Cyber News & CTI Reports :: 2026-05-29 | Dutch govt disrupts malware botnet with 17 million infected devices

2026-05-29 | Dutch govt disrupts malware botnet with 17 million infected devices

1. AI Summary

Dutch police and the National Cyber Security Centre dismantled a botnet of 17 million compromised devices and seized over 200 servers used to host its command infrastructure. The botnet, linked to the proxy service Asocks, powered DDoS, proxy traffic and cryptocurrency mining attacks. Authorities emphasized changing default credentials, applying firmware updates and disabling remote admin panels to protect devices.

2. IOCs

IOC Type Value Description Relevant MITRE ATT&CK Techniques

3. MITRE ATT&CK

Code Title
T1071 Application Layer Protocol – used for C2 communications via proxy
T1589 Proxy – Asocks service used to route malicious traffic
T1496 Resource Hijacking – cryptocurrency mining on compromised devices
T1489 Inhibit System Recovery – enables denial‑of‑service attacks

4. Targets

Type Value
Country Netherlands
Sector consumer electronics

5. Article Details

6. Original text

Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. The action was carried out following an investigation from the Police in collaboration with the country's cybersecurity agency, the National Cyber Security Centre (NCSC). According to the authorities, the seized servers controlled "computers, tablets, and smartphones to carry out cyberattacks."

Botnets are networks of compromised devices used for illegal activities such as distributed denial-of-service (DDoS) attacks, malicious traffic proxying, or cryptocurrency mining.

“The investigation revealed that the botnet consisted of at least 17 million infected devices and that the 200 servers used to host the infrastructure were located in the Netherlands,” the NCSC said. “The police subsequently seized several botnet servers from a hosting provider for investigation purposes. The hosting provider took the botnet offline because it was being used for criminal activities.”

Although the authorities did not name the botnet, local media reported that it was linked to a service called Asocks, which advertises itself as a “universal proxy service” with 7 million IP addresses, 150 locations, and 100,000 clients. The platform offers corporate, residential, and mobile proxies for monthly subscriptions between $5 and $15, with discounts for bulk purchases.

Although such services often comprise IPs that voluntarily donate bandwidth by using a specialized client in exchange for a fee, NCSC’s action indicates that the owners of the devices that were part of the botnet did not knowingly participate in supporting cybercrime operations. BleepingComputer has contacted Asocks with a request for a comment on the allegations, but we have not received a response by publication time.

To protect networking devices from botnet infections, ensure the default credentials have been changed to something unique and strong, the latest firmware update has been applied, and remote administration panels are disabled when not needed.