates, and carry known security vulnerabilities that remain unpatched.

Sophisticated threat actors have increasingly adopted commercial ORB networks. The nodes in these networks are often active for less than 31 days, making long-term tracking nearly impossible. By compromising a vast array of these systems globally, attackers build a disposable infrastructure that provides a significant layer of anonymity. The report also notes that even intelligence agencies, such as those of the Five Eyes alliance, have been found to identify and co-opt vulnerable machines for their own networks, underscoring the strategic value of this technique.

The broader impact on the cybersecurity landscape

The use of ORBs is not happening in a vacuum. It is part of a larger, more complex threat ecosystem that is being supercharged by other technological and geopolitical trends. The rise of ORBs makes different forms of cybercrime more effective and harder to stop.

Fueling ransomware and multi-layered extortion

Ransomware remains a dominant threat, and ORBs make these campaigns more difficult to shut down. In the first half of 2024, a staggering 83 percent of German companies were victims of a ransomware attack. When attackers can hide their command-and-control servers behind a global network of compromised routers, their operations become more resilient. Even if one part of their infrastructure is taken down, they can quickly pivot to another, ensuring their malware campaigns continue uninterrupted. This was tragically illustrated in early 2025 by a ransomware attack on the Slovakian land registry, which caused nationwide disruptions to the real estate market.

The AI double-edged sword

Artificial intelligence is another critical factor. The industry analysis points out that generative AI lowers the entry barriers for attackers, enabling them to launch large-scale, highly convincing phishing and social engineering attacks. By 2027, generative AI is expected to be involved in approximately 17 percent of all cyberattacks. When combined with the anonymity of ORBs, AI-driven attacks become even more potent. An attacker can use AI to craft thousands of unique phishing emails and then distribute them through an ORB network, making the campaign appear to come from countless different sources.


On the flip side, AI is also a powerful defensive tool. Companies that use AI and automation for security save an average of $2.22 million per incident. AI can help detect anomalies and patterns that might indicate an ORB is being used, but it’s a constant cat-and-mouse game between offensive and defensive capabilities.

Exploiting supply chain and vendor weaknesses

The security of any organization is only as strong as its weakest link, and that weak link is often in the supply chain. Further data reveals that only one in two smaller companies regularly checks the cybersecurity of its suppliers. This oversight creates a massive attack surface. Attackers can compromise a less secure vendor and then use that access to pivot into their true target.

(Chart) Main cybersecurity objectives of companies worldwide in 2025 (Image: Statista)

This problem is compounded by vendor lock-in and a lack of interoperability. The average company uses up to 83 different security products from 29 different providers. This complexity can create security gaps. When products fail to communicate effectively, it’s easier for sophisticated techniques, such as ORB-based attacks, to slip through the cracks. For example, attackers targeted Sophos firewalls in “Operation Pacific Rim”, showing that even trusted security hardware can become a gateway for intruders.

Defending against an obscured threat

Combating threats hidden by Operational Relay Boxes requires a multi-faceted and proactive approach. Because these attacks leverage fundamental weaknesses in the global internet infrastructure, there is no single silver bullet.

First, organizations must adopt a Zero-Trust security model. This means assuming that no user or device is trustworthy by default, whether inside or outside the network. Continuous verification is essential. This mindset helps mitigate the risk of an attacker moving laterally through a network after gaining initial access via a compromised device.

Second, bolstering the security of all connected devices is paramount. This includes implementing strong password policies, ensuring timely firmware updates, and segmenting networks to isolate IoT devices from critical systems. For hardware and software manufacturers, the principles of Security-by-Design and Security-by-Default are non-negotiable. Building security into products from the start is far more effective than trying to add it on later.

(Video) Understanding the ORBs: PRC Actors, Obfuscation Networks, and the Coming IOC Extinction (YouTube)

Finally, enhanced threat intelligence and collaboration are key. Sharing information about new attack patterns, compromised IP addresses, and emerging techniques allows the security community to build a more comprehensive defense. Government and private sector cooperation is crucial for identifying and dismantling the networks that attackers use to develop their ORBs.
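The short node lifetime described earlier and the sharing of compromised IP addresses mentioned here pull in opposite directions: an ORB indicator that is weeks old may already point at an innocent home connection. As an added example (not from the article or the Schwarz Digits report), this Python script matches firewall log lines against a shared indicator feed and scores each hit by the indicator's age, using the 31-day figure as an assumed freshness threshold; the feed and log lines are constructed with documentation-range addresses.

```python
from datetime import date, datetime

# The article reports ORB nodes are often active for less than 31 days, so an
# IP indicator older than that has likely been reassigned to an uninvolved
# home user. Using it as the freshness cut-off is an assumption of this example.
ORB_MAX_AGE_DAYS = 31

# Constructed sample threat-intel feed: indicator IP -> date first reported.
# Addresses come from RFC 5737 documentation ranges, not real ORB nodes.
FEED = {
    "203.0.113.7": date(2025, 1, 3),
    "198.51.100.42": date(2025, 2, 20),
    "192.0.2.99": date(2025, 2, 26),
}

# Constructed sample firewall log lines (key=value fields after the action).
LOG_LINES = [
    "2025-03-01T08:12:04Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2025-03-01T08:13:11Z ALLOW src=198.51.100.42 dst=10.0.0.5 dport=443",
    "2025-03-01T08:14:52Z ALLOW src=192.0.2.99 dst=10.0.0.8 dport=22",
    "2025-03-01T08:15:30Z ALLOW src=192.0.2.200 dst=10.0.0.8 dport=22",
]

def parse_line(line):
    """Split one log line into (event_date, dict of key=value fields)."""
    stamp, _action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    event_date = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()
    return event_date, fields

def match_indicators(log_lines, feed, max_age_days=ORB_MAX_AGE_DAYS):
    """Return one dict per log line whose source IP is in the feed, with the
    indicator's age at event time and a confidence derived from that age."""
    hits = []
    for line in log_lines:
        event_date, fields = parse_line(line)
        first_seen = feed.get(fields["src"])
        if first_seen is None:
            continue
        age = (event_date - first_seen).days
        # Fresh hits justify an automatic block; stale ones only merit analyst
        # review, because the device may have left the relay network long ago.
        hits.append({"src": fields["src"], "dst": fields["dst"], "age_days": age,
                     "confidence": "high" if age <= max_age_days else "low"})
    return hits

if __name__ == "__main__":
    for h in match_indicators(LOG_LINES, FEED):
        print(f"{h['src']:>15} -> {h['dst']}  age={h['age_days']:>3}d  {h['confidence']}")
```

Run against the sample data, the first hit is 57 days old and scored low, while the two recent ones are scored high; the fourth line matches nothing and is ignored.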

As cyber threats continue to evolve, so too must our defenses. These insights make it clear that attackers are becoming increasingly sophisticated, leveraging techniques such as Operational Relay Boxes to achieve their goals with greater anonymity. Staying ahead requires not just advanced technology but a strategic, informed, and collaborative approach to cybersecurity.

Photo credit: The feature image is symbolic and has been done by Julian Tay.
Source: The referenced report is gated by the authoring company, and users must enter their personal data to download the PDF. If you would like to go ahead, you can find the report linked in this LinkedIn post.

Christopher Isak (https://techacute.com)
Hi there and thanks for reading my article! I'm Chris the founder of TechAcute. I write about technology news and share experiences from my life in the enterprise world. Drop by on Twitter and say 'hi' sometime. ;)