Dutch authorities announced they have foiled one of the largest hacking operations in history. The hackers targeted more than 17 million consumer devices worldwide, ranging from computers and tablets to smartphones and security cameras, pulling them into a vast botnet and enlisting them in a residential proxy service used to carry out large-scale cyberattacks. According to a press release announcing the enforcement action, Dutch investigators confiscated 200 servers located in the Netherlands that were used to carry out the operation.
A botnet is a network of hijacked, infected devices that hackers use to carry out malicious activities. Typically, hackers infect victims’ devices with malware that allows them to control the devices remotely without the user noticing. Because their operators control large numbers of devices, botnets are highly effective for launching distributed denial of service (DDoS) attacks, in which hackers overwhelm a server with an unmanageable amount of Internet traffic. They are also an effective way to conduct cyberattacks anonymously, distribute phishing and spam emails, and commit fraud. In this case, a report from Dutch newspaper NL Times states that cybercriminals infected devices with weak security protections to serve as nodes in a “residential proxy service.” Once infected, the devices were used to redirect internet traffic to “launch large-scale cyberattacks” without the victims’ knowledge. According to Dutch authorities, the network is now offline.
This action reflects the increasing prevalence of botnets and residential proxy networks in global hacking operations. In recent months, victims have seen everything from routers to Android-based streaming devices spied on for the benefit of hackers. It seems like it’s time to make your home router more secure.
Beat the botnet
The undercover operation began when a security researcher from the National Cybersecurity Center, a division of the Dutch Ministry of Justice and Security, was assigned to oversee the country’s cybersecurity wing. Once reported, surveillance authorities worked with Dutch police to investigate the matter, ultimately identifying and confiscating 200 domestic servers used to manage the botnet’s infrastructure. To date, little is known about the criminal enterprise’s tactics, as Dutch authorities have yet to comment on how the hackers infected 17 million devices with malware. Historically, botnets have spread through infected applications, software exploits, phishing campaigns, and brute force attacks.
The operation was connected to the Asocks residential proxy service. In 2024, cybersecurity firm HUMAN discovered that a botnet called Proxylib had infected approximately 190,000 devices and enrolled them in Asocks’ proxy service. Residential proxies use the IP address of private Internet users as a transit station for Internet traffic. Researchers linked the botnet that routed victims through Asocks’ proxy network to a now-banned VPN service and at least 28 Android apps. Although the company’s website lists a British telephone number and an address registered on the East African island of Seychelles, Western media have long linked Asocks to Russia, raising serious security concerns. According to its website, the company offers proxy services for as little as $5 per month.
Following the report, Ars Technica contacted Asocks, without success, for comment. Interestingly, the NCSC updated its report on residential proxies, which the agency released a day before announcing the botnet’s takedown, with a link to the attack announcement. In its updated blog post, the NCSC says the enforcement measures “demonstrate” how residential proxies pose “a threat to national and international cybersecurity.”
A growing threat
This dismantling illustrates the growing threats from botnets and residential proxy networks. According to the NCSC, this technique is “increasingly frequently deployed in digital attacks,” allowing hackers to orchestrate DDoS shutdowns, brute force attacks, phishing schemes, credential theft, SMS pumping, and malware distribution. Dutch authorities note that botnets and residential proxies present unique challenges because their hijacking of trusted IP addresses makes them harder to detect. This is not to say that residential proxies are inherently malicious, as they can be valuable tools for circumventing geographic Internet censorship. However, their increasing prevalence in cybercriminal operations is remarkable.
The Dutch police action is just one of several high-profile botnet takedowns carried out by law enforcement in recent months. In March, for example, German, Canadian and U.S. agencies coordinated the takedown of two of the world’s largest botnet operations, dubbed “Aisuru” and “Kimwolf,” which German authorities said were executing high-volume DDoS attacks. According to the U.S. Attorney’s Office, botnets have hijacked more than three million devices. Earlier this year, Google took down the IPIDEA proxy network whose SDKs were used by the Kimwolf botnet. Two months later, the Dutch Ministry of Finance’s Tax Crime Unit (FIOD) seized more than 800 servers linked to a sanctioned illegal hosting service used to run botnet and malware scams.
Such actions are a reminder that we must protect ourselves against cyber threats. At a minimum, users should create tougher passwords, update software whenever possible, monitor network traffic, and ensure their Wi-Fi security settings include WPA2 or WPA3 protections. Avoid downloading apps from unofficial sources, avoid using residential proxy services when possible, and review application requirements to avoid being listed in proxy services without your consent. Traditional protections, like antivirus software, are also a plus.
