"The investigation revealed that the botnet consisted of at least 17 million infected devices and that the 200 servers used to host the infrastructure were located in the Netherlands," the National Cyber Security Centre (NCSC) said.
How authorities disrupted the network
Dutch authorities—working in collaboration between the Police and the National Cyber Security Centre (NCSC)—took a large-scale botnet offline and seized more than 200 servers hosted at a local provider. The police specifically seized several botnet servers from a hosting provider for investigation purposes, and the hosting provider itself took the botnet offline because it was being used for criminal activities, the NCSC said.
What the takedown says about the botnet’s scale and capability
According to the NCSC, the compromised infrastructure controlled computers, tablets, and smartphones to carry out cyberattacks. The agency reported a minimum of 17 million infected devices in the botnet and located the approximately 200 supporting servers in the Netherlands. The notice reiterates common criminal uses of botnets: distributed denial-of-service (DDoS) attacks, malicious traffic proxying, and cryptocurrency mining.
The reported Asocks link and service details
Although authorities did not name the botnet in their statement, local media reported a connection to a service called Asocks. That service advertises itself as a "universal proxy service" and, according to the reporting cited by BleepingComputer, claims a pool of 7 million IP addresses across 150 locations and roughly 100,000 clients.
- Asocks’ advertised offerings include corporate, residential, and mobile proxies with monthly subscriptions listed between $5 and $15, and discounted pricing for bulk purchases.
- BleepingComputer contacted Asocks for comment on the allegations but had not received a response by publication time.
Device-owner protections the NCSC highlighted
The NCSC advised measures aimed at protecting networking devices from botnet infection: ensure default credentials are changed to something unique and strong, apply the latest firmware updates, and disable remote administration panels when they are not needed. The NCSC’s characterization of the operation suggests that owners of the devices used as part of the botnet did not knowingly participate in supporting cybercrime operations.
How technologists, hosting providers, and end users are affected
- Technologists and security teams: The incident underscores that large pools of compromised endpoints can be marshalled for attacks and for proxying traffic. Teams will need to validate whether endpoints in their networks exhibit signs of compromise and whether internal controls detect proxying or anomalous outbound connections tied to third-party proxy services.
- Hosting providers and platform operators: The hosting provider involved removed the malicious infrastructure after police action and seizure. Providers will be watching abuse reports closely and may need to act quickly to take down hosted infrastructure used for criminal activity and to cooperate with investigations.
- End users and device owners: The NCSC’s advice is aimed squarely at device owners—change default credentials, keep firmware up to date, and disable remote administration panels when not required—to reduce the risk of being conscripted into botnets that can be rented or sold as proxy services.
The Netherlands’ coordinated action removed a very large active botnet and placed supporting servers in police hands; the public record released by the NCSC leaves open practical follow-ups such as how affected device owners will be notified and what remediation steps will be taken at scale. BleepingComputer’s outreach to the named service had produced no reply by publication time, and investigators will be left to trace the customers and traffic flows that used the seized infrastructure.




