Dutch Police Takedown Hits 17 Million-Device Botnet Linked to Proxy Abuse
Dutch police and the Netherlands’ National Cyber Security Center disrupted a botnet spanning roughly 17 million infected devices by taking offline about 200 servers hosted in the Netherlands. Authorities said the network included compromised computers, mobile phones, IoT devices, and routers, and that the investigation began after a security researcher alerted NCSC-NL. While officials did not publicly name the botnet, reporting tied the infrastructure to Asocks, a commercial residential and mobile proxy service, and to prior research on covert proxy enrollment through the PROXYLIB library and LumiApps SDK ecosystem.
The takedown highlights growing abuse of residential proxy networks, which can mask malicious traffic behind trusted consumer IP addresses and support operations including DDoS attacks, spam, credential stuffing, brute-force attacks, click fraud, SMS pumping, phishing, online fraud, and malware delivery. The action follows broader Dutch enforcement against malicious infrastructure, including the seizure of more than 800 servers tied to THE.Hosting, a Russian-linked bulletproof hosting network associated with scanning, botnet recruitment, cryptomining, credential theft, and exploitation of exposed services; researchers said that operation had limited effect because much of the network’s routed infrastructure remained active across multiple countries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Dutch police and NCSC disrupt botnet controlling 17 million devices
Dutch National Police and the Netherlands' NCSC disrupted a botnet by taking offline 200 servers in the Netherlands that controlled roughly 17 million infected devices. The investigation began after the NCSC received a report from a security researcher, and reporting linked the infrastructure to the Asocks proxy network.
Researchers report THE.Hosting scanning continued after the Dutch seizure
Roughly a week after the May 18 action, ELLIO reported that scanning from AS209847 continued at normal daily levels despite some IP ranges being withdrawn from routing. The activity included probing for databases, industrial control system protocols, CVE-2017-17215, and WinRM.
Dutch authorities seize 800+ THE.Hosting servers and arrest two operators
On 2026-05-18, Dutch authorities seized more than 800 servers tied to THE.Hosting and arrested two people associated with the bulletproof hosting network. Researchers linked THE.Hosting to a Russian-linked infrastructure lineage previously operating as Stark Industries Solution and PQ Hosting Plus S.R.L.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Dutch authorities disrupt massive botnet of 17 million devices | brief | SC Media
scworld.com
Open sourceВласти Нидерландов отключили ботнет, заразивший 17 млн устройств - Хакер
xakep.ru
Open sourceDutch Police and NCSC dismantle 17-million-device botnet running on 200 servers seized from local hosting provider : r/netsec
reddit.com
Open sourceDutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices
thehackernews.com
Open sourceDutch police disrupts botnet composed of 17 million devices - Help Net Security
helpnetsecurity.com
Open sourceGezamenlijke actie politie en NCSC legt groot botnetwerk plat | NCSC
ncsc.nl
Open sourceDutch Raid Fails to Dent Russian Bulletproof Host
darkreading.com
Open sourceA week after Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate : r/netsec
reddit.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Lightning Takedown of SocksEscort Residential Proxy Botnet
An international law-enforcement operation dubbed **Operation Lightning** disrupted **SocksEscort**, a paid “residential proxy” service that routed criminal traffic through compromised home/small-business routers and IoT devices to provide anonymity for fraud and other cybercrime. Authorities from the US and multiple European countries (including Austria, France, and the Netherlands), supported by **Europol** and **Eurojust** and assisted by private-sector partners **Lumen’s Black Lotus Labs** and the **Shadowserver Foundation**, reported the botnet had leveraged exploited vulnerabilities in edge devices and was powered by **AVRecon** (Linux) malware. Officials said SocksEscort advertised access to roughly **369,000 IP addresses** since 2020, with Europol stating the infrastructure compromised **369,000+** routers/IoT devices across **163 countries** and offered customers tens of thousands of proxies; reporting also noted that, as of February 2026, the service listed about **8,000 infected routers**, including roughly **2,500 in the United States**. During the coordinated action, authorities **seized 34 domains and 23 servers** across **seven countries**, replaced the service’s website with a seizure notice, and the US froze approximately **$3.5 million in cryptocurrency** tied to the operation; officials also cited the service’s payment platform receiving about **$5.8 million** from customers. SocksEscort was described as enabling a wide range of downstream criminal activity—including large-scale fraud, account takeovers, identity theft, business email compromise, password spraying, and, per Europol, facilitation of **ransomware**, **DDoS**, and distribution of **CSAM**—with US reporting citing specific victim losses (including a **$1M** cryptocurrency theft and additional six-figure fraud impacts). Investigators indicated the seized infrastructure and customer data (reported as roughly **124,000 users**) will be used to pursue follow-on investigations into both operators and customers of the proxy service.
Mar 24, 2026
Authorities Disrupt Four IoT Botnets Behind 30 Tbps DDoS Attacks
U.S., Canadian, and German authorities disrupted the command-and-control infrastructure of four major IoT botnets — **Aisuru, KimWolf, JackSkid, and Mossad** — that collectively compromised more than **three million** internet-connected devices worldwide. Investigators said the botnets, built largely from vulnerable **DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers**, were used in hundreds of thousands of distributed denial-of-service attacks, including operations targeting **U.S. Department of Defense** systems, other high-value networks, and critical infrastructure. Officials said the malware networks were capable of generating traffic above **30 Tbps**, with one attack reaching roughly **31.4 Tbps**, placing them among the largest DDoS threats recorded. The operators allegedly ran the infrastructure as a **DDoS-for-hire** service and also used it for extortion, threatening victims with sustained attacks unless they paid. The U.S. action, led by the Defense Criminal Investigative Service with support from the FBI Anchorage Field Office, included seizure warrants for domains and virtual servers, while Germany’s **BKA** and Canada’s **RCMP** carried out parallel enforcement steps. Private-sector partners including **Akamai, AWS, Cloudflare, Team Cymru, and The Shadowserver Foundation** supported the disruption. Authorities said the takedown degraded the botnets’ ability to operate, but warned that the underlying risk remains because millions of infected or insecure devices are still online with weak credentials or outdated firmware.
Mar 25, 2026
FBI Dismantles 911 S5 Residential Proxy Botnet and Arrests Alleged Operator
U.S. authorities disrupted the **911 S5** residential proxy service, a botnet-backed platform that allegedly compromised millions of Windows devices and sold their IP addresses as proxies to cybercriminals. The FBI and international partners seized infrastructure tied to the service, while prosecutors charged and arrested the alleged administrator, identified as Chinese national YunHe Wang. According to investigators, the service enabled fraud, bomb threats, child exploitation, harassment, and large-scale financial crime by letting users route malicious traffic through unsuspecting victims’ home internet connections. The FBI’s IC3 warned that infected devices were commonly enrolled through VPN or pirated software bundles and urged users to scan for malware, remove suspicious applications, and reinstall operating systems if needed. The operation follows a broader U.S. strategy of court-authorized botnet disruption previously used against state-linked infrastructure, including the 2018 takedown of the **APT28** router botnet, underscoring continued law-enforcement use of technical and legal measures to seize command infrastructure and cut off criminal proxy networks.
May 25, 2026