Dutch Police Dismantle 17 Million Device Botnet in Major Cyber Operation
Severity: Medium (Score: 54.8)
Sources: Risky.Biz, Cybernews, News.Risky.Biz, Feeds2.Feedburner, Theregister
Keywords: botnet, dutch, down, police, take, million, devices
Severity indicators: ot, botnet
Summary
Dutch police have taken down a botnet of more than 17 million infected devices worldwide. The operation began with a tip from a security researcher to the National Cyber Security Centre (NCSC-NL). Authorities seized 200 servers at a hosting provider in the Netherlands that were used to control the botnet, which sent spam, ran phishing campaigns and launched DDoS attacks. The botnet's name was not disclosed; reporting links it to the Asocks residential proxy service. The NCSC-NL had recently warned about residential proxy networks being misused for cybercrime. Users are advised to change default passwords and keep device software updated. The takedown reflects ongoing efforts against large-scale cyber threats and highlights the risk of poorly secured consumer devices, which can be silently rented out as proxy exits.

Key Points:
• Dutch police dismantled a botnet of over 17 million devices linked to cybercrime.
• The operation was prompted by a tip from a security researcher to the NCSC-NL.
• Authorities seized 200 servers used to control the botnet, which was involved in spam, phishing and DDoS attacks.
Detailed Analysis
**Impact**
At least 17 million devices worldwide were compromised, including consumer-grade routers, smartphones, tablets and IoT hardware. The botnet was used for spam, phishing campaigns, DDoS attacks and online fraud. The harm falls on two groups: owners of infected devices, whose bandwidth and IP reputation were abused without their knowledge, and the organizations and individuals the botnet was pointed at. The seized infrastructure was in the Netherlands, but the infected devices span the globe, so the impact is broad across countries and sectors.

**Technical Details**
The command infrastructure consisted of more than 200 servers at a Dutch hosting provider, used to control and grow the network. The malware included a Go-based proxy library (PROXYLIB) embedded in Android apps, turning infected devices into nodes of a residential proxy network linked to the Asocks service. Infection relied on poorly secured consumer devices, typically through default credentials and apps installed from unofficial sources. No CVEs or additional malware families were detailed in the sources, and no indicators of compromise were published.

**Recommended Response**
Users should change default passwords on all networked devices, avoid installing apps from unofficial sources and keep device software up to date. Organizations should monitor for unusual outbound traffic indicative of proxy or botnet activity and enforce multi-factor authentication to limit the impact of phished credentials. Security teams should track residential proxy usage patterns and block known proxy IP ranges where possible, with one caveat: residential proxy exits are by design ordinary consumer IP addresses, so exit blocklists are incomplete and noisy. A device on your own network that keeps a long-lived session to one external relay while fanning out short connections to many unrelated destinations is a stronger signal that it is being used as a proxy node. No patches or IOCs were provided for direct blocking.
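One way to act on the monitoring advice above, as an added example that is not code from the original page, from the Dutch police, or from any source article: a flow-log heuristic that flags internal hosts showing the two traits of a residential proxy exit node, a persistent outbound session to one external relay plus a large fan-out of short connections to unrelated destinations. The CSV shape, the sample hosts, the thresholds (20 distinct destinations, a 30-minute session) and all function names are assumptions made for illustration.

```python
"""Flag internal hosts whose outbound flows look like a residential proxy exit.

Two heuristics, combined to cut false positives (a lone VPN session or a busy
laptop alone should not fire). Thresholds are this example's assumptions, not
figures from the source articles.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

FANOUT_MIN = 20          # distinct external destinations per host in the window
LONG_SESSION_S = 1800.0  # an outbound session this long to one external peer is
                         # treated as a candidate backconnect/relay channel

# Explicit RFC 1918 / loopback / link-local check. ipaddress.is_private is not
# used on purpose: the RFC 5737 documentation ranges that stand in for public
# hosts in the sample (192.0.2/24, 198.51.100/24, 203.0.113/24) would be
# reported as private by that property and silently dropped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration_s: float


def build_sample_flows() -> str:
    """Constructed flow export (not a capture from any real botnet)."""
    rows = ["src,dst,dport,bytes_out,duration_s"]
    # 10.0.0.12: a laptop browsing a handful of sites plus an internal SMB share.
    for i in range(8):
        rows.append(f"10.0.0.12,203.0.113.{i + 1},443,{3000 + i * 100},4.0")
    rows.append("10.0.0.12,10.0.0.5,445,90000,2.0")
    # 10.0.0.77: a workstation holding one long, legitimate VPN session.
    rows.append("10.0.0.77,198.51.100.200,1194,55000000,7200.0")
    rows.append("10.0.0.77,203.0.113.50,443,2000,3.0")
    # 10.0.0.40: an IoT device keeping a one-hour session to a single relay
    # while making short connections to 30 unrelated web servers. That is the
    # shape of a device being rented out as a residential proxy exit.
    rows.append("10.0.0.40,192.0.2.44,8443,180000,3600.0")
    for i in range(30):
        rows.append(f"10.0.0.40,198.51.100.{i + 1},443,{800 + i},1.0")
    return "\n".join(rows) + "\n"


def parse_flows(text: str) -> list[Flow]:
    reader = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dport"]), int(r["bytes_out"]),
                 float(r["duration_s"])) for r in reader]


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def score_hosts(flows: list[Flow]) -> dict[str, dict]:
    """Per source host: distinct external destinations, long-session peers,
    and whether both heuristics fire."""
    dsts: dict[str, set[str]] = defaultdict(set)
    long_peers: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if not is_external(f.dst):
            continue  # internal traffic says nothing about proxy-exit behaviour
        dsts[f.src].add(f.dst)
        if f.duration_s >= LONG_SESSION_S:
            long_peers[f.src].add(f.dst)
    result = {}
    for src, targets in dsts.items():
        relays = sorted(long_peers[src])
        result[src] = {
            "distinct_external_dst": len(targets),
            "long_session_peers": relays,
            "flagged": len(targets) >= FANOUT_MIN and bool(relays),
        }
    return result


def flagged_hosts(text: str) -> list[str]:
    scores = score_hosts(parse_flows(text))
    return sorted(h for h, r in scores.items() if r["flagged"])


if __name__ == "__main__":
    for host, r in sorted(score_hosts(parse_flows(build_sample_flows())).items()):
        print(host, r)
```

On the constructed sample only 10.0.0.40 is flagged: the laptop has fan-out but no relay session, the VPN workstation has a relay-shaped session but no fan-out. In practice the window length and both thresholds need tuning per network, and the relay peer of a flagged host is the natural pivot for a blocklist or a takedown referral.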
Source articles (7)
- Risky Bulletin: Dutch police take down 17m device botnet — Risky.Biz · 2026-05-29
  Dutch police take down a botnet of 17 million devices, US military staff have been tracked with ad-tech location data, a Google engineer is arrested for insider trading on Polymarket, and Gogs and the…
- Risky Bulletin: Dutch police take down giant botnet of 17 million devices — News.Risky.Biz · 2026-05-29
  Dutch authorities have conducted one of the largest-ever malware disruptions and took down a botnet that infected more than 17 million devices across the world. The botnet was made up of computers, ta…
- Dutch police dismantle massive botnet controlling 17 million infected devices — Cybernews · 2026-05-29
  A proxy botnet of 17 million devices has been taken offline following a successful operation by the Dutch National Police and the National Cyber Security Centre (NCSC). The hackers made it seem as i…
- Dutch cops wrest 17M devices from mystery botnet's clutches — Theregister · 2026-05-29
  Hosting provider pulled the plug after police traced 200 servers to the Netherlands. Dutch police say they dismantled a large botnet this week comprising at least 17 million infected devices. After bei…
- Dutch police disrupts botnet composed of 17 million devices — Feeds2.Feedburner · 2026-05-29
  The Dutch National Police and the country's National Cyber Security Center (NCSC) have taken offline 200 servers controlling a botnet of 17 million devices, the law enforcement agency announced on Thu…
- Dutch govt disrupts malware botnet with 17 million infected devices — Bleepingcomputer · 2026-05-29
  Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. The action was carried out following an i…
- Ncsc Dutch Police Disrupt Global Botnet Controlled Via Netherlands Based Servers — nltimes.nl · 2026-05-29
Timeline
- 2026-05-29 — Dutch police take down large botnet: Police seized 200 servers in the Netherlands, dismantling a botnet of 17 million devices used for cybercrime.
- 2026-05-29 — NCSC-NL issues warning on residential proxy networks: The NCSC-NL highlighted the rise of residential proxy networks being misused for malicious purposes just before the takedown announcement.
Related entities
- Botnet (Attack Type)
- Brute Force (Attack Type)
- Credential Stuffing (Attack Type)
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Malware (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- Supply Chain Attack (Attack Type)
- Daemontools (Company)
- TanStack (Company)
- Amadeus (Company)
- Carnival (Company)
- Superfortune (Company)
- Wiley Rein (Company)
- Ipidea (Company)
- SocksEscort (Company)
- Gogs (Company)
- Nx Console (Tool)
- Npm (Tool)
- Proxylib (Tool)
- Canada (Country)
- France (Country)
- Greece (Country)
- Iran (Country)
- Netherlands (Country)
- Spain (Country)
- CWE-798 - Use of Hard-coded Credentials (Cwe)
- abcnews.com (Domain)
- databreaches.net (Domain)
- doublepulsar.com (Domain)
- provider.in (Domain)
- youtube.in (Domain)
- Aisuru/Kimwolf (Malware)
- Asocks (Malware)
- FirstVPN (Malware)
- RapperBot (Malware)
- VenomRAT (Malware)
- T1078 - Valid Accounts (Mitre Attack)
- T1110 - Brute Force (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1499 - Endpoint Denial of Service (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Go (Platform)
- Android (Platform)
- Casdoor IAM (Platform)
- Java (Platform)
- Maven (Platform)
- PyPI (Platform)
- WordPress (Platform)
- The Gentlemen (Ransomware Group)