June 1, 2026

Dutch Police Dismantle ASOCKS Botnet Infecting 17 Million Devices


Dutch authorities have dismantled a criminal residential proxy botnet (a network of hijacked internet-connected devices rented out to cybercriminals to disguise malicious traffic as legitimate home user activity) that infected at least 17 million devices worldwide. The Dutch National Police and the Netherlands National Cyber Security Centre (NCSC-NL) announced the operation on May 28, 2026, confirming that approximately 200 command-and-control servers located at a Netherlands-based hosting provider were seized, leading to the botnet's collapse after the provider terminated the remaining infrastructure.

// 01 ASOCKS Botnet: Technical Details

The botnet is widely linked by security researchers to ASOCKS, a Russia-affiliated commercial proxy service that marketed access to millions of residential IP addresses — meaning real consumer devices, not data center servers — to paying customers who wished to hide their activity behind legitimate-looking home internet connections.

The primary technical instrument used to infect Android devices was PROXYLIB, a Go-language (Golang) library first identified by HUMAN Security's Satori threat intelligence team in 2023. PROXYLIB was embedded in a software development kit (SDK) called LumiApps, which was in turn incorporated into at least 28 Android applications available on Google Play, including free VPN apps, wallpaper apps, and utility tools. Apps embedding the SDK silently enrolled the victim's device as a proxy node in the ASOCKS network without disclosing this to users. Google removed the infected apps from the Play Store in February 2024 and updated Google Play Protect to detect the LumiApps SDK, but by that point the botnet had already expanded well beyond mobile devices to encompass home routers and IoT (Internet of Things) hardware such as cameras, smart TVs, and home automation devices, exploited through default credentials and unpatched firmware.

ASOCKS residential proxy botnet — infection model and criminal monetization chain

The 17 million figure is the law enforcement tally of the full infected device pool discovered through forensic analysis of the seized servers. ASOCKS itself had advertised approximately 7 million IPs in its marketing materials — suggesting the true scale of the criminal network was more than double what the operators publicly claimed.

// 02 Exploitation Status and Threat Landscape

The ASOCKS botnet was a criminal-for-profit infrastructure service, not a state-directed espionage operation. Paying customers rented residential IP addresses through a subscription model and used them to conduct a wide range of attacks that benefit from appearing to originate from real home internet connections:

  • DDoS attacks (Distributed Denial of Service — flooding a target with traffic from many sources simultaneously): Traffic routed through victim devices is nearly impossible to block without also blocking legitimate users from the same IP ranges.
  • Phishing campaigns and spam: Email sent from residential IPs evades IP-reputation-based spam filters far more effectively than email from data center addresses.
  • Credential stuffing (automated login attacks using stolen username/password combinations): Each attempt originates from a different residential IP, defeating rate-limiting and IP-blocking defenses.
  • SMS pumping, click fraud, and ad abuse: Services that detect data center traffic but not residential IP traffic are fully exposed.

The residential proxy model is particularly dangerous because it weaponizes the devices of innocent people — home users and small businesses — against other innocent victims, while the criminal operator profits from both sides.

// 03 Who Was Affected

Infected devices spanned all categories of consumer internet hardware:

  • Personal computers (Windows and Linux systems)
  • Android smartphones and tablets (primarily through PROXYLIB-infected Play Store apps)
  • Home and small office routers (exploited through default credentials and unpatched firmware)
  • IoT smart devices (cameras, smart TVs, home automation hubs)

Geographic distribution was global. No specific countries or industries were singled out as primary targets — the botnet infected any reachable device that could be recruited as a proxy node. End users on infected devices typically experienced higher outbound network traffic, slower connection speeds, and unexpected data usage, but the PROXYLIB infection in particular was designed to be invisible.

// 04 What You Should Do Right Now

  • Check for rogue Android apps. Review installed apps — especially any free VPN apps, wallpaper apps, or utility tools installed from unknown developers. Uninstall anything you do not recognize or no longer use.
  • Run Google Play Protect. Open the Play Store app, go to Play Protect, and run a full scan. Play Protect has detected LumiApps-based variants since February 2024.
  • Change router default credentials immediately. Log in to your home router admin panel (usually 192.168.0.1 or 192.168.1.1) and replace any factory default username/password with a strong, unique password.
  • Update router and IoT firmware. Check your router manufacturer's website for the latest firmware update and apply it. Do the same for any smart cameras, smart TVs, or other connected devices.
  • Check your IP address reputation. Visit ipinfo.io to see if your home IP is flagged as a known proxy or abuse IP. If it is, your device may be actively enrolled in a proxy network.
  • Monitor network traffic. Unexpectedly high outbound traffic — especially overnight or when no one is actively using the internet — is a sign of a proxy agent running in the background. Your ISP's traffic monitoring tools or a network monitoring app can help identify this.

# On Linux — check for unexpected outbound connections
# (ss prints the state as ESTAB, so filter on the state keyword rather than
# grepping for "ESTABLISHED"; root is needed for -p to show processes you do not own)
sudo ss -tnp state established

# On Linux — identify processes with unexpectedly high network I/O
# (nethogs view mode 3 reports cumulative totals in MB per process)
sudo nethogs -v 3
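As an added example that is not part of the original article, the POSIX shell script below turns the two checks above into something repeatable: it reads `ss -tnp state established` output and reports any process holding established connections to an unusually large number of distinct remote IPs (the fan-out a background proxy agent relaying traffic for many clients tends to show), and it reads `/proc/net/dev` to sample an interface's transmitted byte counter so a sustained outbound rate can be computed between two samples. The `ss` and `/proc/net/dev` samples embedded here are constructed for offline use, and the process name `proxyagent` is hypothetical; real output will differ in column widths but not in the fields parsed.

```shell
#!/bin/sh
# Added example: detect wide connection fan-out per process and sample TX bytes.
# Not code from the article or from any vendor; assumes the `ss -tnp` column
# layout (Recv-Q Send-Q Local Peer Process) and the /proc/net/dev layout.

# Constructed sample of `ss -tnp state established` output ("proxyagent" is hypothetical)
SAMPLE_SS='Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
0      0      192.168.1.23:44122 203.0.113.10:443   users:(("firefox",pid=2211,fd=51))
0      0      192.168.1.23:44130 203.0.113.11:443   users:(("firefox",pid=2211,fd=58))
0      0      192.168.1.23:51002 198.51.100.5:8080  users:(("proxyagent",pid=4410,fd=7))
0      0      192.168.1.23:51003 198.51.100.6:443   users:(("proxyagent",pid=4410,fd=8))
0      0      192.168.1.23:51004 198.51.100.7:443   users:(("proxyagent",pid=4410,fd=9))
0      0      192.168.1.23:51005 198.51.100.8:80    users:(("proxyagent",pid=4410,fd=10))
0      0      192.168.1.23:51006 198.51.100.9:443   users:(("proxyagent",pid=4410,fd=11))'

# Constructed sample of /proc/net/dev (TX bytes is the 9th number after the colon)
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1048576    2048    0    0    0     0          0         0  1048576    2048    0    0    0     0       0          0
 wlan0: 73400320   61231    0    0    0     0          0         0 52428800   40102    0    0    0     0       0          0'

# flag_fanout THRESHOLD: reads ss output on stdin, prints "name:pid count" for every
# process with at least THRESHOLD distinct remote IPs, sorted for stable output.
flag_fanout() {
  awk -v t="$1" '
    NR == 1 { next }                              # skip the ss header line
    {
      peer = $4; sub(/:[0-9]+$/, "", peer)        # drop the port, keep the remote IP
      name = "unknown"; pid = "-"                 # ss leaves Process blank without rights
      if (match($5, /"[^"]+"/))   name = substr($5, RSTART + 1, RLENGTH - 2)
      if (match($5, /pid=[0-9]+/)) pid  = substr($5, RSTART + 4, RLENGTH - 4)
      key = name ":" pid
      if (!((key, peer) in seen)) { seen[key, peer] = 1; count[key]++ }
    }
    END { for (k in count) if (count[k] + 0 >= t + 0) print k, count[k] }
  ' | sort
}

# tx_bytes_of IFACE: reads /proc/net/dev-formatted text on stdin, prints TX bytes
tx_bytes_of() {
  awk -v dev="$1" '
    {
      line = $0; sub(/^ +/, "", line)
      n = split(line, p, ":")                     # header lines have no colon
      if (n == 2 && p[1] == dev) { split(p[2], f, " "); print f[9] }
    }'
}

# tx_rate_kbps BYTES_BEFORE BYTES_AFTER SECONDS: average outbound rate in KiB/s
tx_rate_kbps() {
  echo $(( ($2 - $1) / $3 / 1024 ))
}

# Stand-alone demonstration on the constructed samples
printf '%s\n' "$SAMPLE_SS" | flag_fanout 4
b1=$(printf '%s\n' "$SAMPLE_NETDEV" | tx_bytes_of wlan0)
echo "wlan0 TX bytes in sample: $b1"
# On a live host: sudo ss -tnp state established | flag_fanout 20
#                 b1=$(tx_bytes_of wlan0 < /proc/net/dev); sleep 60
#                 b2=$(tx_bytes_of wlan0 < /proc/net/dev); tx_rate_kbps "$b1" "$b2" 60
```

The fan-out threshold is the part to tune: browsers and update agents legitimately hold a handful of connections, so a cut-off in the tens, taken when nobody is using the machine (the overnight case the article mentions), separates a relay agent from normal activity far better than a single `ss` listing does. A steady TX rate measured the same way while the device is idle is the complementary signal.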

// 05 Background: Understanding the Risk

The ASOCKS takedown is significant not primarily for the server seizure but for what it exposes about the modern criminal proxy industry. Residential proxy services — legitimate and criminal alike — exist because defenders have built effective IP-reputation systems that identify and block traffic from known data center IP ranges. A DDoS attack or credential-stuffing campaign originating from a rented cloud server will be blocked within minutes. The same attack routed through millions of home internet connections is nearly invisible.

The criminal innovation here was supply-side: instead of purchasing residential proxy access legally (some legitimate proxy providers exist), ASOCKS built its own supply by secretly enrolling victim devices. The SDK-based Android infection vector (embedding PROXYLIB in otherwise functional apps) is particularly insidious because it infected devices without any visible symptom, required no user interaction beyond installing the app, and was distributed through Google's official app store with millions of daily users.

This is not ASOCKS's first brush with law enforcement attention. HUMAN Security published research in April 2024 directly linking the PROXYLIB SDK to ASOCKS infrastructure, prompting Google's takedown of 28 infected Play Store apps. That action disrupted part of the enrollment pipeline but did not dismantle the botnet's existing device pool or its command infrastructure — which is what the May 2026 Dutch Police operation targeted.

Important distinction: A separate Dutch operation on May 18, 2026, conducted by the FIOD (Fiscale Inlichtingen- en Opsporingsdienst — the Dutch fiscal intelligence and investigation service), seized over 800 servers from bulletproof hosting provider Stark Industries Solutions / MIRhosting and arrested two individuals. That operation targeted infrastructure used by pro-Russian hacktivist group NoName057(16) and is a distinct case from the ASOCKS botnet takedown. The two operations should not be conflated despite both involving Dutch authorities and Dutch hosting infrastructure in the same week.

As of May 31, 2026, the ASOCKS website remains reachable, suggesting the commercial operation was disrupted but not fully destroyed at the business layer. Dutch authorities confirmed the investigation is ongoing and no arrests have been made in connection with the ASOCKS botnet specifically.

// 06 Conclusion

The Dutch Police and NCSC's dismantling of the ASOCKS botnet is one of the largest residential proxy botnet takedowns on record, disrupting 17 million infected devices and 200 servers in a single operation. Home users should check their devices for rogue apps, update router firmware, and change default credentials. The investigation is ongoing, and with the ASOCKS website still reachable, further enforcement action targeting the operators is expected.

Team Ciphers Security

The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.