Dutch Police, in collaboration with the National Cyber Security Centre of the Netherlands (NCSC-NL), announced on May 28, 2026 that they had taken down infrastructure for a large botnet controlling at least 17 million devices worldwide. Authorities seized 200 servers at a Netherlands hosting provider and directed the provider to take the network offline for criminal use.
Read NCSC-NL:
https://www.ncsc.nl/
What Authorities Found
Following a report from a security researcher, investigators discovered servers in the Netherlands routing command-and-control traffic for a global botnet built from consumer devices — computers, routers, tablets, smartphones, and IoT cameras — without owners’ knowledge.
The NCSC links the operation to risks from residential proxy networks: traffic routed through home IP addresses is harder for defenders to block than data-center IPs, making fraud, credential stuffing, and phishing campaigns more effective.
Dutch authorities did not name the service in the official press release. NL Times, BleepingComputer, and Ars Technica reported the botnet was linked to ASOCKS, a commercial residential-proxy provider — a connection not independently confirmed in the government announcement.
Broader Context
This takedown follows:
- FIOD seizures tied to a sanctioned Russian web-hosting company (separate May 2026 action)
- Prior research tying proxy malware (Proxylib) to ASOCKS marketing endpoints and Google Play apps that enrolled devices without clear consent
- NCSC-NL guidance on voluntary vs. covert residential proxy programs
Even after server seizures, reporting suggests the commercial ASOCKS website remained reachable days later — takedowns disrupt infrastructure but rarely eliminate operators immediately.
Why U.S. and Texas Defenders Should Care
Residential proxies power:
- Credential stuffing against law-firm and bank login portals
- Phishing campaigns that appear to originate from legitimate home ISPs
- Scraping and fraud targeting e-commerce and ticketing sites
- Follow-on malware delivery obscured by “clean” IP reputation
Texas hospitality, retail, and professional services firms that rely on IP blocklists and geo-fencing should assume a share of “residential” traffic is compromised IoT and mobile devices — not real customers.
Protect Home and Business Devices
- Remove sideloaded apps and revoke unknown browser extensions.
- Update router firmware; change default admin passwords.
- Segment IoT cameras and smart TVs from business VLANs.
- Monitor outbound proxy traffic on corporate networks.
- Review NCSC-NL residential proxy guidance when evaluating threat-intel feeds.
Independent Cybersecurity Audit
We audited ncsc.nl on June 22, 2026 as the issuing authority’s public domain:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| NCSC-NL (ncsc.nl) | 82% | Good |
Audit link: ncsc.nl audit
Related trackers
- NCSC Fortinet VPN alert
- Ransomware threat landscape
- FBI IC3 alerts
- World Cup streaming scams
- Monitoring guide
- All trackers
Protect your organization.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for network segmentation and IoT hardening reviews.
Sources: NCSC-NL · NL Times — botnet takedown · Ars Technica · EmailMeNow audit — ncsc.nl