Is your router patched? Maybe they hacked your router. Not sure why it would need to assign itself a new IP. Maybe there is a docker container running on the router?
I'm using a UDM Pro, and I had just recently patched. The only container running on the router is unifi-os itself. I keep repeating myself because I want to make sure I can't be missing something, but tcpdump on my desktop is showing the traffic which is why I'm assuming that it's my desktop that is compromised.