Dutch authorities have dismantled the Asocks botnet (a large-scale network of compromised devices used as a criminal proxy service) that controlled approximately 17 million infected devices worldwide, in a joint operation by the Cybercrime Team of the Police Unit The Hague and the Dutch National Cyber Security Centre (NCSC). The infrastructure — 200 servers based entirely within the Netherlands — was used to route phishing campaigns, launch DDoS attacks (Distributed Denial-of-Service — coordinated floods of traffic designed to knock websites or services offline), and commit online fraud at scale, all while the actual criminal traffic appeared to originate from ordinary consumer devices around the globe.
// 01 Asocks Botnet: Technical Details
The Asocks network operated as a residential proxy service — a type of criminal infrastructure that infects legitimate consumer devices (home computers, routers, smartphones, tablets, smart security cameras) with malware, then rents access to those infected devices to paying criminals. Because traffic routed through an Asocks exit node appears to originate from a real home user's IP address rather than a data center, it evades IP-reputation blocklists and makes attribution significantly harder.
The botnet comprised compromised devices across multiple categories:
- Computers running Windows and macOS
- Home routers — frequently targeted because they run 24/7, rarely receive firmware updates, and are accessible from the internet
- Smartphones and tablets with outdated operating systems
- IoT (Internet of Things) devices including smart security cameras, which often ship with hardcoded credentials or unpatched firmware
All 200 servers managing and coordinating the botnet were physically located at a single hosting provider in the Netherlands. This centralization — unusual for large botnets, which typically distribute infrastructure across multiple jurisdictions to complicate takedowns — ultimately allowed Dutch authorities to execute a clean and decisive disruption. The hosting provider shut down the botnet after law enforcement revealed it was being used for criminal activity.
The case originated from a tip by an independent security researcher who reported the botnet's Netherlands-based infrastructure to the NCSC, which then passed the intelligence to the Police Unit The Hague Cybercrime Team. This researcher-to-NCSC-to-police pipeline represents a best-practice model for public-private threat intelligence sharing.

// 02 Exploitation Status and Threat Landscape
Residential proxy botnets have become a critical enabler of modern cybercrime precisely because they defeat IP-reputation defenses, which work by blocking known data-center ranges. When phishing emails originate from a residential IP in a legitimate ISP's address space, spam filters are far more likely to deliver them. When DDoS traffic comes from 17 million household IPs rather than a data center, volumetric blocklists cannot stop it without also blocking real users.
The Asocks service followed a business model increasingly common in the criminal underground:
- Build or purchase malware that silently infects consumer devices and enrolls them in the proxy network
- Sell access to the resulting proxy pool — often via a slick web interface with pricing per GB of traffic
- Accept cryptocurrency payments to anonymize proceeds
Criminal clients of Asocks-type services include:
- Ransomware operators performing reconnaissance and staging infrastructure
- Credential stuffing groups cycling through stolen username/password lists against banking and e-commerce sites
- State-sponsored APT (Advanced Persistent Threat) actors using residential proxies to mask the true origin of their operations
No arrests have been publicly announced in connection with this specific takedown. Dutch authorities stated the investigation is ongoing.
// 03 Who Is Affected
Device owners whose machines were enrolled in the botnet without their knowledge experienced:
- Degraded internet performance as outbound bandwidth was consumed by criminal proxy traffic
- Potential logging of their IP addresses in victim organizations' server logs — meaning innocent homeowners could appear as the source of DDoS attacks or phishing
- Residual malware infection that may persist after the botnet infrastructure is dismantled
Organizations victimized by Asocks-routed attacks — including DDoS targets, phishing victims, and fraud victims — were affected across all geographies. The Netherlands-hosted infrastructure served clients worldwide.
The hosting industry is the third affected party: the hosting provider that unknowingly housed the 200 botnet servers is now likely conducting a broader audit of other customers. Bulletproof hosting providers that knowingly harbor criminal infrastructure are a persistent problem for law enforcement; this case involved a legitimate provider that was deceived.
// 04 What You Should Do Right Now
- Check whether your home router or IoT devices were part of this botnet. Your ISP may send notifications, or you may notice unusual outbound traffic patterns. Log into your router's admin interface and check active connections and firmware version.
- Update all router and IoT device firmware immediately. Default credentials and unpatched firmware are the primary infection vectors. If your device no longer receives firmware updates, consider replacing it.
- Change default credentials on all networked devices. The single most effective measure against botnet infection is replacing factory-default passwords with strong, unique credentials.
- For enterprise security teams: if your IP reputation monitoring flags residential IPs as attack sources, do not automatically block entire ISP ranges — this denies service to innocent users. Instead, apply rate-limiting and behavioral analysis to residential IP traffic.
- Review your DDoS mitigation posture. Residential proxy botnets of this scale are sufficient to overwhelm organizations relying solely on IP blocklisting. Behavioral traffic analysis and challenge-response mechanisms (CAPTCHA, JS challenges) remain effective against proxy-routed DDoS.
- Monitor NCSC and CISA advisories for technical indicators of compromise (IOCs) related to the Asocks malware family. Dutch authorities typically publish IOCs following major takedowns.
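The enterprise advice above (rate-limit and analyze behavior rather than block ISP ranges) can be illustrated with login telemetry. The Python below is an added example, not code from the NCSC, the Dutch police, or any vendor. The event format, thresholds, and function names are assumptions, and the sample events are constructed. It shows why a per-IP rate limit catches only the loud source, while a cross-IP view of failed logins surfaces the thinly spread pattern typical of proxy-routed credential stuffing and answers it with a challenge instead of a block.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source_ip, username, login_ok).
# IPs come from documentation ranges; this is not real Asocks telemetry.
EVENTS = (
    # 12 residential-looking sources, one failed login each, different accounts
    [(1200 + 4 * i, f"198.51.100.{10 + i}", f"user{i}", False) for i in range(12)]
    # one loud source hammering a single account
    + [(1205 + i, "203.0.113.7", "admin", False) for i in range(8)]
    # an ordinary customer logging in successfully
    + [(1220, "192.0.2.44", "alice", True)]
)

def per_ip_rate_limited(events, limit=5, window=60):
    """Sliding-window limiter: IPs with more than `limit` requests in `window` s."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _user, _ok in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def distributed_failure_windows(events, window=60, min_ips=10, max_per_ip=2):
    """Tumbling windows in which failures are spread thinly over many sources."""
    buckets = defaultdict(lambda: defaultdict(int))  # window -> ip -> failures
    for ts, ip, _user, ok in events:
        if not ok:
            buckets[ts // window][ip] += 1
    hits = {}
    for w, by_ip in buckets.items():
        # sources that stay under any sensible per-IP limit
        quiet = {ip for ip, n in by_ip.items() if n <= max_per_ip}
        if len(quiet) >= min_ips:  # many quiet failing sources at once
            hits[w * window] = quiet
    return hits

def decide(ip, limited, suspicious):
    """Throttle loud IPs, challenge quiet-but-coordinated ones, never range-block."""
    if ip in limited:
        return "throttle"
    if any(ip in ips for ips in suspicious.values()):
        return "challenge"  # e.g. CAPTCHA or JS challenge
    return "allow"
```

The thresholds need tuning against a site's normal failed-login baseline; a password-reset campaign or an outage can also produce many single failures from distinct addresses.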
// 05 Background: Understanding the Risk
Residential proxy botnets occupy a specific niche in the criminal ecosystem that distinguishes them from traditional botnets. A conventional botnet — like the Russian Mirai variants that have been dismantled repeatedly — typically uses the infected devices themselves as DDoS attack sources. Residential proxy botnets do something more insidious: they make the infected devices look like paying customers accessing the internet normally, while routing criminal traffic through them invisibly.
The Asocks takedown follows a pattern of successful Dutch law enforcement actions against cybercriminal infrastructure. The Netherlands hosts a significant portion of the world's internet infrastructure, making it both an attractive location for legitimate businesses and a target for criminals seeking to exploit that connectivity. The Dutch Police's High Tech Crime Unit (THTC) has been responsible for several landmark takedowns, including the 2021 dismantling of the VPNLab.net bulletproof VPN service, the Hansa dark market takedown in 2017, and a series of DDoS-for-hire service disruptions.
What makes this takedown particularly notable is the scale — 17 million devices — and the efficiency of the operation. By targeting the centralized Netherlands-based server infrastructure rather than attempting to clean millions of individual victim devices, Dutch authorities neutered the entire network in a single coordinated action. The infected devices remain infected, but without a functioning command-and-control (C2 — the server that tells botnet members what to do) infrastructure, they cannot receive criminal instructions.
Device owners should still run a thorough malware scan and firmware update, as the underlying infection may be used to re-enroll devices in a successor botnet.
// 06 Conclusion
The Asocks residential proxy botnet operated for an extended period by routing criminal DDoS, phishing, and fraud traffic through 17 million unwitting victims' devices, with all 200 command-and-control servers concentrated in the Netherlands. Dutch police and NCSC's decisive action — seizing the infrastructure and working with the hosting provider to shut it down — has disrupted a significant piece of global cybercriminal infrastructure. Device owners should update firmware and change default credentials; security teams should review their defenses against residential-IP-sourced attacks, which blocklist-based approaches cannot adequately address.
