
Dutch police and the NCSC have dismantled a 17-million-device botnet. The operation seized over 200 servers linked to a residential proxy service used for fraud.
On May 28, 2026, Dutch authorities announced that they had dismantled a massive botnet comprising at least 17 million compromised devices worldwide. The operation was a collaborative effort between the Dutch National Police, specifically the Police Unit The Hague, and the National Cyber Security Centre (NCSC-NL).
The Scope of the Operation
The investigation targeted a command-and-control infrastructure that utilized compromised hardware—including personal computers, smartphones, tablets, and IoT devices—to facilitate illicit activities. By turning these consumer devices into proxy nodes, cybercriminals were able to route malicious traffic, such as phishing campaigns, distributed denial-of-service (DDoS) attacks, and various forms of online fraud, through the IP addresses of unsuspecting victims.
Authorities identified over 200 servers physically hosted in the Netherlands that served as the core backend of the botnet. The takedown was carried out by seizing these servers directly from a local hosting provider. Upon confirming the criminal nature of the infrastructure, the provider assisted in taking the remainder of the network offline, effectively neutralizing the service.
Attribution and Technical Context
While official statements from the Dutch authorities did not name the specific service involved, industry reporting and local media have identified the infrastructure as Asocks, a residential proxy service. This type of network relies on proxyware—malicious code embedded in software—that turns legitimate consumer hardware into a conduit for criminal traffic without the device owner's knowledge or consent.
The operation was initiated following a tip provided by an unnamed security researcher, which led to the identification and subsequent seizure of the backend infrastructure.
Frequently Asked Questions
What devices were affected by this botnet?
The botnet compromised a wide range of consumer hardware, including computers, smartphones, tablets, routers, and various other Internet of Things (IoT) devices.
How was the proxy service used by criminals?
The infrastructure functioned as a residential proxy service, allowing malicious actors to hide their true origin by routing cyberattacks, such as phishing and DDoS, through the IP addresses of the 17 million infected devices.
What was the role of the Dutch hosting provider?
The hosting provider cooperated with the Dutch National Police by allowing the seizure of servers identified as part of the command-and-control infrastructure and subsequently taking the remaining nodes offline.