Dutch Police and NCSC Disrupt 17 Million-Device Botnet Running Through Netherlands-Based Servers

By Ash K

A botnet with 17 million infected devices is not just a malware problem. It is an internet trust problem.

Dutch authorities have disrupted a massive global botnet after investigators traced 200 servers used to control the infrastructure back to the Netherlands. The operation was carried out by the Dutch National Police and the National Cyber Security Centre Netherlands, after a security researcher reported the network to the NCSC.

The scale is what makes this case stand out. The infected fleet reportedly included consumer devices such as computers, routers, tablets, smartphones, and smart devices, including security cameras. In practical terms, that means millions of ordinary home and edge devices were quietly turned into infrastructure for cybercrime.

What Happened

On May 28, 2026, the NCSC Netherlands said a joint operation with Dutch police had taken a major botnet offline. Investigators identified 200 servers used to host and control the botnet infrastructure, all located in the Netherlands.

The police seized several servers from a hosting provider for investigative purposes. The hosting provider then took the botnet offline after it was determined that the infrastructure was being used for criminal activity.

According to the NCSC, the botnet consisted of at least 17 million infected devices. Those devices were being remotely controlled to carry out cyberattacks, including activities commonly associated with botnets such as spam, phishing, online fraud, and distributed denial-of-service attacks.

Dutch authorities did not officially name the botnet in their public announcement. However, Dutch media outlet NL Times reported that the disrupted infrastructure was linked to Asocks, a commercial residential and mobile proxy service. BleepingComputer also reported the same alleged connection, while noting that Asocks had not responded to a request for comment at publication time.

Why This Stands Out

This was not a small command-and-control cluster hidden in some disposable cloud accounts. Dutch authorities identified 200 servers inside the Netherlands supporting a botnet of at least 17 million infected devices.

That ratio matters. A relatively concentrated backend was apparently supporting a globally distributed front end made up of compromised consumer and IoT devices. For defenders, that is a reminder that botnet scale often lives at the edge, while control infrastructure may still depend on conventional hosting providers, payment systems, domains, and service operators.

The more important angle is residential proxy abuse. Residential proxies route traffic through real consumer internet connections, making malicious activity appear as if it came from ordinary home users rather than obvious data centers or known VPN infrastructure.

That creates a defensive headache. A login attempt from a consumer broadband IP address may look more trustworthy than traffic from a cloud server. A DDoS wave using home networks can be harder to filter cleanly. A phishing or spam campaign sent through residential IPs may have a better chance of slipping past reputation-based controls.

Residential Proxies Are Becoming Attack Infrastructure

The NCSC published separate guidance on May 27, 2026, warning that residential proxies are increasingly being used in digital attacks. The agency described residential proxies as internet connections from consumer equipment, including routers and mobile devices, that can be used by third parties to make traffic appear as if it comes from legitimate users.

The NCSC listed several malicious use cases: DDoS attacks, phishing and spam, credential stuffing, brute-force attacks, click fraud, SMS pumping, malware distribution, and the use of stolen credentials from IP addresses that look normal to defensive systems.

That is why this takedown matters beyond the headline number. A 17 million-device botnet is dangerous not only because it can generate traffic volume, but because it can generate believable traffic. In modern fraud, account takeover, and abuse operations, looking ordinary is often the attacker’s most valuable capability.

Why Defenders Should Care

For enterprise defenders, this case should sharpen three priorities.

First, asset visibility cannot stop at laptops and servers. Routers, cameras, mobile devices, streaming boxes, unmanaged IoT hardware, and bring-your-own-device environments can all become part of proxy or botnet infrastructure if they are exposed, unpatched, or poorly controlled.

Second, IP reputation alone is not enough. Residential proxy networks deliberately exploit the trust given to consumer IP space. Security teams need behavioral detection: impossible travel, abnormal request rates, unusual device fingerprints, repeated authentication failures, suspicious session reuse, and traffic that looks human at the IP layer but automated at the application layer.
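The gap between IP-layer and application-layer signals, as an added example (not from the NCSC guidance or any vendor tool): in these constructed login events each residential IP fails only once, so a per-IP lockout sees nothing, while grouping by client fingerprint exposes the fan-out. The event layout, fingerprint labels, and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, client_fingerprint, success)
# IPs are from documentation ranges (RFC 5737); fingerprints are made-up labels.
EVENTS = (
    [(1000 + i * 7, f"198.51.100.{i + 1}", f"user{i}", "fp-headless-a1", False) for i in range(12)]
    + [(1090, "198.51.100.40", "user3", "fp-headless-a1", True)]
    + [(1005, "203.0.113.9", "alice", "fp-chrome-77", False),
       (1020, "203.0.113.9", "alice", "fp-chrome-77", True),
       (1030, "203.0.113.25", "bob", "fp-safari-12", True)]
)

PER_IP_FAILURE_LIMIT = 5   # classic per-IP lockout threshold (assumed value)
MIN_DISTINCT_IPS = 8       # fan-out one real client should never show (assumed)
MIN_DISTINCT_USERS = 8     # number of accounts one real client should never try (assumed)
WINDOW_SECONDS = 300

def per_ip_alerts(events):
    """Baseline: flag IPs whose failure count reaches the per-IP limit."""
    failures = defaultdict(int)
    for _, ip, _, _, ok in events:
        if not ok:
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= PER_IP_FAILURE_LIMIT)

def fingerprint_alerts(events):
    """Flag fingerprints seen from many IPs against many accounts in one window."""
    buckets = defaultdict(list)
    for ts, ip, user, fp, ok in events:
        buckets[(fp, ts // WINDOW_SECONDS)].append((ip, user, ok))
    alerts = []
    for (fp, window), rows in sorted(buckets.items()):
        ips = {ip for ip, _, _ in rows}
        users = {user for _, user, _ in rows}
        failed = sum(1 for _, _, ok in rows if not ok)
        if len(ips) >= MIN_DISTINCT_IPS and len(users) >= MIN_DISTINCT_USERS:
            alerts.append({
                "fingerprint": fp, "window_start": window * WINDOW_SECONDS,
                "distinct_ips": len(ips), "distinct_users": len(users),
                "failure_ratio": round(failed / len(rows), 2),
                # Successful logins inside the cluster are possible takeovers to review.
                "accounts_to_review": sorted({u for _, u, ok in rows if ok}),
            })
    return alerts

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(EVENTS))
    for alert in fingerprint_alerts(EVENTS):
        print(alert)
```
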

Third, outbound monitoring matters. Organizations often focus heavily on inbound attacks, but a compromised device inside a corporate or branch network can become a relay node. Unexpected proxy traffic, SOCKS connections, unusual tunneling behavior, unexplained bandwidth spikes, or IoT segments generating abnormal outbound traffic should trigger investigation.
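One way to check an IoT segment for relay-like outbound behaviour, as an added example that is not from the article's sources: it scores constructed one-hour flow records for a SOCKS5 client greeting (RFC 1928), a spike against the host's own baseline, and unusual peer fan-out. The flow-record layout, network ranges, baselines, and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # assumed camera/IoT VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal address space
BASELINE_BYTES_OUT = {"10.20.0.11": 40_000, "10.20.0.12": 35_000}  # constructed hourly medians
SPIKE_FACTOR = 10          # assumed: 10x the host's own baseline is worth a look
MAX_EXTERNAL_PEERS = 5     # assumed: a camera talks to a handful of vendor endpoints

# Constructed one-hour flow records: (src, dst, dst_port, bytes_out, first payload bytes)
FLOWS = (
    [("10.20.0.11", "192.0.2.10", 443, 38_000, bytes.fromhex("160301"))]
    + [("10.20.0.12", "192.0.2.50", 7000, 2_000, bytes.fromhex("050100"))]
    + [("10.20.0.12", f"198.51.100.{i}", 443, 60_000, bytes.fromhex("160301")) for i in range(1, 10)]
    + [("10.30.0.5", "192.0.2.99", 1080, 900_000, bytes.fromhex("050100"))]  # outside IoT segment
)

def is_socks5_greeting(payload):
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]

def review_iot_hosts(flows):
    """Return {host: [reasons]} for IoT-segment hosts whose external traffic needs review."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set(), "socks": set()})
    for src, dst, port, bytes_out, payload in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT or ipaddress.ip_address(dst) in INTERNAL:
            continue
        s = stats[src]
        s["bytes"] += bytes_out
        s["peers"].add(dst)
        if is_socks5_greeting(payload):      # matched on content, not on port 1080
            s["socks"].add(f"{dst}:{port}")
    findings = {}
    for host, s in sorted(stats.items()):
        reasons = []
        if s["socks"]:
            reasons.append("socks5 handshake to " + ", ".join(sorted(s["socks"])))
        baseline = BASELINE_BYTES_OUT.get(host)
        if baseline and s["bytes"] >= SPIKE_FACTOR * baseline:
            reasons.append(f"outbound bytes {s['bytes']} vs baseline {baseline}")
        if len(s["peers"]) > MAX_EXTERNAL_PEERS:
            reasons.append(f"{len(s['peers'])} distinct external peers")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in review_iot_hosts(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```
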

The Bigger Picture

Botnet takedowns have become more operationally ambitious, but the market keeps adapting. In March 2026, U.S., German, and Canadian authorities disrupted infrastructure linked to multiple botnets that infected more than 3 million internet-connected devices globally. That operation included botnets used for DDoS attacks and residential proxy activity.

The Dutch case is larger by device count and shows how quickly consumer hardware can be converted into criminal infrastructure at global scale. Cheap IoT devices, outdated routers, weak default configurations, unsupported firmware, infected Android-based devices, and deceptive free apps all feed the same ecosystem.

The result is a cybercrime supply chain where compromised homes become anonymization infrastructure, fraud tooling, spam relays, attack launchpads, and traffic-laundering nodes. The victim may never see a ransom note or stolen file. Their device simply becomes someone else’s infrastructure.

NeuraCyb's Assessment

The Dutch operation is a meaningful disruption, but it should not be mistaken for the end of the problem. Residential proxy botnets are attractive because they turn ordinary internet users into camouflage. That makes them useful for everything from credential attacks to DDoS and fraud.

The defender takeaway is direct: treat unmanaged edge and consumer-grade devices as part of the attack surface, and treat “normal-looking” residential traffic with more skepticism when behavior does not match the user. The next major botnet may not look like a botnet at first glance. It may look like millions of regular households, quietly forwarding someone else’s crime.

References

NCSC Netherlands: Joint operation by Police and NCSC takes down major botnet

NCSC Netherlands: Residential proxies and their impact on digital security

NL Times: NCSC and Dutch police disrupt global botnet controlled via Netherlands-based servers

BleepingComputer: Dutch govt disrupts malware botnet with 17 million infected devices

Help Net Security: Dutch police disrupts botnet composed of 17 million devices

Reuters: US, Germany, Canada disrupt botnets that infected millions of devices

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, and products and security solutions architecture.