VYPR
Breach · Published May 27, 2026 · 1 source

Dutch Police Arrest Suspect in AFC Ajax Hack That Exposed 300,000 Fan Accounts

Dutch police arrested a 35-year-old man for hacking AFC Ajax multiple times in early 2026, exploiting vulnerabilities that exposed hundreds of thousands of fan accounts and allowed manipulation of stadium bans and tickets.

The Dutch National Police arrested a 35-year-old man on May 26, 2026, suspected of hacking the professional football club AFC Ajax earlier this year. The suspect, arrested in the municipality of Buren, is believed to have unlawfully intruded into Ajax's computer systems on multiple occasions, according to a police press release.

AFC Ajax disclosed the incident in late March, revealing that the attacker exploited vulnerabilities in its IT systems to access data belonging to a few hundred individuals. However, further investigation by Dutch media outlet RTL uncovered a much broader impact: the same security flaw allowed broad access to fan data via APIs and shared keys. The hacker demonstrated how they could reassign a VIP season ticket in seconds, manipulate 538 supporter stadium bans, reassign 42,000 season tickets, and view details on more than 300,000 accounts.

The vulnerabilities also enabled the attacker to modify stadium bans imposed on fewer than 20 individuals and transfer purchased tickets to others. The Dutch football club has since patched the exploited vulnerabilities and notified the Dutch Data Protection Authority and the police of the incident.

The arrest follows a criminal investigation launched after Ajax reported the breach. The suspect is now facing charges of computer trespassing. This incident highlights the growing threat to sports organizations, which hold vast amounts of personal and financial data on fans and members.

In related law enforcement actions, the Dutch National Police also arrested two teenage boys in September 2025 for spying for Russia using a WiFi sniffer device near Europol and Eurojust offices. More recently, financial crime investigators (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks and disinformation campaigns.

The Ajax hack serves as a reminder that even well-known organizations must continuously assess and patch vulnerabilities to protect sensitive user data. The arrest demonstrates the commitment of Dutch authorities to pursue cybercriminals targeting critical infrastructure and high-profile entities.

Synthesized by Vypr AI