Dutch Authorities Dismantle Botnet of 17 Million Devices
Dutch police and the National Cyber Security Centre (NCSC) have dismantled a botnet of at least 17 million infected devices – among them large numbers of routers, smartphones, and IoT hardware. The case is a textbook example of what poorly secured connected devices can become: commercially marketed attack infrastructure, available by monthly subscription.
Key Takeaways
- On May 28, 2026, Dutch police and the NCSC took down a botnet of at least 17 million infected devices that relied on more than 200 servers physically located in the Netherlands as its backend infrastructure.
- The network is linked to Asocks, a commercial residential proxy service that routed criminal internet traffic through compromised consumer devices – sold to subscribers for as little as $5 per month.
- The raid hit the infrastructure, not the service itself: the Asocks website remained accessible after the seizure, and every infected device worldwide stays compromised.
Your router, someone else’s exit node
The tip came from an independent security researcher who reported the network to the NCSC. Investigators traced more than 200 command-and-control servers – the machines that remotely orchestrate a botnet’s infected devices – back to a single hosting provider in the Netherlands. Police seized a subset of those servers for forensic analysis; the provider subsequently took the entire infrastructure offline after confirming it was being used for criminal purposes.
Dutch authorities did not name the botnet operator in their official statement. Dutch outlet NL Times first reported the connection to Asocks, a finding independently confirmed by BleepingComputer. Asocks markets itself as a provider of residential proxies – a type of service where internet traffic is routed through the IP addresses of real end-user devices, making it appear to originate from ordinary home connections rather than data centers. Subscriptions were listed on the Asocks website at $5 to $15 per month, with bulk discounts of five to fifteen percent for larger orders.
Why IoT devices are the raw material
Residential proxies are not inherently illegal. Legitimate use cases include accessing geo-restricted content or running regional price comparisons. The problem is what sits underneath: a large share of the devices enrolled in the Asocks network were compromised without their owners’ knowledge. According to the NCSC and NL Times, the infected fleet included computers, routers, tablets, smartphones, and internet-connected devices such as smart security cameras.
IoT hardware is disproportionately represented in botnets of this kind for straightforward reasons. Devices frequently ship with factory-default credentials that users never change, run firmware that goes unpatched for months or years, and receive no active monitoring once deployed. “Devices can become part of a botnet when they are accessible to malicious actors,” the NCSC notes in its statement. Once access is gained, malware is installed that enables remote control – typically without any visible sign to the device owner.
Asocks is not a new name in the security community. In early 2024, researchers at HUMAN’s Satori Threat Intelligence team published findings linking the service to a campaign called PROXYLIB: 28 free Android apps on the Google Play Store had been found silently installing Asocks proxyware via an SDK from a monetization service called LumiApps, enrolling users’ devices into the proxy network without consent. Google removed the apps and updated Google Play Protect to detect the offending libraries.
What the raid did – and didn’t – accomplish
The scale of the May 28 operation is notable. So are its limits. Reports indicate the Asocks website remained online after the server seizure. More significantly, the 17 million infected devices across 163 countries are still infected. The infrastructure was dismantled; the underlying problem was not.
That is not a criticism of the investigators so much as a reflection of how these takedowns structurally work. Seizing servers clears out a data center. It does not reach the compromised router sitting in a warehouse in Düsseldorf or the smart camera running default credentials on a factory floor in Łódź. As long as those devices stay infected, the potential to rapidly rebuild the infrastructure exists.
It is also worth noting the broader context: the Asocks takedown is the second major Dutch criminal-infrastructure operation in just over a week, following the May 22 seizure targeting bulletproof hosting provider Stark Industries. Residential proxy abuse is not a niche threat. The UK NCSC warned in April 2026 that China-linked threat actors are increasingly routing operations through exactly this kind of compromised consumer hardware to evade detection.
What IoT operators should do now
The NCSC published a concrete list of countermeasures alongside its announcement. Keep operating systems, router firmware, and app software up to date. Maintain active visibility of all edge devices – meaning every internet-facing endpoint on your network, from routers to cameras to industrial gateways. Use strong, unique passwords. Enable two-factor authentication wherever the device supports it. Change default credentials immediately on deployment. Secure Wi-Fi networks with WPA2 or WPA3 at a minimum.
For organizations running larger IoT deployments, the Asocks case points to something more structural: device lifecycle management and network segmentation are not optional features. Knowing the patch status of every field device is a baseline requirement, not a stretch goal. The supply of compromised endpoints available to operators of services like Asocks remains large precisely because that baseline is so rarely met.
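One way to turn the NCSC countermeasures and the patch-status baseline above into a repeatable check, as an added example that is not part of the original article or of any NCSC tooling. The inventory, its field names, the 90-day patch threshold and the segment names are assumptions made for illustration.

```python
from datetime import date

TODAY = date(2026, 6, 1)          # constructed audit date
MAX_PATCH_AGE_DAYS = 90           # assumption: local policy, not an NCSC figure
ACCEPTED_WIFI = {"WPA2", "WPA3"}  # minimum named in the NCSC list
DEVICE_SEGMENTS = {"edge", "iot", "ot"}  # assumption: VLANs reserved for devices

# Constructed inventory; device names and field names are hypothetical.
INVENTORY = [
    {"name": "edge-router-01", "internet_facing": True,
     "last_patched": date(2026, 5, 10), "default_creds": False,
     "mfa_supported": True, "mfa_enabled": True, "wifi": "WPA3", "segment": "edge"},
    {"name": "cam-dock-07", "internet_facing": True,
     "last_patched": date(2024, 11, 2), "default_creds": True,
     "mfa_supported": False, "mfa_enabled": False, "wifi": "WPA2", "segment": "corp"},
    {"name": "gw-plant-03", "internet_facing": False,
     "last_patched": None, "default_creds": False,
     "mfa_supported": True, "mfa_enabled": False, "wifi": "WEP", "segment": "ot"},
]

def audit_device(dev, today=TODAY):
    """Return the list of countermeasures this device fails."""
    findings = []
    patched = dev["last_patched"]
    if patched is None:
        findings.append("patch status unknown")
    elif (today - patched).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"firmware unpatched for {(today - patched).days} days")
    if dev["default_creds"]:
        findings.append("default credentials in use")
    if dev["mfa_supported"] and not dev["mfa_enabled"]:
        findings.append("two-factor authentication supported but disabled")
    if dev["wifi"] is not None and dev["wifi"] not in ACCEPTED_WIFI:  # None = wired
        findings.append(f"Wi-Fi below WPA2 ({dev['wifi']})")
    if dev["segment"] not in DEVICE_SEGMENTS:
        findings.append(f"not segmented (sits on '{dev['segment']}')")
    return findings

def audit(inventory, today=TODAY):
    """Failing devices only, internet-facing and most findings first."""
    rows = [(d["name"], d["internet_facing"], audit_device(d, today)) for d in inventory]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: (not r[1], -len(r[2])))

if __name__ == "__main__":
    for name, exposed, findings in audit(INVENTORY):
        print(f"{name} ({'internet-facing' if exposed else 'internal'}): " + "; ".join(findings))
```

A device with no recorded patch date is reported rather than skipped, since an unknown patch status is itself a gap in the baseline.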












