[bombcar]

Imagine there’s a router on the WAN.

Now imagine that router does things to your packets.

If they’re not encrypted how do you know?

[pcdoodle]

You mean the clients router being compromised or somewhere past that?

[__d]

If you're able to intercept traffic anywhere in the path between the two parties, interception and hijacking is trivial. So yes, client LAN, server LAN, transit link, or any router on the path. And there's a bunch of routers, switches, etc, on that path, all of which have firmware that can be exploited ...

If you're not able to directly intercept the traffic, you can generally spoof the source address, but getting a copy of the return packets (other than on the client's local network) is also possible if you can inject a bogus route, for instance.

The only reason this doesn't happen a lot more than it does is that most valuable stuff uses TLS/SSL.

[bombcar]

Anywhere in between. Do a trace route to hacker news or something - it’ll be 10-20 hops, only two of which are the local routers at the endpoints.