Dutch Police Dismantle Botnet of 17 Million Devices, Seize 200 Servers
Dutch police have dismantled a massive botnet comprising at least 17 million infected devices after seizing 200 servers from a hosting provider, following a tip from the National Cyber Security Centre (NCSC-NL).
Dutch police announced this week that they had dismantled a large botnet comprising at least 17 million infected devices. The investigation began after a tip-off from a researcher at the Netherlands' National Cyber Security Centre (NCSC-NL), which led cybercrime specialists at The Hague Police Unit to discover 200 servers underpinning the botnet's infrastructure, all located within the country. Officers seized several servers from a hosting provider for further analysis, and the provider subsequently shut down the botnet after realizing it was being used for 'criminal purposes.'
Botnets of this scale can be weaponized for a wide range of cybercrimes. While officials did not disclose the specific malicious activities this particular botnet was used for, police stated that typical abuse includes phishing, launching distributed denial-of-service (DDoS) attacks, and online fraud. The takedown represents a significant operational success for Dutch law enforcement, removing a vast network of compromised devices from the control of unknown threat actors.
Neither the police nor the NCSC-NL revealed the botnet's name—an unusual omission for takedowns of this kind—and also did not detail the exact types of devices enrolled in the network. However, both organizations pointed to poorly secured consumer-grade kit such as routers, mobile devices, and IoT hardware as common examples of devices that are easily compromised and absorbed into such criminal networks. They advised users to stop relying on default passwords for new hardware, avoid installing apps from unofficial sources, and keep all software up to date.
The announcement comes just as the NCSC-NL published a blog highlighting a worrying rise in residential proxy networks used for malicious purposes. Botnets and residential proxy networks share similarities, as both involve enrolling legitimate devices into a broader network, though typically for different reasons. While botnets are almost exclusively malicious, residential proxy networks are legal and advertised openly for privacy benefits. However, experts agree these networks are more often abused than used for good. Consumers often have their IP addresses enrolled into these networks without their knowledge, and cybercriminals use the proxies to hide the true source of malicious traffic, complicating incident response.
These proxy networks can be used for DDoS attacks, phishing, brute-force attacks, bypassing impossible travel checks, and malware distribution. 'The misuse of residential proxies makes it more difficult to map digital threats and attacks,' NCSC-NL wrote. 'Additionally, the devices of unsuspecting users can become part of such proxy networks, often without their knowledge. In this way, consumers are unknowingly part of cybercrime.'
Separately, the NCSC-NL published its annual Cybercrime Monitor report on Thursday, revealing that cyberattacks on Dutch companies had fallen to the lowest level in nine years. According to 2024 data, just four percent of organizations reported an external cyberattack, compared to 11 percent in 2016. The trend was noticeable across all company sizes. Phishing and spoofing remained the most common attack types, affecting 23 percent of organizations. Attacks involving DDoS, data breaches, business email compromise fraud, and ransomware were each reported by around one percent of organizations.
The NCSC-NL attributed the overall improvements to wider adoption of multi-factor authentication (MFA). The technology is now effectively universal across larger organizations, with 87 percent implementing it in 2025, up from 71 percent in 2017. For smaller organizations, uptake more than doubled to 79 percent from 29 percent eight years prior. The botnet takedown and the broader trend of declining reported attacks paint a complex picture: while Dutch defenders are improving their posture, the scale of criminal infrastructure continues to grow, requiring constant vigilance and international cooperation.
The botnet is linked to a proxy service called Asocks, which advertises 7 million IP addresses and 100,000 clients. The takedown involved seizing over 200 servers at a Dutch hosting provider, and authorities confirmed the devices were infected without owners' knowledge. BleepingComputer has reached out to Asocks for comment but has not received a response.
The botnet has been linked to Asocks, a commercial residential proxy service, according to Dutch news outlet NL Times. The NCSC published a detailed analysis of residential proxy abuse, noting that such networks use real, trusted IP addresses to evade detection and are often built by bundling proxy software with free applications or via malware. This takedown follows previous law enforcement actions against similar proxy services, including 5socks and Anyproxy in 2024 and SocksEscort earlier this year.