cybercrime data breach Netherlands football API security

Dutch Police Nab Suspect Who Repeatedly Hacked Ajax Amsterdam's IT Systems

28 May 2026

Dutch police arrested a 35-year-old man from Buren on suspicion of repeatedly hacking into Ajax Amsterdam's computer systems in early 2026. The attacker exploited vulnerabilities in the club's IT infrastructure to access data on hundreds of individuals, modify stadium bans, and potentially manipulate over 42,000 season tickets and 300,000 fan accounts. Ajax has since patched the vulnerabilities and notified the Dutch Data Protection Authority and police.

Dutch police have arrested a 35-year-old man from the municipality of Buren on suspicion of hacking professional football club AFC Ajax multiple times earlier this year.

The arrest happened on the morning of 26 May. According to a police press release, the suspect is believed to have deliberately gained unauthorised access to Ajax's computer systems on several occasions in early 2026. Once Ajax became aware of the intrusions, the club informed police, who opened a criminal investigation that eventually led them to the Buren suspect.

Ajax had publicly acknowledged the breach back in late March, confirming that an attacker had exploited vulnerabilities in its IT infrastructure to access data belonging to several hundred individuals. The same flaws apparently allowed the attacker to modify stadium bans for fewer than 20 people and redirect purchased tickets to other accounts.

That was the sanitised version. An RTL investigation painted a considerably worse picture. The security weaknesses, which included exposed APIs and shared keys, gave the hacker sweeping access to fan data. A live demonstration reportedly showed how a VIP season ticket could be reassigned within seconds. More alarming still, the attacker had the technical ability to manipulate 538 supporter stadium bans, tamper with 42,000 season tickets, and view account details for over 300,000 fans.

Ajax has since patched the vulnerabilities and notified both the Dutch Data Protection Authority and the police, which is the legally correct thing to do and also, at this point, the bare minimum anyone should expect.

This is not the only notable cybercrime case the Dutch National Police has been dealing with lately. In September 2025, officers arrested two teenagers suspected of conducting surveillance for Russia using a WiFi sniffer near the Europol and Eurojust offices and the Canadian embassy in The Hague. More recently, Dutch financial crime investigators raided a web hosting operation, seizing 800 servers allegedly used to facilitate cyberattacks, influence operations, and disinformation campaigns.

The Ajax suspect is currently in custody pending further investigation.