Dutch Authorities Axe 17-Million-Device Botnet Tied to Russian Proxy Firm

Dutch authorities, in a joint operation between police and the National Cyber Security Centre, dismantled a botnet comprising over 17 million devices managed by 200 servers, after a security researcher reported the network. The botnet has been linked to ASOCKS, a Russia-based residential proxy service reportedly used for criminal activities such as DDoS attacks, phishing, and hiding users' identities. The host infrastructure, based in the Netherlands, was seized and taken offline by the hosting provider.

Dutch police and the National Cyber Security Centre have taken down a botnet spanning over 17 million compromised devices, all funnelled through roughly 200 servers hosted in the Netherlands. The operation kicked off after a security researcher flagged the infrastructure to authorities, who then leaned on the hosting provider to pull the plug.

The NCSC confirmed that several botnet servers were seized for forensic investigation before the provider shut the whole thing down on the grounds it was being used for criminal activity. Terse, but accurate.

The botnet has been linked to ASOCKS, a Russian company selling residential proxy services. If you're unfamiliar with how these work: operators route traffic through ordinary people's devices, often without those people knowing, to make malicious activity look like it's coming from a regular home broadband connection. That makes it considerably harder to detect and block. The use cases include DDoS attacks, phishing campaigns, command-and-control infrastructure, and bulk web scraping.

The NCSC's own published guidance flagged the specific threat residential proxies pose to Dutch organisations, noting that attacks routed through Dutch residential IPs can blend almost seamlessly into normal traffic patterns. Not ideal when you're trying to distinguish genuine users from an attack wave.

The ASOCKS connection isn't new. Back in 2024, security firm Human tied a botnet called Proxylib to ASOCKS, based on two fairly damning data points: infected IP addresses showing up in ASOCKS proxy lists, and traffic from a test device routing out through asocks[.]com. Twenty-eight Google Play apps were found to have silently enrolled up to 190,000 Android devices into the network. Nobody asked. ASOCKS didn't respond to requests for comment then, and hasn't responded now either.

How 17 million devices ended up in this particular botnet isn't entirely clear. The usual routes apply: unpatched software vulnerabilities, dodgy apps, and the occasional app that technically discloses proxy enrolment somewhere deep in the small print that nobody reads.

The standard advice holds. Keep devices updated. Stop using software that no longer receives security patches. Think carefully before installing apps, and remove them when you're done with them. Boring? Yes. Effective? Also yes.