Dutch Authorities Dismantle Botnet Controlling Over 17 Million Devices
#Cybersecurity


Security Reporter

The Netherlands police and the National Cyber Security Centre seized more than 200 servers used by a massive botnet that hijacked computers, smartphones and IoT gear. Experts explain how the network operated, why residential‑proxy services are attractive to criminals, and what organizations can do to stop their own devices from being conscripted.


The Dutch police, together with the National Cyber Security Centre (NCSC), announced the takedown of a botnet that had infected at least 17 million devices worldwide. More than 200 servers located in the Netherlands were seized, effectively pulling the command‑and‑control (C2) infrastructure offline. While the botnet’s public name was not disclosed, Dutch media linked it to Asocks, a residential‑proxy provider that markets “mobile, residential and corporate” proxies for a few dollars a month.


How the botnet was built

According to the NCSC, the compromised devices ranged from traditional PCs and tablets to Android phones and a variety of IoT gadgets such as smart cameras, routers and even industrial controllers. Once an attacker gained a foothold—typically through a vulnerable service, a weak default password, or a malicious app—the device received a lightweight loader that connected it to the C2 servers. From there the botnet could:

  • Route traffic through the device to hide the attacker’s IP address (the classic proxy use case).
  • Launch distributed‑denial‑of‑service (DDoS) attacks against arbitrary targets.
  • Deliver additional payloads, including ransomware or credential‑stealing modules.

The operation mirrors the PROXYLIB campaign uncovered by HUMAN’s Satori Threat Intelligence in April 2024, which linked compromised Android phones to proxy‑ware sold by LumiApps and Asocks. In that campaign, the malware turned each phone into a residential proxy, allowing buyers to purchase “clean” IP addresses for activities ranging from web scraping to credential stuffing.


Expert perspective

“Residential‑proxy services are a double‑edged sword,” says Dr. Anika Verhoeven, senior researcher at the NCSC. “Legitimate users need them for privacy and geo‑restriction bypass, but the same infrastructure is perfect for criminals who want a massive pool of IPs that look like ordinary home users.”

Mike Chen, principal security analyst at Mandiant, adds: “The scale we’re seeing—tens of millions of devices—means the botnet operator had automated the infection chain. Manual exploitation would never reach those numbers. The real problem is the supply chain: cheap hosting, lax password policies on consumer routers, and a marketplace that sells access to compromised devices without any vetting.”


Why residential proxies attract bad actors

  1. Low cost, high volume – Asocks advertised subscriptions from $5 to $15 per month, with bulk discounts that make it cheap to rent thousands of IPs.
  2. Perceived legitimacy – Traffic originating from a residential ISP is less likely to be flagged by anti‑fraud systems than traffic from data‑center ranges.
  3. Global distribution – By compromising devices in many countries, attackers can appear to come from any region, evading geo‑based blocks.

These incentives create a “shadow ecosystem” where proxy providers, botnet operators, and cybercriminals intersect. The Dutch takedown shows that law enforcement can disrupt the infrastructure, but the underlying market dynamics remain.


Practical steps to protect your devices

  1. Patch relentlessly – Enable automatic updates for operating systems, router firmware, and IoT firmware. Most infections exploit known vulnerabilities that have already been fixed.
  2. Change default credentials – Many consumer routers ship with admin/admin or similar. Replace them with strong, unique passwords.
  3. Enable MFA wherever possible – Even on mobile devices, use a biometric lock combined with a PIN or password.
  4. Restrict remote access – Disable services like Telnet, SSH, or RDP unless you need them, and if you do, limit access to specific IP ranges.
  5. Monitor network traffic – Deploy a network‑visibility solution that flags unusual outbound connections, especially to known proxy or C2 IP ranges.
  6. Use reputable app stores – Install Android apps only from Google Play or other vetted stores, and verify the publisher’s reputation.
  7. Secure Wi‑Fi – Switch to WPA3 where supported; otherwise, use WPA2 with a long, random passphrase.

What the takedown means for the broader threat landscape

The seizure of the 200‑plus servers is a significant blow to the operators, but the model is likely to reappear under a different banner. Security teams should treat the incident as a reminder that any internet‑connected device can become a proxy if an attacker can install a small loader.

For enterprises, the lesson is to extend endpoint‑detection‑and‑response (EDR) capabilities to non‑traditional assets—IoT gateways, smart HVAC controllers, and even point‑of‑sale terminals. Visibility tools that aggregate logs from routers, switches, and wireless access points can surface the same indicators of compromise that were used to locate the Dutch botnet’s C2 servers.
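Step 5 of the checklist above and the paragraph on aggregating router and switch logs both come down to the same triage question: which local devices are talking outbound in a way a proxy node would? The script below is an added example written for this article, not code from the NCSC, HUMAN or any advisory. It reads constructed flow records (timestamp, source, destination, port, bytes), applies an assumed per-role baseline for how many distinct external destinations a device should reach, and checks destinations against a placeholder block list. The device roles, thresholds, flow lines and block-list range are all constructed; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.

```python
"""Outbound-traffic triage for proxy-style relaying.

Added example, not part of the original article. It flags two behaviours
associated with conscripted proxy nodes: (1) a constrained-purpose (IoT)
device fanning out to many unrelated external destinations, and (2) any
device contacting an address on a block list. All data is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes_out.
# Documentation ranges (198.51.100.x, 203.0.113.x) stand in for public IPs.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.168.1.20 198.51.100.10 443 2100
2024-05-01T10:00:05 192.168.1.20 198.51.100.11 443 1800
2024-05-01T10:00:09 192.168.1.30 198.51.100.20 443 900
2024-05-01T10:00:10 192.168.1.30 198.51.100.21 80 700
2024-05-01T10:00:11 192.168.1.30 198.51.100.22 443 650
2024-05-01T10:00:12 192.168.1.30 198.51.100.23 443 720
2024-05-01T10:00:13 192.168.1.30 198.51.100.24 443 810
2024-05-01T10:00:14 192.168.1.30 198.51.100.25 80 610
2024-05-01T10:00:15 192.168.1.30 198.51.100.26 443 590
2024-05-01T10:00:16 192.168.1.30 203.0.113.7 8080 300
2024-05-01T10:00:20 192.168.1.50 198.51.100.30 443 5000
2024-05-01T10:00:21 192.168.1.50 198.51.100.31 443 4200
2024-05-01T10:00:22 192.168.1.50 192.168.1.1 53 120
"""

# Assumed asset inventory (constructed): which local addresses are limited-purpose devices.
DEVICE_ROLE = {
    "192.168.1.20": "iot",          # smart camera
    "192.168.1.30": "iot",          # smart plug
    "192.168.1.50": "workstation",
}

# Assumed baselines: distinct external destinations a role may reach before being flagged.
FANOUT_THRESHOLD = {"iot": 4, "workstation": 50}

# Placeholder block list (RFC 5737 documentation range, not a real indicator).
# In practice load the IOC list from an advisory such as the NCSC's.
BLOCK_LIST = [ip_network("203.0.113.0/24")]

# RFC 1918 ranges; flows that stay inside these are not relaying for anyone.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def is_local(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def in_block_list(ip, block_list=BLOCK_LIST):
    """True when the address falls inside any block-listed network."""
    addr = ip_address(ip)
    return any(addr in net for net in block_list)


def analyze(flows, roles=DEVICE_ROLE, thresholds=FANOUT_THRESHOLD, block_list=BLOCK_LIST):
    """Return {src_ip: [finding, ...]} for local devices with suspicious outbound traffic."""
    destinations = defaultdict(set)
    blocked_hits = defaultdict(set)
    for f in flows:
        if not is_local(f["src"]) or is_local(f["dst"]):
            continue  # only local-to-external flows matter for proxy detection
        destinations[f["src"]].add(f["dst"])
        if in_block_list(f["dst"], block_list):
            blocked_hits[f["src"]].add(f["dst"])

    findings = defaultdict(list)
    for src, dsts in destinations.items():
        role = roles.get(src, "unknown")
        limit = thresholds.get(role, thresholds["iot"])  # unknown devices get the strict baseline
        if len(dsts) > limit:
            findings[src].append(
                f"fan-out: {len(dsts)} distinct external destinations (limit {limit} for role '{role}')")
        for dst in sorted(blocked_hits.get(src, ())):
            findings[src].append(f"blocklisted destination: {dst}")
    return dict(findings)


def triage(text=SAMPLE_FLOWS):
    """Parse and analyze one flow-log text; convenience wrapper for the sample."""
    return analyze(parse_flows(text))


if __name__ == "__main__":
    for device, reasons in triage().items():
        print(device)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample only the smart plug (192.168.1.30) is reported: eight distinct external destinations against an IoT baseline of four, plus one contact with the block-listed range. The camera stays within its two vendor endpoints and the workstation's two external destinations are well under its baseline. The per-role threshold is the important design choice: a fixed fan-out limit applied to every host would either drown in workstation noise or miss an IoT device that quietly triples its usual destination count.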


Looking ahead

The NCSC plans to publish a technical advisory with indicators of compromise (IOCs) and recommended firewall rules. Meanwhile, industry groups are pushing for tighter regulation of residential‑proxy marketplaces, arguing that anonymity should not come at the cost of mass‑scale abuse.

Until such policies materialize, the onus remains on device owners and security professionals to harden the edge of the network. A single compromised router can become the gateway for millions of devices, and as the Dutch operation demonstrated, the impact can be global.


For a deeper dive into the technical indicators, see the NCSC advisory (link pending) and the original PROXYLIB analysis by HUMAN’s Satori team.
