Dutch Takedown of 17-Million-Device Botnet Exposes Scale of Residential Proxy Networks

Dutch police and the NCSC dismantled a botnet of over 17 million devices controlled by 200 Netherlands-based servers and linked to the Asocks residential proxy service. The operation followed a researcher tip and disrupted infrastructure used for cyberattacks, spam and fraud. Owners of compromised routers, phones and IoT gear remain at risk without updates. The case reveals the persistent scale of proxy-driven botnets.
Dutch Takedown of 17-Million-Device Botnet Exposes Scale of Residential Proxy Networks
Written by John Marshall

Authorities in the Netherlands have dismantled one of the largest botnets on record. The network spanned more than 17 million infected devices worldwide. It relied on 200 servers hosted inside the country to direct traffic and commands. The joint effort by Dutch police and the National Cyber Security Center ended abruptly after a security researcher flagged the operation. The provider pulled the plug once investigators showed the infrastructure served criminal ends.

Details emerged last week in an official announcement from the NCSC. The investigation traced the botnet to a Russia-based residential proxy service called Asocks. These proxies route internet traffic through ordinary consumer devices. They promise anonymity. Yet they often mask attacks that appear to originate from legitimate users. The NCSC had warned about this exact threat only a day earlier in a separate post on residential proxies and their impact on Dutch digital security.

Devices caught in the net included computers, tablets, smartphones, routers and smart-home products. Many owners never noticed. “Devices can become part of a botnet when they are accessible to malicious actors,” the NCSC stated. “After gaining access, attackers can install malware that allows the device to be controlled remotely. This enables the device to become part of a network used for cybercriminal activities.” The quote, drawn directly from the official release, underscores how quietly these infections spread.

But. The operation didn’t start with a raid. A researcher spotted the sprawling network first and reported it. Police seized several servers from a local hosting provider for forensic review. The provider then took the entire set offline. That swift action disrupted command flows and cut off the botnet’s operators. The move ranks among the more significant malware disruptions in recent memory given the sheer number of endpoints involved.

Links to Asocks surfaced quickly. Ars Technica reported the proxy service’s role and noted that questions sent to Asocks went unanswered. The company sells residential, mobile and corporate proxies for monthly fees between $5 and $15, with discounts for bulk purchases. Buyers gain access to real IP addresses that make scraping, fraud or distributed denial-of-service campaigns harder to block. And the traffic looks normal. It blends with everyday browsing from homes and offices.

Security firm HUMAN raised similar alarms in 2024. Its researchers connected a botnet called Proxylib to the same Asocks infrastructure. Evidence included infected IP addresses and port numbers appearing in Asocks proxy lists. Test requests to asocks.com also routed through compromised devices. At the time, 28 Android apps on Google Play had quietly enrolled as many as 190,000 devices into the network. Users rarely consented. Some apps buried the proxy behavior in fine print. Others omitted it entirely.

Exactly how the current botnet reached 17 million infections remains unclear. Vulnerabilities in routers and IoT gear offer one path. Malicious or poorly vetted apps provide another. Owners of outdated devices make easy targets. The NCSC advised immediate patching, strong unique passwords, two-factor authentication and caution with app downloads. It urged visibility into all edge devices on home networks. Change default router passwords. Use antivirus tools. Check connected gadgets regularly. Simple steps. Yet many skip them.

Recent coverage adds context to the scale. The Hacker News highlighted how the botnet enslaved computers, smartphones, tablets and IoT hardware to power attacks, spam and fraud. It stressed that residential proxies create a shadowy market where criminals buy access to someone else’s bandwidth and identity. Security Affairs echoed the tie to Asocks and noted the 2024 HUMAN findings on Proxylib. Both outlets drew from the same NCSC release and NL Times reporting.

TechRadar published an updated account on June 1 noting the 17-million-device count and the seizure of supporting servers. It reminded readers that devices join these networks without consent through malware. The article reinforced the NCSC’s call for basic hygiene. No new technical indicators appeared. Still, the volume of follow-on stories shows how the takedown resonated across the security community.

Residential proxies sit at the center of this story. They serve legitimate needs for researchers, marketers and travelers who must appear to browse from specific countries. But the ecosystem tilts toward abuse. Attackers route phishing pages, credential-stuffing attempts or scraping bots through thousands of residential IPs simultaneously. Defenders struggle to distinguish real users from rented ones. The Dutch action targeted the command layer inside the Netherlands. It did not reach every infected device. Many endpoints likely remain compromised until their owners update or replace them.

The operation highlights a persistent asymmetry. Operators build botnets at low cost by exploiting weak consumer gear. Law enforcement must coordinate across borders, providers and researchers to dismantle them. Success here came because the control servers sat in one jurisdiction and a tip arrived promptly. Other networks hide command infrastructure in multiple countries or use peer-to-peer designs that resist single-point takedowns.

So the 17-million-device figure startles. It dwarfs many headline-grabbing operations of the past decade. Yet the NCSC described it as one network among many. Weakly secured routers, cameras and phones continue to join similar armies. The expert blog linked from the announcement explains how residential proxies amplify attacks against Dutch organizations by making malicious traffic appear domestic.

Industry observers expect more such actions. Collaboration between researchers, national cyber centers and hosting providers proved decisive. The provider’s willingness to act once presented with evidence shortened the operation. In other cases, legal hurdles or offshore hosting stretch timelines for months. Here, speed mattered. Traffic that once flowed through those 200 servers now hits dead ends.

Owners of infected devices face little direct fallout beyond possible bandwidth drain or unexpected battery use. The real risk sits upstream. Criminals lose a major proxy resource. That loss may raise prices elsewhere or push operators toward fresh infections. For security teams, the episode serves as another data point on the volume of compromised consumer hardware available for rent. It also validates the NCSC’s focus on visibility and patching.

One security researcher set events in motion. Police and the NCSC followed through. A hosting provider flipped the switch. The botnet went dark. The sequence looks clean on paper. Reality involves months of monitoring, legal process and technical analysis before any server changed hands. The public sees only the announcement. Insiders recognize the coordination required to map 17 million endpoints back to 200 control nodes.

Questions linger. Who operated Asocks? Did they know the full extent of the malware behind their proxy pool? The lack of response to media inquiries suggests silence remains the default. Similar services have faced scrutiny before. Few shut down permanently. New ones appear. The market demand stays high.

For technology leaders and risk officers, the lesson repeats an old theme. Consumer devices form the backbone of many enterprise threats. A smart thermostat or unpatched router on a remote employee’s network can become an entry point or a proxy node. The Dutch case shows that large-scale compromise can persist for years until someone notices the traffic patterns or receives a tip. Detection at internet scale remains difficult. Response depends on jurisdiction, evidence and provider cooperation.

The takedown won’t eradicate residential proxy abuse. It does remove a significant slice of capacity. And it sends a signal. Hosting providers inside regulated markets face pressure to act when shown clear criminal use. Researchers who report findings can trigger real disruption. Users who follow basic security practices reduce the pool of available devices. Small moves compound.

Seventeen million. The number still echoes. It represents laptops left unpatched, phones with sideloaded apps, routers shipped with factory passwords. Each became a silent participant in someone else’s operation. The Dutch authorities turned the lights off on the command side. The devices themselves await their owners’ attention. That attention, applied at scale, would matter more than any single server seizure.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us