Dutch Authorities Shut Down Criminal Network That Had Secretly Hijacked 17 Million Devices Worldwide
The Hague, Friday, 29 May 2026.
Dutch police and cybersecurity authorities dismantled the Asocks botnet on 28 May 2026, cutting off criminal control over 17 million compromised consumer devices globally — all routed through just 200 servers based in the Netherlands.
A Tip That Brought Down a Criminal Empire
The chain of events that led to one of the most significant botnet takedowns of 2026 began with a single report from an independent security researcher to the Dutch National Cyber Security Centre (NCSC) [1][3]. That tip set in motion a joint investigation between the NCSC and the Cybercrime Team of the Police Unit The Hague — a collaboration that would ultimately expose a sprawling criminal infrastructure hiding in plain sight on Dutch soil [1][2]. The botnet in question was known as Asocks, a network that had been flagged as far back as two years prior by a cybersecurity company, which had identified it as marketing itself as the ‘most stable residential proxy network’ available to paying clients [4]. The fact that it took a tip from a lone researcher — rather than a routine detection — to trigger the investigation speaks to the scale of the challenge authorities face in monitoring and policing the darker corners of the internet [GPT].
What Is the Asocks Botnet and How Did It Work?
At its core, the Asocks botnet was a so-called residential proxy service — a type of criminal infrastructure that works by covertly infecting poorly secured consumer devices with malware, then using those compromised devices to route internet traffic on behalf of paying customers [1][2]. Those customers, in turn, could be cybercriminals seeking to mask their activities behind the legitimate IP addresses of ordinary households [4]. The botnet comprised at least 17 million compromised consumer devices worldwide, including computers, routers, tablets, smartphones, smart security cameras, and other internet-connected devices [1][2][3]. What made Asocks particularly insidious was that the owners of those 17 million devices had no knowledge whatsoever that their hardware was being exploited [1][2]. According to the Dutch police, botnet networks of this type are used for a wide range of illegal activities, including launching cyberattacks, sending spam and phishing emails, committing online fraud, and overwhelming websites with traffic in denial-of-service attacks [2].
The Netherlands as Ground Zero for Criminal Infrastructure
One of the most striking findings of the investigation was that all 200 servers used to control the Asocks botnet’s entire global infrastructure were physically located in the Netherlands [1][2][3]. The Netherlands is one of the world’s most densely connected internet hubs, home to the Amsterdam Internet Exchange (AMS-IX), one of the largest internet exchange points on the planet [GPT]. That connectivity, while a major asset for legitimate commerce and digital innovation, also makes the country an attractive base for criminal cyber infrastructure [GPT]. The Police Unit The Hague responded by confiscating multiple servers from a Dutch hosting provider for forensic examination [1][2][3]. Once the hosting provider was informed of the criminal use being made of its infrastructure, it proceeded to take the entire botnet offline [1][2][3][4]. The action effectively severed the command-and-control capability of the Asocks network, rendering it inoperable on 28 May 2026 [1][2].
Why This Takedown Matters — and What Comes Next
The dismantling of the Asocks botnet is a meaningful demonstration of what coordinated institutional action can achieve against large-scale cybercrime infrastructure [GPT]. The fact that 200 servers were sufficient to direct the activity of 17.000 million infected devices underlines how efficiently criminal operators can leverage relatively modest hardware to exert massive global reach [1][2][3]. For consumers and businesses alike, the takedown also serves as a timely reminder of how everyday connected devices — home routers, smartphones, smart cameras — can be silently conscripted into criminal networks without the owner ever suspecting a thing [1][2]. The NCSC and Dutch police have issued clear guidance to help people protect themselves: change default passwords on all connected devices immediately, secure Wi-Fi networks using WPA2 or WPA3 encryption, install all software and operating system updates as soon as they become available, use strong and unique passwords combined with two-factor authentication wherever possible, install apps and software only from trusted sources, and regularly audit which devices are connected to a home network [2]. Cybersecurity professionals and innovation specialists will note that this operation reinforces the growing consensus that security-by-design must become a non-negotiable standard for consumer IoT products, rather than an afterthought patched on after deployment [GPT]. The Asocks case also signals that Dutch authorities are increasingly willing and capable of acting as enforcers of global cyber order — a role that, given the Netherlands’ position as a critical node in global internet infrastructure, carries significant weight well beyond its borders [1][2][3].