Dutch Authorities Take Down 17-Million-Device Proxy Botnet Tied to Russian Service

Authorities in the Netherlands moved swiftly this week against one of the largest collections of compromised machines uncovered in recent years. The joint effort by Dutch police and the National Cyber Security Centre dismantled infrastructure that controlled more than 17 million infected devices worldwide. Those devices fed a residential proxy network used for criminal activity.

The operation targeted 200 servers hosted inside the country. Police seized the hardware from a commercial provider. The provider then pulled the plug after confirming the servers supported illegal operations. No arrests have been announced. The focus stayed on the technical takedown.

A security researcher first spotted the sprawling network and reported it to the NCSC. That tip triggered the investigation. Officials quickly traced command-and-control resources back to Dutch soil. The scale stunned even seasoned investigators. Routers. Smartphones. Tablets. Internet-connected cameras. Ordinary consumer gear pressed into service without owners realizing.

The Scale and Mechanics of a Modern Proxy Botnet

These machines formed the backbone of Asocks, a Russia-based provider of residential proxies. Customers pay to route traffic through real consumer IP addresses. The setup masks origins. It makes malicious behavior look like ordinary Dutch household traffic. Attackers love it. Defenders hate it.

According to Ars Technica, the botnet enabled DDoS assaults, phishing campaigns, credential stuffing, and large-scale web scraping. It also supported other botnet command servers and fraud schemes. Residential proxies complicate mitigation. Traffic arrives from trusted networks rather than obvious data centers. Detection becomes far harder.

The NCSC had warned about this exact threat just a day earlier. Its post on residential proxies highlighted their growing role in Dutch digital security problems. Proxies let attackers bypass geographic blocks and appear local. A foreign threat suddenly carries a familiar IP. The timing of the two announcements was no coincidence.

But this wasn’t the first time Asocks drew scrutiny. In 2024, security firm Human Security linked a botnet called Proxylib directly to the service. Infected devices appeared in Asocks proxy lists. Requests to the company’s domain exited through test machines enrolled without clear consent. Twenty-eight Android apps on Google Play had quietly pulled in as many as 190,000 devices. The pattern looks familiar. Scale it up dramatically and you reach 17 million. Cybernews detailed the same proxy botnet’s role in phishing and credential attacks.

Infection methods vary. Some devices fall to unpatched vulnerabilities. Others get tricked through shady apps that bury proxy behavior in fine print or omit it entirely. A few users install proxyware deliberately for small payments, unaware of downstream criminal use. The result stays the same. Millions of endpoints become unwitting participants in a for-profit anonymity business.

Yet the Dutch action stands out for its speed and focus. Servers sat physically in the Netherlands. That gave local authorities clear jurisdiction. The Hague cybercrime unit moved in, seized equipment, and let the hosting provider finish the job. Clean. Efficient. And a reminder that infrastructure location still matters even in a borderless threat environment.

Compare this success to earlier 2026 operations. U.S., German, and Canadian forces dismantled four IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that were responsible for record DDoS volumes and comprised more than 3 million compromised devices. Those actions targeted attack platforms directly. The Dutch effort instead hit the proxy layer that often hides such attacks. Different vectors. Shared problem. Krebs on Security covered the earlier multinational strikes in detail.

Residential proxy networks have exploded in popularity among cybercriminals. They offer plausible deniability. They scale easily. And they turn everyday consumer neglect into enterprise-grade infrastructure. The opaque market doesn’t help. Many proxy sellers claim they vet customers. Evidence suggests otherwise. Previous disruptions of services like 5socks, Anyproxy, and SocksEscort showed the same pattern. Take one down. Others emerge.

So what does this latest takedown actually achieve? It disrupts one major node in a larger underground economy. The 17 million devices won’t vanish overnight. Many owners remain unaware their gear participated. Without clear notification mechanisms, compromised routers and cameras may stay vulnerable. The proxy service itself could reconstitute elsewhere. Yet the seizure sends a signal. Hosting providers face liability when criminal activity becomes obvious. Law enforcement will follow the servers.

Device makers share blame too. Default passwords. Unpatched firmware. No automatic updates. These create the raw material for botnets. IoT cameras and cheap routers remain favorite targets precisely because owners treat them as set-and-forget appliances. The NCSC urged stronger habits. Update operating systems and apps promptly. Use unique strong passwords with two-factor authentication. Download only from trusted sources. Install reputable antivirus and monitor network connections. Change router defaults immediately.

Simple steps. Often ignored. The gap between advice and behavior explains why botnets of this size persist. One researcher report triggered this action. How many similar networks operate undetected? The question lingers.

Industry watchers note the proxy botnet’s ties to Russia-based operators. Asocks did not respond to questions from reporters. Its business model relies on volume and discretion. Customers seeking anonymity for legitimate reasons share infrastructure with those launching attacks. The lines blur. Enforcement becomes messy.

But the Dutch operation proves progress is possible. Collaboration between a national cyber center and local police worked. A researcher tip proved valuable. A hosting provider cooperated once presented with evidence. These elements must combine more often if the internet of things is to become less of a liability.

The 17 million figure commands attention. It dwarfs many previous consumer-device botnets. It underscores how proxy services have matured into sophisticated criminal enterprises. And it highlights the persistent weakness in consumer cybersecurity. Devices ship vulnerable. Users stay unaware. Criminals profit.

Expect more actions like this one. Law enforcement agencies increasingly target the infrastructure layer rather than chasing individual operators. Servers first. Then the harder task of cleaning up millions of endpoints. The latter may prove the bigger challenge. But every server seized is one less tool in the proxy arsenal.

Owners of home networks should act now. Log into that router. Update the firmware. Change the password. Audit connected devices. The botnet may be dismantled. The conditions that created it remain. Vigilance matters more than ever.
