Massive 17 Million Device Botnet Successfully Dismantled by Dutch Authorities
- May 30
- 2 min read
Key Findings
Dutch authorities dismantled a botnet comprising at least 17 million infected devices across computers, tablets, and smartphones
Police seized over 200 servers hosted within the Netherlands that controlled the botnet infrastructure
The operation was linked to ASOCKS, a Russia-based residential proxy service used for criminal activities
A security researcher's report to the National Cyber Security Centre (NCSC) triggered the investigation
The botnet was taken offline after the hosting provider confirmed its use for criminal purposes
Background
Dutch law enforcement, working alongside the National Cyber Security Centre, took action against one of the largest botnets discovered in recent years. The investigation began when a security researcher reported the suspicious network activity to the NCSC, which then collaborated with police to conduct a full investigation. The discovery revealed the scale of the operation and the location of its command infrastructure within Dutch hosting facilities.
Connection to ASOCKS Proxy Service
The botnet was tied to ASOCKS, a residential proxy service based in Russia that provides anonymity tools to hide users' identities and locations online. While these services have legitimate uses, they are frequently abused by cybercriminals. The company operates by routing internet traffic through compromised consumer devices, making malicious activity appear to originate from normal residential users rather than obvious attack sources.
How Devices Were Infected
Compromised devices were covertly infected with malware through various methods. In 2024, security researchers at HUMAN Security discovered that 28 Android applications on Google Play secretly enrolled up to 190,000 devices into the proxy network without user knowledge or consent. Attackers typically exploit software vulnerabilities or weak security configurations to gain remote control of devices, turning them into unwitting participants in criminal operations.
Criminal Applications and Detection Challenges
Residential proxy botnets are used for multiple types of cybercrimes including DDoS attacks, phishing campaigns, web scraping, and botnet command-and-control operations. These services complicate detection and mitigation efforts because the malicious traffic appears legitimate and originates from normal internet users' devices. This makes it difficult for security teams and network administrators to identify and block the attacks.
Protective Measures
Users can reduce their risk of botnet infection by keeping systems and applications updated with the latest security patches, using strong passwords and enabling two-factor authentication, securing wireless networks with proper encryption, and avoiding suspicious downloads and links. Installing software only from trusted sources and regularly monitoring connected devices with security tools also helps prevent compromise. People should also uninstall apps they no longer use and carefully research applications before installation.
Sources
https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html
https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled
https://www.reddit.com/r/cybersecurity/comments/1trdf28/botnet_of_more_than_17_million_devices_dismantled
https://www.helpnetsecurity.com/2026/05/29/dutch-police-disrupts-botnet-composed-of-17-million-devices

Comments