Dutch Authorities Dismantle Massive 17-Million Device Botnet

On May 29, 2026, the Dutch National Police and the NCSC-NL seized more than 200 servers from a hosting provider in the Netherlands, effectively disabling a botnet consisting of at least 17 million infected devices. The operation exposes a structural weakness in security defenses that treat the reputation of residential IP addresses as a signal of trust.
- Dutch police and the NCSC-NL seized over 200 servers from a Netherlands-based hosting provider, neutralizing a botnet of at least 17 million infected devices, including computers, tablets, smartphones, routers, and IoT hardware.
- Authorities have not publicly disclosed the botnet's name—an unusual move for an operation of this scale. Local media outlets have linked the infrastructure to Asocks, a residential proxy service that advertised 7 million IP addresses, 150 locations, and 100,000 customers with subscriptions ranging from $5 to $15 per month.
- The NCSC-NL published a blog post regarding the threat of residential proxies just one day prior to the takedown announcement; the initial lead for the investigation came from a cybersecurity researcher.
- Previous research by HUMAN Security’s Satori team linked Asocks to PROXYLIB, following a documented model where devices are enrolled into proxy networks via the LumiApps SDK.
- The Asocks website remained online following the takedown announcement; sources do not specify how much of the service's infrastructure operated outside of the 200 seized servers.
17 Million Devices and 200 Servers: The Operation's Scale
The investigation revealed that the botnet controlled "at least 17 million infected devices," according to the NCSC, as cited by BleepingComputer. The 200 servers used to host the infrastructure were located within the Netherlands. Police seized "several botnet servers from a hosting provider for investigative purposes," after which the provider chose to deactivate the botnet because it was being utilized for criminal activity.
The figure of 17 million endpoints significantly exceeds the typical size of the DDoS botnets that usually make security news. Computers, tablets, smartphones, routers, and IoT devices were aggregated into a single infrastructure. Sources do not specify the compromise vectors used to recruit devices into this botnet.
The seizure of over 200 servers from a single Dutch provider shows that the command-and-control (C2) infrastructure was geographically concentrated; it does not describe the distribution of the infected devices themselves. Published reports do not detail the routing architecture between the seized servers and the compromised residential IP addresses.
The Unnamed Botnet: Why Authorities Are Withholding a Moniker
An anomalous element of the operation is the decision by authorities not to disclose the botnet's name. The Register highlighted this as "unusual" for an action of this magnitude. No official explanation has been provided for this reticence.
From an investigative standpoint, withholding the name may preserve intelligence capabilities regarding surviving infrastructure. Legally, the name might be restricted by ongoing investigative procedures or international cooperation agreements. Sources have not confirmed these hypotheses.
Local media, specifically the NL Times (as cited by BleepingComputer, Help Net Security, and Risky Biz), has linked the botnet to Asocks. This connection has not been confirmed by authorities. Asocks advertised a pool of 7 million IP addresses, 150 locations, and 100,000 clients. According to Risky Biz, the service's website remained accessible after the takedown was announced.
The discrepancy between the 17 million devices cited in the botnet and the 7 million IP addresses advertised by Asocks—a factor of approximately 2.4—remains unexplained in current reports. The causes for this difference are not documented.
PROXYLIB and LumiApps: The Technical Enrollment Context
Research published by HUMAN Security’s Satori team in 2024 provides a technical precedent for how consumer devices are enrolled into proxy networks. According to the HUMAN Security model, PROXYLIB was integrated into the LumiApps SDK, which enrolled smartphones into residential proxy networks. HUMAN Security established with "high confidence" that Asocks and PROXYLIB are linked—potentially owned or operated by the same threat actor—through analysis of the bproxy.one domain archive.
"Because residential proxies use real, trusted IP addresses, malicious use of them is much harder to detect or block. Many security systems and websites trust traffic from residential proxy IPs more than traffic from data centers or anonymous VPNs." — NCSC-NL
The NCSC-NL published a blog post dedicated to residential proxies as a threat the day before the takedown announcement. The timing suggests a communication strategy designed to raise awareness of the technological context surrounding the operation.
Technical details regarding PROXYLIB and LumiApps stem from historical HUMAN Security research rather than cross-verification of this specific operation. Dutch authorities have not confirmed that this specific mechanism powered the 17-million-device botnet.
Defensive Implications
The Dutch operation carries significant defensive implications for organizations that rely on IP reputation to filter threats. The NCSC-NL emphasized that traffic from residential proxies enjoys higher trust levels than traffic from data centers or anonymous VPNs, making detection far more complex.
Organizations must recognize that distinguishing legitimate traffic from traffic relayed through compromised devices acting as residential proxies requires verification approaches that do not depend solely on IP reputation. The NCSC-NL noted that "the abuse of residential proxies makes it harder to map digital threats and attacks" and that "organizational resilience can come under pressure" as the scale of these attacks increases.
For individual users, the sources do not specify concrete actions beyond a general awareness that consumer devices can be enrolled into proxy networks without explicit consent.
Conclusion
The operation on May 29, 2026, represents one of the largest documented botnet takedowns in Europe, yet it leaves open questions regarding the full scope of the affected infrastructure. The absence of an official name, the persistence of the Asocks website, and the lack of official confirmation of the Asocks link suggest the investigation may still be at a preliminary stage, short of full judicial action.
The case illustrates the tension between operational effectiveness and informational transparency: seizing 200 servers and liberating 17 million devices is a measurable success, but identifying the operators, the technical mechanisms, and the surviving infrastructure requires more time. Sources do not document any specific arrests or charges related to this operation at this time.
Sources
- https://www.bleepingcomputer.com/news/security/dutch-govt-disrupts-malware-botnet-with-17-million-infected-devices/
- https://www.helpnetsecurity.com/2026/05/29/dutch-police-disrupts-botnet-composed-of-17-million-devices/
- https://www.theregister.com/security/2026/05/29/dutch-cops-liberate-17m-devices-from-botnets-clutches/5248312
- https://cybernews.com/cybercrime/dutch-police-massive-botnet-17-million-infected-devices/
- https://news.risky.biz/risky-bulletin-dutch-police-take-down-giant-botnet-of-17-million-devices/
- https://www.helpnetsecurity.com/2024/03/26/smartphone-apps-proxy-network/
- https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
- https://www.darkreading.com/cyber-risk/dutch-raid-russian-bulletproof-host
- https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/
- https://www.helpnetsecurity.com/2025/06/06/millions-of-android-devices-roped-into-badbox-2-0-botnet-is-yours-among-them/
- https://www.helpnetsecurity.com/2025/05/12/law-enforcement-takes-down-proxy-botnets-5socks-anyproxy-used-by-criminals/
- https://www.helpnetsecurity.com/2026/03/13/socksescort-fraud-proxy-network-takedown/