Dutch Authorities Dismantle 17 Million Device Botnet in Major Cybercrime Operation
Severity: High (Score: 70.2)
Sources: Risky.Biz, News.Risky.Biz, Interestingengineering, Bleepingcomputer, nltimes.nl
Keywords: botnet, dutch, down, police, take, million, devices
Severity indicators: ot, botnet
Summary
Dutch police, in collaboration with the National Cyber Security Centre (NCSC), have dismantled a massive botnet comprising over 17 million infected devices. The operation involved seizing more than 200 servers located in the Netherlands that were used to control the botnet's infrastructure. The botnet was reportedly linked to the Asocks residential proxy service, which has been associated with various cybercriminal activities, including phishing and DDoS attacks. Authorities received a tip from a cybersecurity researcher, prompting the investigation. The infected devices included computers, smartphones, tablets, and IoT devices. The NCSC has warned that residential proxy networks pose a significant threat to digital security, complicating the detection of malicious activities. Users are advised to secure their devices by changing default passwords and keeping software updated. The botnet's takedown is part of a broader effort to combat cybercrime, with several similar operations reported in recent months.

Key Points:
- Dutch police dismantled a botnet of 17 million devices linked to cybercrime.
- Over 200 servers were seized, and the botnet was associated with the Asocks proxy service.
- Authorities emphasize the risk posed by residential proxy networks in cybercrime.
Detailed Analysis
**Impact** At least 17 million devices worldwide (including computers, smartphones, tablets, routers, and IoT hardware) were compromised and used in the botnet. The infected devices were leveraged for phishing, spam distribution, and distributed denial-of-service (DDoS) attacks, affecting multiple sectors reliant on internet services. The botnet's infrastructure was hosted on over 200 servers located in the Netherlands, with potential operational disruptions for hosting providers and targeted organizations globally. No specific data breaches or thefts were reported, but the botnet facilitated large-scale cybercrime activities.

**Technical Details** The botnet operated as a residential proxy network, routing malicious traffic through legitimate consumer devices to mask attack origins. It exploited poorly secured consumer-grade devices, often with default credentials and unpatched vulnerabilities, to enroll them as proxy nodes. The infrastructure consisted of approximately 200 servers seized from a Dutch hosting provider. The botnet is linked to the Asocks residential proxy service, which uses a Go-based proxy library embedded in Android apps. Attack techniques included phishing, spam campaigns, DDoS attacks, and online fraud. No specific CVEs or malware hashes were disclosed.

**Recommended Response** Defenders should immediately ensure all consumer and enterprise devices have updated firmware and software to patch known vulnerabilities. Change default passwords on routers and IoT devices to strong, unique credentials and disable unnecessary remote administration interfaces. Enable multi-factor authentication (MFA) where possible and restrict installation of apps to trusted sources only. Monitor network traffic for unusual proxy activity and suspicious outbound connections indicative of residential proxy abuse. No specific IOCs were provided; organizations should focus on behavioral detection and device hygiene.
Source articles (8)
- Risky Bulletin: Dutch police take down 17m device botnet — Risky.Biz · 2026-05-29
  Dutch police take down a botnet of 17 million devices, US military staff have been tracked with ad-tech location data, a Google engineer is arrested for insider trading on Polymarket, and Gogs and the…
- Risky Bulletin: Dutch police take down giant botnet of 17 million devices — News.Risky.Biz · 2026-05-29
  Dutch authorities have conducted one of the largest-ever malware disruptions and took down a botnet that infected more than 17 million devices across the world. The botnet was made up of computers, ta…
- Dutch police dismantle massive botnet controlling 17 million infected devices — Cybernews · 2026-05-29
  A proxy botnet of 17 million devices has been taken offline following a successful operation by the Dutch National Police and the National Cyber Security Centre (NCSC). The hackers made it seem as i…
- Dutch cops wrest 17M devices from mystery botnet's clutches — Theregister · 2026-05-29
  Hosting provider pulled the plug after police traced 200 servers to the Netherlands Dutch police say they dismantled a large botnet this week comprising at least 17 million infected devices. After bei…
- Dutch police disrupts botnet composed of 17 million devices — Feeds2.Feedburner · 2026-05-29
  The Dutch National Police and the country's National Cyber Security Center (NCSC) have taken offline 200 servers controlling a botnet of 17 million devices, the law enforcement agency announced on Thu…
- Dutch govt disrupts malware botnet with 17 million infected devices — Bleepingcomputer · 2026-05-29
  Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. The action was carried out following an i…
- Massive cyberattack botnet powered by 17 million devices dismantled in Dutch raid — Interestingengineering · 2026-05-29
  Dutch authorities dismantled a massive botnet that controlled more than 17 million infected devices in one of the largest cybercrime disruptions in recent years. The operation involved the Dutch Natio…
- Ncsc Dutch Police Disrupt Global Botnet Controlled Via Netherlands Based Servers — nltimes.nl · 2026-05-29
Timeline
- 2026-05-29 — Dutch police take down massive botnet: Authorities dismantled a botnet controlling over 17 million devices, seizing 200 servers in the Netherlands.
- 2026-05-29 — NCSC issues warning about residential proxies: The NCSC published a blog post highlighting the risks associated with residential proxy networks used for malicious purposes.
- 2026-05-29 — Investigation initiated after researcher tip-off: The investigation into the botnet began after a cybersecurity researcher alerted the NCSC about suspicious activities.
Related entities
- Botnet (Attack Type)
- Brute Force (Attack Type)
- Credential Stuffing (Attack Type)
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Malware (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- Supply Chain Attack (Attack Type)
- Daemontools (Company)
- TanStack (Company)
- Amadeus (Company)
- Carnival (Company)
- Superfortune (Company)
- Wiley Rein (Company)
- Ipidea (Company)
- SocksEscort (Company)
- Gogs (Company)
- Nx Console (Tool)
- Npm (Tool)
- Proxylib (Tool)
- Canada (Country)
- France (Country)
- Greece (Country)
- Iran (Country)
- Netherlands (Country)
- Spain (Country)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- abcnews.com (Domain)
- databreaches.net (Domain)
- doublepulsar.com (Domain)
- provider.in (Domain)
- youtube.in (Domain)
- Aisuru/Kimwolf (Malware)
- Asocks (Malware)
- FirstVPN (Malware)
- RapperBot (Malware)
- VenomRAT (Malware)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1110 - Brute Force (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1499 - Endpoint Denial of Service (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Go (Mitre Attack)
- Android (Platform)
- Casdoor IAM (Platform)
- Java (Platform)
- Maven (Platform)
- PyPI (Platform)
- WordPress (Platform)
- The Gentlemen (Ransomware Group)