Dutch Police Arrest Suspect in AFC Ajax Hack That Exposed 300,000 Fan Accounts
Dutch police arrested a 35-year-old man for hacking AFC Ajax multiple times in early 2026, exploiting vulnerabilities that exposed hundreds of thousands of fan accounts and allowed manipulation of stadium bans and tickets.

The Dutch National Police arrested a 35-year-old man on May 26, 2026, suspected of hacking the professional football club AFC Ajax earlier this year. The suspect, arrested in the municipality of Buren, is believed to have unlawfully intruded into Ajax's computer systems on multiple occasions, according to a police press release.
AFC Ajax disclosed the incident in late March, revealing that the attacker exploited vulnerabilities in its IT systems to access data belonging to a few hundred individuals. However, further investigation by Dutch media outlet RTL uncovered a much broader impact: the same security flaw allowed broad access to fan data via APIs and shared keys. The hacker demonstrated how they could reassign a VIP season ticket in seconds, manipulate 538 supporter stadium bans, reassign 42,000 season tickets, and view details on more than 300,000 accounts.
The vulnerabilities also enabled the attacker to modify stadium bans imposed on fewer than 20 individuals and transfer purchased tickets to others. The Dutch football club has since patched the exploited vulnerabilities and notified the Dutch Data Protection Authority and the police of the incident.
The arrest follows a criminal investigation launched after Ajax reported the breach. The suspect is now facing charges of computer trespassing. This incident highlights the growing threat to sports organizations, which hold vast amounts of personal and financial data on fans and members.
In related law enforcement actions, the Dutch National Police also arrested two teenage boys in September 2025 for spying for Russia using a WiFi sniffer device near Europol and Eurojust offices. More recently, financial crime investigators (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks and disinformation campaigns.
The Ajax hack serves as a reminder that even well-known organizations must continuously assess and patch vulnerabilities to protect sensitive user data. The arrest demonstrates the commitment of Dutch authorities to pursue cybercriminals targeting critical infrastructure and high-profile entities.
The arrest of a 35-year-old suspect in Buren follows a March breach in which an unpatched vulnerability exposed email addresses of hundreds of individuals and limited personal data of stadium-ban subjects, with Dutch broadcaster RTL reporting the incident may have affected over 300,000 registered supporters and 42,000 season tickets. Police seized multiple digital storage devices during the search, though they have not disclosed the suspect's identity or a possible motive. Ajax stated it has since patched the vulnerability and launched an internal investigation.
The Help Net Security report adds that the suspect, a 35-year-old man from the municipality of Buren, was arrested on the morning of Tuesday, May 26, and faces charges of intentionally and unlawfully entering Ajax's computer systems multiple times. The investigation was triggered after the club detected unauthorized access, leading to the arrest. This confirms the suspect's age and location, and specifies the exact arrest date, which was not detailed in earlier coverage.