Dutch Police and NCSC dismantle 17-million-device botnet running on 200 servers seized from local hosting provider
On May 28, 2026, the Dutch National Police and National Cyber Security Center (NCSC) jointly dismantled a large-scale botnet comprising approximately 17 million compromised devices worldwide. The botnet infrastructure was hosted on about 200 servers physically located in the Netherlands, which were seized from a local hosting provider. The compromised devices included computers, smartphones, and tablets, and were reportedly used as part of a residential proxy service, likely the Asocks network. The hosting provider permanently took the botnet infrastructure offline following the seizure. The NCSC issued prevention guidance emphasizing prompt patching, multi-factor authentication, changing default credentials, securing Wi-Fi with WPA2/WPA3, and maintaining visibility over network devices. This takedown is part of a broader pattern of coordinated international law enforcement actions against proxy and botnet networks in 2026.
AI Analysis
Technical Summary
A massive botnet consisting of roughly 17 million compromised consumer devices was controlled via approximately 200 servers physically hosted in the Netherlands. The Dutch Police and NCSC acted on a tip from a security researcher, conducting a forensic investigation that led to the seizure of these servers from a local hosting provider. The botnet was used to operate a residential proxy service, likely the Asocks network, monetizing hijacked devices as exit nodes. Following the seizure, the hosting provider permanently shut down the botnet infrastructure. The NCSC provided specific mitigation guidance to prevent device compromise and botnet integration, including patching, enforcing MFA, replacing default passwords, and securing wireless networks. This operation aligns with other recent international takedowns of proxy and botnet networks targeting SOHO routers and consumer devices.
Potential Impact
The botnet compromised approximately 17 million devices globally, including computers, smartphones, and tablets, enabling cybercriminals to leverage these devices for illicit activities such as proxy services. The large scale of the botnet posed significant risks for abuse in cyberattacks, anonymization of malicious traffic, and potential further exploitation of compromised devices. The seizure of the 200 servers hosting the botnet infrastructure disrupted the criminal operation and removed a major threat actor's capability. The hosting provider's permanent shutdown of the infrastructure further mitigated ongoing risks. No direct information about exploitation of specific vulnerabilities or data breaches was provided.
Mitigation Recommendations
The Dutch NCSC recommends that users and network administrators promptly patch operating systems, routers, and applications to reduce compromise risk. Enforcing multi-factor authentication and replacing default hardware passwords are critical to prevent unauthorized access. Securing Wi-Fi networks with WPA2 or WPA3 encryption is advised to protect network traffic. Maintaining full visibility of all devices connected to the network perimeter helps detect anomalous activity. Users should only install software from trusted sources and use comprehensive antivirus or security solutions. Since the botnet infrastructure has been seized and taken offline, these measures serve to prevent future device compromise and botnet formation.
Reddit Discussion
On May 28, 2026, the Dutch National Police and the National Cyber Security Center announced they had taken down a large-scale botnet that had compromised roughly 17 million devices globally - computers, smartphones, and tablets - all funneled through approximately 200 servers physically hosted inside the Netherlands.
The operation started with a tip from an independent security researcher who flagged the anomalous infrastructure to the NCSC. That led to a full forensic investigation before law enforcement moved in and seized servers directly from a local hosting provider. The provider subsequently pulled the remaining infrastructure permanently once the criminal use was confirmed.
Some reporting points to the Asocks network as the likely target - a residential proxy service that essentially monetized compromised consumer devices as exit nodes.
The NCSC published prevention guidance alongside the announcement, covering the usual fundamentals: patch operating systems and edge devices promptly, enforce MFA, replace default credentials, use WPA2/WPA3 on wireless networks, and maintain full visibility over devices on your perimeter.
This follows a broader pattern of coordinated takedowns this year. Operation Lightning dismantled SocksEscort in March, which ran on hijacked SOHO routers via the AVRecon botnet. Around the same period, Aisuru, KimWolf, JackSkid, and Mossad proxy networks were also taken offline, and the IPIDEA proxy network was disrupted in January.
Technical Details
- Source Type
- Subreddit: ExploitDev+pwned+hacking
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:botnet","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["botnet"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a1db45de29bf47b5016f852
Added to database: 6/1/2026, 4:33:33 PM
Last enriched: 6/1/2026, 4:33:44 PM
Last updated: 6/1/2026, 7:03:19 PM
Views: 5