Back to news
Cybersecurity Alert
June 22, 2026 by EmailMeNow IT Consulting

Dutch Authorities Dismantle 17-Million-Device Botnet Hosted in the Netherlands

Dutch Police and NCSC-NL seized 200 servers controlling a residential-proxy botnet of at least 17 million devices on May 28, 2026. Media link the infrastructure to ASOCKS. ncsc.nl audits at 82%.

Source: NCSC-NL / NL Times

BotnetNetherlandsResidential ProxyMalwareCybersecurity
Dutch police and NCSC dismantle 17 million device botnet

Video explainer

Dutch Police, in collaboration with the National Cyber Security Centre of the Netherlands (NCSC-NL), announced on May 28, 2026 that they had taken down infrastructure for a large botnet controlling at least 17 million devices worldwide. Authorities seized 200 servers at a Netherlands hosting provider and directed the provider to take the network offline for criminal use.

Read NCSC-NL:
https://www.ncsc.nl/

What Authorities Found

Following a report from a security researcher, investigators discovered servers in the Netherlands routing command-and-control traffic for a global botnet built from consumer devices — computers, routers, tablets, smartphones, and IoT cameras — without owners’ knowledge.

The NCSC links the operation to risks from residential proxy networks: traffic routed through home IP addresses is harder for defenders to block than data-center IPs, making fraud, credential stuffing, and phishing campaigns more effective.

Dutch authorities did not name the service in the official press release. NL Times, BleepingComputer, and Ars Technica reported the botnet was linked to ASOCKS, a commercial residential-proxy provider — a connection not independently confirmed in the government announcement.

Broader Context

This takedown follows:

  • FIOD seizures tied to a sanctioned Russian web-hosting company (separate May 2026 action)
  • Prior research tying proxy malware (Proxylib) to ASOCKS marketing endpoints and Google Play apps that enrolled devices without clear consent
  • NCSC-NL guidance on voluntary vs. covert residential proxy programs

Even after server seizures, reporting suggests the commercial ASOCKS website remained reachable days later — takedowns disrupt infrastructure but rarely eliminate operators immediately.

Why U.S. and Texas Defenders Should Care

Residential proxies power:

  • Credential stuffing against law-firm and bank login portals
  • Phishing campaigns that appear to originate from legitimate home ISPs
  • Scraping and fraud targeting e-commerce and ticketing sites
  • Follow-on malware delivery obscured by “clean” IP reputation

Texas hospitality, retail, and professional services firms that rely on IP blocklists and geo-fencing should assume a share of “residential” traffic is compromised IoT and mobile devices — not real customers.

Protect Home and Business Devices

  1. Remove sideloaded apps and revoke unknown browser extensions.
  2. Update router firmware; change default admin passwords.
  3. Segment IoT cameras and smart TVs from business VLANs.
  4. Monitor outbound proxy traffic on corporate networks.
  5. Review NCSC-NL residential proxy guidance when evaluating threat-intel feeds.

Independent Cybersecurity Audit

We audited ncsc.nl on June 22, 2026 as the issuing authority’s public domain:

Organization (Domain)OverallRisk Level
NCSC-NL (ncsc.nl)82%Good

Audit link: ncsc.nl audit


Protect your organization.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for network segmentation and IoT hardening reviews.


Sources: NCSC-NL · NL Times — botnet takedown · Ars Technica · EmailMeNow audit — ncsc.nl