Dutch authorities, in collaboration with the National Cyber Security Center, dismantled a botnet comprising over 17 million devices managed by 200 servers, linked to Russian proxy service provider ASOCKS.
<p>Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center.</p>
<p>The action, <a href="https://www.ncsc.nl/nieuws/gezamenlijke-actie-politie-en-ncsc-legt-groot-botnetwerk-plat">announced Thursday</a>, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands.</p>
<h2>Used for criminal purposes</h2>
<p>“The police then seized several botnet servers from a hosting provider for investigation,” the NCSC said. “The botnet was taken offline by the provider because it was used for criminal purposes.”</p><p><a href="https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/">Read full article</a></p>
<p><a href="https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/#comments">Comments</a></p>
# Botnet of more than 17 million devices dismantled
Source: [https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/](https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/)
Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center\.
The action,[announced Thursday](https://www.ncsc.nl/nieuws/gezamenlijke-actie-politie-en-ncsc-legt-groot-botnetwerk-plat), came about after a security researcher reported the sprawling network to authorities\. The host infrastructure was located in the Netherlands\.
## Used for criminal purposes
“The police then seized several botnet servers from a hosting provider for investigation,” the NCSC said\. “The botnet was taken offline by the provider because it was used for criminal purposes\.”
According to a[report](https://nltimes.nl/2026/05/28/ncsc-dutch-police-disrupt-global-botnet-controlled-via-netherlands-based-servers)Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia\-based company that provides residential proxy services\. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third\-party devices\. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command\-and\-control servers, operating phishing operations, and scraping website content\.
Ars was unable to independently confirm the NL Times report, but the claim checks out\. Thursday’s NCSC post linked to a[separate post](https://www.ncsc.nl/expertblogs/residential-proxies-en-hun-grote-impact-op-de-digitale-veiligheid-in-nederland)that the nonprofit organization published a day earlier\. That post, in turn, was updated to add a link to Thursday’s post\. Wednesday’s post, headlined “Residential proxies and their major impact on digital security in the Netherlands,” warned: “Residential proxies are used to maintain anonymity and circumvent geographical restrictions\. In this way, a Dutch organization can be attacked with Dutch proxies that have similarities with ‘regular’ traffic, making cybercrime mitigation more difficult\.”
U.S., Canadian, and German authorities have dismantled four IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that compromised over three million devices and launched record-breaking DDoS attacks, including against the Department of Defense.
Dutch authorities arrested two co-owners of hosting companies for providing infrastructure used by Russia in cyberattacks and influence operations, seizing over 800 servers.
Police and international authorities dismantled a VPN service used by criminals, seizing servers and identifying users, after a years-long investigation.
Russian state-backed hackers (Forest Blizzard/APT28) used known vulnerabilities in old routers to hijack DNS settings and steal OAuth authentication tokens from Microsoft Office users, compromising over 200 organizations and 5,000 consumer devices without deploying malware.
KrebsOnSecurity reports that a Brazilian anti-DDoS firm, Huge Networks, was compromised and its infrastructure used to launch massive DDoS attacks against other Brazilian ISPs via a botnet of insecure routers and DNS servers.