How Dutch Authorities Took Down a 17 Million-Device Botnet

CyberSecureFox Editorial Team

The Dutch Police, together with the National Cyber Security Centre (NCSC), announced the dismantling of one of the largest botnets in recent years — the network included at least 17 million infected devices, including computers, tablets, smartphones, and IoT equipment. The command-and-control infrastructure was hosted on more than 200 servers in the Netherlands. Owners of any internet-connected devices should check whether their firmware and passwords are up to date — the scale of the infection indicates that compromised devices may be located in any country in the world.

Operation details

According to the official NCSC statement, law enforcement agencies seized some of the servers from a hosting provider that supplied infrastructure for the botnet. The provider then disconnected the remaining part of the network on its own initiative, confirming that it had been used for criminal purposes.

The official NCSC statement does not name the botnet. However, according to reporting by NL Times, it is presumed to be the Asocks service — a platform offering residential proxies. It should be emphasized that this attribution is based on journalistic investigation rather than official confirmation by the Dutch authorities.

Residential proxies as a cybercrime tool

The dismantled botnet operated on a model that is becoming increasingly common: infected consumer devices were turned into nodes of a proxy network through which attackers routed malicious traffic. As researchers from Sekoia note, residential proxies in themselves have legitimate uses — from privacy protection to accessing geographically restricted resources. However, the shadow side of this ecosystem is built on selling access to compromised devices belonging to ordinary users.

The infection mechanism described by the NCSC is typical for such operations: attackers gain access to a device and install malware for remote control; the device is then added to the network and used for criminal activity, from DDoS attacks to masking the origin of malicious traffic. The device owner, as a rule, is unaware of the compromise.

The NCSC has also published an expert article on the impact of residential proxies on digital security in the Netherlands, which indicates that the authorities are taking a systemic approach to this problem.

Scale and impact assessment

The figure of 17 million infected devices puts this botnet on a par with the largest known networks. For comparison: at its peak, the Emotet botnet controlled about 1.6 million devices, and 911 S5, which was dismantled in 2024, about 19 million. The wide range of device types — from smartphones to IoT equipment — points to the use of multiple infection vectors.

Of particular concern is the inclusion of IoT devices in the botnet. Routers, surveillance cameras, and other network equipment often operate with factory-default passwords and outdated firmware, making them ideal targets for mass infection. At the same time, the owners of such devices rarely check them for signs of compromise.

Protection recommendations

The NCSC has published a specific set of measures to reduce the risk of devices being incorporated into botnets:

  • Operating system updates — keep OS versions up to date on all devices, including mobile ones
  • Monitoring edge devices — ensure visibility and monitoring of routers, access points, and other networking equipment
  • Changing default passwords — replace factory credentials on all devices, especially on IoT equipment
  • Strong passwords and two-factor authentication — use complex, unique passwords and enable 2FA wherever possible
  • Installing applications from trusted sources — download software only from official stores and repositories
  • Wi-Fi protection — use WPA2 or WPA3 encryption for wireless networks
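
One way to act on the "monitoring edge devices" recommendation, as an added example that is not code from the NCSC or from this article: a heuristic over router flow records that flags internal devices behaving like proxy relays. The record format, the thresholds, the sample addresses, and the assumption that a relay shows one persistent channel plus wide destination fan-out are all constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune them against your own baseline.
MAX_DESTINATIONS = 30            # distinct remote hosts per device per day
LONG_LIVED_SECONDS = 6 * 3600    # a connection held open this long counts as persistent

def sample_flows():
    """Constructed one-day flow records (not real data), RFC 5737 addresses.
    Each record: (internal_device, remote_ip, remote_port, duration_s, bytes_sent)."""
    # IP camera: one persistent channel plus many short connections to unrelated hosts
    flows = [("192.168.1.50", "203.0.113.10", 8443, 86000, 120_000)]
    flows += [("192.168.1.50", f"198.51.100.{i}", 443, 12, 40_000) for i in range(1, 61)]
    # Laptop: ordinary browsing, several destinations, no persistent channel
    flows += [("192.168.1.20", f"192.0.2.{i}", 443, 30, 5_000) for i in range(1, 16)]
    # Smart plug: persistent channel to a single vendor host, no fan-out
    flows += [("192.168.1.60", "192.0.2.200", 443, 86000, 2_000)]
    return flows

def summarize(flows):
    """Aggregate per-device destinations, persistent peers and bytes sent."""
    stats = defaultdict(lambda: {"destinations": set(), "long_lived": set(), "bytes_sent": 0})
    for device, remote, _port, duration, sent in flows:
        entry = stats[device]
        entry["destinations"].add(remote)
        entry["bytes_sent"] += sent
        if duration >= LONG_LIVED_SECONDS:
            entry["long_lived"].add(remote)
    return stats

def suspected_relays(flows):
    """Return devices that combine a persistent channel with wide destination fan-out."""
    findings = {}
    for device, entry in summarize(flows).items():
        fan_out = len(entry["destinations"])
        # Either signal alone is common (browsing, vendor cloud); together they merit review.
        if fan_out > MAX_DESTINATIONS and entry["long_lived"]:
            findings[device] = {
                "fan_out": fan_out,
                "persistent_peers": sorted(entry["long_lived"]),
                "bytes_sent": entry["bytes_sent"],
            }
    return findings

if __name__ == "__main__":
    for device, info in suspected_relays(sample_flows()).items():
        print(device, info)
```

A flagged device is a candidate for inspection, firmware update and credential reset, not proof of compromise.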

The dismantling of a botnet comprising 17 million devices is a significant achievement, but it also illustrates the scale of the problem: millions of devices worldwide remain vulnerable to being incorporated into similar networks. A priority action for organizations and home users is to audit all network-connected devices, update the firmware of routers and IoT equipment, and ensure that no device is operating with factory-default credentials.

