Skip to main content
Emerging Threats

Dutch Police Apprehends Suspect in Ajax Football Club Hack

Dutch police officer stands outside residential home with hint of computer in background.

"On the morning of Tuesday, May 26, the police arrested a 35‑year‑old man from the municipality of Buren for computer trespassing at the Amsterdam football club Ajax. The man is suspected of deliberately unlawful intrusion into Ajax's computer systems several times," the police said.

The arrest in Buren and the police narrative

The Dutch National Police confirmed the May 26 arrest of a 35‑year‑old man in Buren, saying he is suspected of repeatedly breaking into AFC Ajax's computer systems. According to the press release, the arrest followed a criminal investigation launched after the club informed police that someone had "granted himself access to the football club's computer systems" in early 2026.

What the attacker reportedly did and Ajax's public disclosure

AFC Ajax disclosed the incident in late March, saying an attacker had exploited vulnerabilities in its IT systems to access data belonging to a few hundred individuals. The club told authorities and took technical measures: it has since patched the vulnerabilities that were exploited and notified the Dutch Data Protection Authority as well as the police, the source reports.

How the vulnerability translated into practical effects on tickets and bans

The intrusion did more than view data: the vulnerability reportedly allowed altering stadium bans and moving tickets between accounts. The police statement and reporting together describe a spectrum of impacts. In one account the flaw permitted modifying stadium bans imposed on fewer than 20 individuals and transferring purchased tickets to others. An RTL report cited in the coverage expanded that picture, saying the same security weakness — via APIs and shared keys — enabled broad access to fan data and demonstrated rapid reassignment of a VIP season ticket.

RTL's account further asserted that the attacker demonstrated they could manipulate 538 supporter stadium bans, 42,000 season tickets, and view details on more than 300,000 accounts. Those figures, as reported, show the potential scale the security flaw exposed within Ajax's systems before the vulnerability was patched.

The criminal case and the investigative sequence

According to police, once notified by Ajax the criminal investigation department opened an inquiry in which the suspect "came into the picture." The May 26 arrest is presented as a development in that ongoing investigation; the police characterized the alleged activity as "deliberately unlawful intrusion" occurring multiple times. The source does not list charges filed at the time of the announcement or further procedural steps beyond the arrest.

Related Dutch cyber enforcement actions

The coverage situates the Ajax arrest amid other recent Dutch cyber enforcement moves. In September 2025, the Dutch National Police arrested two teenage boys suspected of spying for Russia using a Wi‑Fi sniffer device near the Europol and Eurojust offices and the Canadian embassy. More recently, financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company alleged to have enabled cyberattacks, interference operations, and disinformation campaigns. Those separate operations were reported alongside the Ajax story, reflecting multiple active investigations into cyber incidents and related infrastructure.

What this means for technologists, regulators, and Ajax fans

  • Technologists and security teams: The reporting highlights a class of failures tied to exposed APIs and shared keys. The article quotes a broader industry note that "Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold." That observation underscores a narrow test scope and suggests the need to validate detection and configuration controls in addition to attack paths.
  • Regulators and law enforcement: Ajax notified the Dutch Data Protection Authority and the police; the criminal investigation department opened an inquiry and effected an arrest. Those steps indicate regulatory notification and criminal investigation channels were activated and remain the mechanism for response and oversight in this case.
  • Ajax fans and ticket holders: Reported impacts included the potential for ticket transfers and altered stadium bans. The club's patching and notifications aim to limit further unauthorized access, but RTL's reported figures — including potential access to hundreds of thousands of account records and thousands of season tickets — flag why supporters should expect follow‑up communication from the club or authorities about whether their individual data or entitlements were affected.

The arrest on May 26 is a concrete development in an investigation that began after Ajax disclosed intrusions in early 2026 and patched the exploited flaws. Police and the club have acted; the criminal investigation remains ongoing, and regulators were notified. The public record compiled in the reporting documents both a localized technical failure and a broader pattern of Dutch cyber enforcement activity in recent months.

Original story