Skip to main content
Emerging ThreatsMalware & Ransomware

Dutch Police Disrupt Major Botnet Linked to 17 Million Infected Devices

Dutch police officers inspect server equipment in a brightly-lit facility.

At least 17 million devices were enlisted in a single criminal botnet, Dutch authorities said — a scale that turned everyday smartphones, tablets, laptops and IoT gadgets into components of a global attack platform.

Dutch Politie and the National Cyber Security Center dismantle a massive botnet

The Dutch Politie and the National Cyber Security Center (NCSC) announced that they have dismantled a bot network that comprised at least 17 million infected devices. According to the NCSC, more than 200 servers based in the Netherlands served as the backend infrastructure for the platform. Police officials seized a subset of those servers from a hosting provider, and the provider subsequently took the botnet infrastructure offline after it had been used for criminal purposes.

Servers, hosting provider action, and what was taken offline

Authorities said the action focused on servers run by a hosting provider that supplied the platform’s backend. The NCSC statement describes a seizure of a subset of the servers; it also credits the hosting provider with taking the botnet offline after police identified criminal use. The announcement ties the operational success to those two linked steps: law enforcement seizure and the provider’s removal of infrastructure.

Asocks, PROXYLIB, and evidence of infected Android devices

The official statement stopped short of naming the botnet. Local news outlet NL Times, however, reported that the service involved was Asocks, a company that markets residential proxies. Separate research cited in the reporting traces a related line of activity: HUMAN’s Satori Threat Intelligence team identified a campaign labeled PROXYLIB in April 2024 that involved infected Android devices running proxyware from LumiApps and Asocks. Those details link the large-scale infection pattern to proxy‑style services delivered via compromised mobile devices.

How the proxy market and compromised devices intersect

Asocks’s publicly posted product information states the platform offers corporate, residential, and mobile proxies for monthly subscriptions priced between $5 and $15, with bulk discounts of 5–15% for purchases of 10 to 100 proxies. The NCSC commentary emphasizes that residential proxies can have legitimate uses — for example, accessing geographically restricted content — but that the ecosystem is “shadowy” when providers sell access to compromised devices. The NCSC summed the technical pathway plainly: “Devices can become part of a botnet when they are accessible to malicious actors. After gaining access, attackers can install malware that allows the device to be controlled remotely. This enables the device to become part of a network used for cybercriminal activities.”

What this means for security teams, procurement leaders, and everyday users

  • Security teams and technologists: Expect to hunt for indicators tied to proxyware on edge devices, especially Android endpoints; the PROXYLIB connection in April 2024 points to mobile proxy clients as a vector. Teams will need inventory and telemetry on routers and connected devices that could be enlisted as residential proxies.
  • Procurement and enterprise leaders: Offers like the Asocks pricing tiers — $5 to $15 per month and bulk discounts — underline how inexpensive and commoditized proxy access can be. Procurement reviews should probe the provenance of any proxy services used in business workflows to avoid buying access to compromised devices.
  • End users and device owners: The NCSC reiterated concrete defensive steps: keep operating systems up-to-date; maintain visibility of edge devices such as routers; use strong passwords and enable two‑factor authentication; install apps only from trusted sources; change default passwords; and secure Wi‑Fi with WPA2 or WPA3.

The takedown shows that coordinated action — seizure of infrastructure plus provider cooperation — can disrupt very large botnets. Yet the announcement also leaves a narrow, important fact visible: the NCSC did not explicitly name the botnet in its statement, while local reporting links the event to services such as Asocks and to prior technical work on PROXYLIB and proxyware from LumiApps and Asocks. That mix of law-enforcement action on servers and continuing questions about the supply and demand for residential proxies frames the next practical point of focus for defenders and regulators alike.

Original story