Dutch authorities have dismantled a botnet that had recruited 17 million devices into criminal infrastructure without their owners’ knowledge. The operation targeted ASOCKS, a residential proxy service that routed malicious traffic through compromised routers, phones, tablets and cameras to make it appear legitimate. Law enforcement seized 200 servers used to host the botnet’s infrastructure, according to reporting by BleepingComputer and Ars Technica.
The devices involved were not high-value corporate targets. They were ordinary consumer hardware running outdated firmware or default passwords, quietly conscripted into a network that cybercriminals rented out to conduct DDoS attacks and phishing campaigns. The owners had no idea their home router was part of it.
Why Residential Proxies Make This Harder to Stop Than a Standard Botnet
Most botnet infrastructure is detectable because it runs through data centres with known IP ranges that security teams can block. Residential proxies work differently. Traffic exits through a genuine home or small-business internet connection, carrying a residential IP address that looks identical to a real user visiting a website or logging into a service. Dutch authorities confirmed in their statement that this is precisely what made ASOCKS effective: “Residential proxies make malicious traffic appear legitimate, complicating efforts to detect and block malicious activity.”
That is not a new observation, but ASOCKS industrialised it at a scale that made the service commercially viable for high-volume operations. A DDoS attack launched through 17 million residential IPs looks very different to a defender than one originating from a rented server farm. Rate-limiting, IP reputation blocklists, and geo-blocking all become less effective when the attack traffic is distributed across millions of legitimate-looking endpoints.
Phishing campaigns routed through residential proxies gain the same advantage. Email delivery infrastructure flagged for spam can be swapped out for clean residential IPs. Links embedded in phishing messages resolve through addresses that reputation services have no reason to distrust.
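To make the rate-limiting point concrete, here is an added example (not code from the original article or from the investigation) that runs two detection rules over a constructed authentication log. The log format, the threshold values and the account names are assumptions made for the example. A per-IP rule with a threshold of five failures in five minutes flags nothing, because each residential-looking address is used only once or twice; aggregating the same events by the targeted account, and counting how many distinct source addresses were involved, surfaces the distributed attempt.

```python
"""Per-IP rate limiting versus per-target aggregation over login failures.

Constructed scenario: twelve failed logins against one account, each from a
different source address, interleaved with ordinary traffic. The per-IP rule
sees at most two failures per address and stays silent; grouping by target
account shows twelve failures from twelve addresses inside three minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format assumed for this example, RFC 5737 test ranges).
SAMPLE_LOG = """\
2026-05-30T10:00:01Z ip=203.0.113.10 user=alice result=FAIL
2026-05-30T10:00:14Z ip=203.0.113.22 user=alice result=FAIL
2026-05-30T10:00:29Z ip=198.51.100.5 user=alice result=FAIL
2026-05-30T10:00:41Z ip=198.51.100.77 user=alice result=FAIL
2026-05-30T10:00:58Z ip=192.0.2.33 user=alice result=FAIL
2026-05-30T10:01:12Z ip=192.0.2.90 user=alice result=FAIL
2026-05-30T10:01:30Z ip=203.0.113.140 user=alice result=FAIL
2026-05-30T10:01:47Z ip=198.51.100.200 user=alice result=FAIL
2026-05-30T10:02:03Z ip=192.0.2.151 user=alice result=FAIL
2026-05-30T10:02:20Z ip=203.0.113.8 user=alice result=FAIL
2026-05-30T10:02:38Z ip=198.51.100.61 user=alice result=FAIL
2026-05-30T10:02:55Z ip=192.0.2.17 user=alice result=FAIL
2026-05-30T10:03:10Z ip=198.51.100.7 user=bob result=FAIL
2026-05-30T10:03:25Z ip=198.51.100.7 user=bob result=FAIL
2026-05-30T10:03:40Z ip=198.51.100.7 user=bob result=OK
2026-05-30T10:04:02Z ip=203.0.113.10 user=carol result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00"))}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.strip().splitlines() if line.strip()]


def max_in_window(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_ips(records, window=timedelta(minutes=5), threshold=5):
    """Classic per-IP rule: addresses with more than `threshold` failures in `window`."""
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            failures_by_ip[r["ip"]].append(r["ts"])
    return sorted(ip for ip, ts in failures_by_ip.items()
                  if max_in_window(ts, window) > threshold)


def flag_accounts(records, window=timedelta(minutes=5), threshold=5, min_ips=3):
    """Per-target rule: accounts with more than `threshold` failures in `window`
    coming from at least `min_ips` distinct addresses. Returns {user: distinct_ips}."""
    failures_by_user = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            failures_by_user[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, events in failures_by_user.items():
        times = [t for t, _ in events]
        sources = {ip for _, ip in events}
        if max_in_window(times, window) > threshold and len(sources) >= min_ips:
            flagged[user] = len(sources)
    return flagged


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("per-IP rule flags:", flag_ips(RECORDS))           # []
    print("per-account rule flags:", flag_accounts(RECORDS))  # {'alice': 12}
```

The same shift in grouping key applies to other traffic types the article mentions: for DDoS, aggregate by target path or resource rather than by source address; for phishing link clicks, by the destination domain rather than the resolving client. The source address is the one dimension a residential proxy pool is designed to make useless.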
200 Servers Down, but the Recruitment Problem Remains
Seizing 200 servers disrupts command-and-control and prevents operators from tasking the existing device pool. It does not patch the 17 million devices that were infected. Each one remains vulnerable to recruitment by a successor service unless the underlying weaknesses are addressed: unpatched firmware, default credentials and no authentication on management interfaces.
The botnet compromised routers, phones, tablets and cameras. That is a description of roughly every connected device in a European home. No CVEs have been disclosed in connection with the ASOCKS investigation, which suggests the primary recruitment method was not a novel exploit but the same combination of default passwords and outdated software that has fuelled botnet growth for a decade.
The residential proxy market did not begin and end with ASOCKS. Takedowns of services like this have historically produced successor operations within weeks, sometimes operated by overlapping personnel. Law enforcement operations of this kind matter, but treating the dismantling of one service as a resolution rather than an interruption would be premature.
Check Your Hardware Before Someone Else Uses It
If your organisation manages a network with consumer-grade routers or IoT devices at the edge, including remote workers’ home equipment, three steps apply now:
- Apply all available firmware updates to routers, cameras, and connected devices. Manufacturers including ASUS, TP-Link, and Netgear have all issued patches in the past 12 months addressing remote code execution and credential bypass flaws that botnets actively exploit.
- Replace default credentials. Every device shipped with a username of “admin” and a password printed on the back of the box is a default recruitment target. Change both on setup.
- Disable remote management interfaces that are not actively needed. Most home routers ship with remote administration disabled by default; verify yours matches that configuration.
Organisations running security awareness programmes should add a module on home router hygiene for staff working remotely. Corporate endpoint protection does not extend to the router sitting between an employee’s laptop and the internet.
References
- Dutch govt disrupts malware botnet with 17 million infected devices
- Botnet of more than 17 million devices dismantled
- Botnet of 17 Million Devices Dismantled in the Netherlands
June 1, 2026