
Dutch Police Dismantled Botnet Tied to 17 Million Devices
Dutch law enforcement and cybersecurity authorities carried out a botnet takedown that severed control over at least 17 million infected devices worldwide. The operation, conducted jointly by the Dutch National Police and the National Cyber Security Centre (NCSC), dismantled infrastructure that had quietly turned everyday phones, tablets, computers, and IoT devices into tools for cybercrime.
The action was announced on May 28, 2026. Police seized a number of servers from a Netherlands-based hosting provider, which then took the remaining infrastructure offline.
How the Botnet Operated
At the heart of this botnet takedown was a network of over 200 servers, all located in the Netherlands, that functioned as the backend controlling millions of compromised devices. Those devices were enrolled as residential proxy nodes, meaning they relayed third-party internet traffic through real consumer IP addresses.
That distinction matters. Residential proxies carry IP addresses assigned by regular internet service providers to ordinary households. Because security systems tend to trust household traffic more than data center traffic, malicious activity routed through these nodes is far harder to detect or block. As the NCSC noted, the people behind the infected devices had no knowledge their bandwidth was being sold.
The service linked to the takedown is Asocks, a Russia-based company that sold residential, mobile, and corporate proxy access via monthly subscriptions. Pricing ranged from $5 to $15 per month, with bulk discounts available. Dutch reporting identified Asocks as the operator, though authorities did not name the service in their official statements.
A Network Built on Infected Devices
The botnet's scale, 17 million devices, raises an obvious question: how did so many endpoints end up compromised? The answer involves several overlapping vectors.
In 2024, security researchers identified a campaign called PROXYLIB, which embedded a malicious Go-based code library inside Android apps distributed through Google Play. The library silently enrolled devices into a residential proxy network tied to Asocks. Researchers found 28 apps carrying this library, with as many as 190,000 devices enrolled through those apps alone. Google removed the apps following the disclosure, and Google Play Protect was updated to flag the threat.
Beyond malicious apps, devices can be compromised through unpatched software vulnerabilities, weak default credentials on routers and IoT hardware, or unsecured Wi-Fi networks. In many cases, the affected device continues to function normally while quietly routing third-party traffic in the background.
What Residential Proxy Botnets Are Used For
A botnet takedown of this type carries significance beyond the raw device count. Residential proxy networks serve as infrastructure for a wide range of criminal operations. The NCSC specifically highlighted their role in DDoS attacks, credential stuffing and brute-force campaigns, phishing operations, spam distribution, click fraud, and SMS pumping schemes.
Because the traffic originates from real consumer IP addresses, operators of these networks can bypass rate limits, evade geo-blocks, and avoid IP-based detection systems. For cybercriminals running large-scale automated attacks, access to millions of residential nodes is operationally valuable. Asocks offered access to proxy nodes across nearly every country, making geographic diversification straightforward.
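To show from the defender's side why per-IP controls miss activity spread across residential nodes, the following added example (not code from the NCSC or any source cited here) runs a per-IP failure threshold and an IP-independent check over constructed login events. The event format, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed (minute, source_ip, username, success) login events."""
    events = [(i % 5, f"198.51.100.{i + 1}", f"user{i}", True) for i in range(20)]
    # One noisy source: 30 failures from a single address.
    events += [(1, "203.0.113.7", "admin", False)] * 30
    # Distributed run: 60 addresses, two failed attempts each.
    for i in range(60):
        ip = f"192.0.2.{i + 1}"
        events.append((2, ip, f"victim{2 * i}", False))
        events.append((3, ip, f"victim{2 * i + 1}", False))
    return events

def per_ip_blocklist(events, max_failures=10):
    """Per-IP rate limit: flag any address with more than max_failures."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > max_failures}

def distributed_failure_windows(events, blocked, min_failed_users=20,
                                min_fail_ratio=0.8):
    """Per-minute check that ignores source identity: flag minutes where
    many distinct usernames fail and most unblocked attempts fail.
    Both thresholds are illustrative assumptions, not tuned values."""
    windows = defaultdict(lambda: {"users": set(), "ips": set(),
                                   "fail": 0, "total": 0})
    for minute, ip, user, ok in events:
        if ip in blocked:
            continue  # already handled by the per-IP control
        w = windows[minute]
        w["total"] += 1
        if not ok:
            w["fail"] += 1
            w["users"].add(user)
            w["ips"].add(ip)
    flagged = {}
    for minute, w in sorted(windows.items()):
        ratio = w["fail"] / w["total"]
        if len(w["users"]) >= min_failed_users and ratio >= min_fail_ratio:
            flagged[minute] = (len(w["users"]), len(w["ips"]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    events = build_sample_events()
    blocked = per_ip_blocklist(events)
    print("per-IP control flags:", blocked)
    print("IP-independent windows:", distributed_failure_windows(events, blocked))
```

On the constructed data the per-IP threshold flags only the single noisy address, while the per-minute view surfaces the two windows in which 60 low-volume addresses each failed against a different account.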
Part of a Broader Pattern
This botnet takedown joins a series of similar operations in recent months. Authorities have disrupted several other residential proxy networks, including SocksEscort, IPIDEA, and the BADBOX 2.0 infrastructure, which at its peak had infected over one million devices. The repeated enforcement actions reflect a growing focus by law enforcement on the proxy ecosystem as a foundational layer of cybercriminal infrastructure.
The investigation that led to this operation began with a tip from a security researcher, who reported the network to the NCSC. Dutch police and the NCSC then jointly investigated, confirmed the botnet's scale and the Netherlands-based server infrastructure, and moved to dismantle it.
What Users and Organizations Can Do
The NCSC published defensive guidance alongside the announcement. Keeping operating systems, routers, and apps fully patched closes off many of the vulnerabilities attackers use to gain initial access. Using strong, unique passwords and enabling two-factor authentication limits the risk of credential-based compromise.
For IoT devices, routers, and other edge hardware, changing default credentials immediately after setup is critical. Many devices ship with known default usernames and passwords that attackers actively scan for. Securing Wi-Fi with WPA2 or WPA3 and only installing apps from verified, trusted sources further reduces exposure. Regularly reviewing which devices are connected to a network can surface unexpected or unauthorized endpoints before they become a problem.
The scale of this botnet, 17 million devices spanning multiple continents, shows how extensively compromised consumer hardware feeds criminal infrastructure. Most of those device owners never knew they were involved.