Dutch Police Take Down Botnet With 17 Million Infected Devices — And Nobody's Naming It
Dutch police have dismantled a botnet this week that had conscripted at least 17 million devices into its ranks. The operation followed a tip from a researcher at the Netherlands' National Cyber Security Centre (NCSC-NL), which led investigators to 200 servers quietly running the botnet's infrastructure on Dutch soil.
Cybercrime units from The Hague Police seized several servers from a local hosting provider. Once the provider realised what it had been unknowingly facilitating, it pulled the plug on the rest. Job done, apparently.
What the botnet was actually used for remains frustratingly vague. Police offered the usual grab-bag of possibilities: phishing, DDoS, fraud. No specifics. More notably, neither the police nor NCSC-NL named the botnet, which is unusual for a takedown of this scale. They also stayed quiet on exactly which devices were caught up in it, though both mentioned the usual suspects — home routers, mobile phones, IoT hardware — and took the opportunity to remind everyone to change default passwords and stop sideloading dodgy apps.
The timing of the announcement wasn't coincidental. Just before the takedown went public, NCSC-NL published a blog post flagging what it called a "worrying trend" in the abuse of residential proxy networks. Worth clarifying the distinction: botnets are almost entirely malicious by nature, while residential proxy networks occupy a greyer legal space. You can find proxy network operators advertising openly online, typically under the banner of privacy tools.
The problem is that consumers often end up enrolled in these networks without any awareness of it. Their IP addresses get folded into infrastructure that criminals then use to mask the origin of attacks, whether that's DDoS traffic, phishing campaigns, brute-force login attempts, or bypassing fraud detection systems that flag logins from unexpected locations.
"The devices of unsuspecting users can become part of such proxy networks, often without their knowledge," NCSC-NL noted. "In this way, consumers are unknowingly part of cybercrime."
Somewhat at odds with all this doom, NCSC-NL simultaneously published its annual Cybercrime Monitor, which showed reported cyberattacks on Dutch organisations had dropped to their lowest level in nine years. In 2024, just four percent of organisations reported an external cyberattack, down sharply from eleven percent in 2016. The decline was consistent across small, medium, and large companies.
Phishing and spoofing remained the dominant threat category, affecting around 23 percent of organisations. DDoS, ransomware, data breaches, and business email compromise each clocked in at roughly one percent.
NCSC-NL credits much of the improvement to the wider rollout of multi-factor authentication. Adoption among larger organisations now sits at 87 percent, up from 71 percent in 2017. Smaller organisations showed even sharper growth, jumping from 29 percent to 79 percent over the same period.
So: one enormous unnamed botnet dismantled, residential proxies quietly spreading everywhere, and Dutch cyberattack stats somehow trending in the right direction. Pick your mood accordingly.