Large proxy-linked botnet taken offline in the Netherlands

Authorities in the Netherlands say they have dismantled a botnet comprising more than 17 million devices and managed by 200 servers, making it one of the more striking infrastructure takedowns reported this year. The operation involved Dutch police, the National Cyber Security Center, and a hosting provider that took the network offline after investigators concluded it was being used for criminal purposes.

The scale alone makes the action notable. A botnet of this size can provide a powerful foundation for cybercrime, whether through anonymized traffic routing, denial-of-service operations, phishing support, or large-scale abuse of online services. In this case, reporting tied the network to residential proxy activity, a sector that can blur the line between seemingly ordinary consumer traffic and malicious operations.

Why residential proxy abuse is so difficult to counter

Residential proxy services route internet traffic through third-party devices, making that traffic appear to come from ordinary home or mobile connections. That makes detection harder than it is with data-center infrastructure, because the traffic can resemble normal user behavior rather than obviously automated activity.

Authorities and security researchers have warned for years that residential proxies can be used for both legitimate and abusive purposes. The more troubling cases involve devices enrolled without meaningful user consent or through compromise, creating a pool of endpoints that can mask cybercrime behind trusted-looking IP addresses.

That appears to be part of the concern in the Dutch case. The National Cyber Security Center warned separately that residential proxies can make mitigation much harder because attacks can be launched through local-looking traffic patterns that are difficult to distinguish from ordinary use.

How the takedown unfolded

According to the reporting, the action began after a security researcher reported the network to authorities. Police then seized botnet servers at a hosting provider for investigation, and the provider took the botnet offline. That sequence highlights how modern cyber-enforcement increasingly depends on cooperation between independent researchers, state agencies, and infrastructure companies.

The host infrastructure was located in the Netherlands, which gave local authorities a concrete operational lever. In many global botnet cases, law enforcement may understand the threat but lack jurisdiction over the command infrastructure. Here, at least part of the network’s critical control layer was accessible enough to disrupt directly.

Links to a broader proxy ecosystem

Reporting connected the botnet to ASOCKS, a Russia-based company known for residential proxy services, though Ars Technica noted that it could not independently confirm that link. That distinction matters. The operational tie may be plausible and consistent with prior security research, but the reporting presents it as a reported connection rather than an independently verified fact.

What is clearer is the larger pattern. In 2024, security firm Human linked a botnet called Proxylib to the same proxy network and said mobile apps in Google Play had enrolled as many as 190,000 devices without user approval. That history suggests a recurring problem in which proxy infrastructure can draw capacity from vast pools of devices whose owners may not fully understand what their systems are being used for.

Why this matters now

Beyond the headline number, the takedown is a reminder that cybercrime infrastructure has become deeply embedded in everyday connectivity. A botnet spanning millions of devices is no longer only a matter of infected servers in obscure data centers. It can involve consumer phones, home connections, and software ecosystems that look ordinary on the surface.

For defenders, that means monitoring has to account for trusted-looking traffic. For app stores and software platforms, it reinforces the need to scrutinize applications that could quietly conscript devices into proxy or botnet activity. And for policymakers, it shows why residential proxy abuse is becoming a larger strategic cybersecurity issue rather than a niche technical problem.

  • Dutch authorities say they dismantled a botnet involving more than 17 million devices and 200 servers.
  • The network was reportedly linked to residential proxy activity, which can mask cybercrime behind normal-looking traffic.
  • The case began with a researcher report and relied on cooperation between investigators and a hosting provider.

This article is based on reporting by Ars Technica.

Originally published on arstechnica.com