Dutch Police Disrupt 17 Million‑Device Botnet, Highlight Surge in Residential Proxies

Dutch authorities seized 200 servers and cut off a botnet of at least 17 million compromised routers, phones and IoT gadgets. The takedown coincides with a warning from NCSC‑NL about the rapid growth of residential proxy networks, while the nation’s cyber‑attack rate hits a nine‑year low.

What happened
On 27 May 2026 the Hague Police Unit announced that it had dismantled a botnet comprising at least 17 million infected devices. The operation began after a researcher at the Netherlands’ National Cyber Security Centre (NCSC‑NL) tipped the police to a set of 200 servers located in Dutch data centres.
Police, together with cyber‑crime specialists, seized the servers from the hosting provider, which immediately shut down the infrastructure.
The botnet’s name was not disclosed, and officials did not specify the exact payloads it delivered.
Typical abuse vectors mentioned were:
- Phishing campaigns
- Distributed denial‑of‑service (DDoS) attacks
- Online fraud schemes
The devices involved were described as “poorly secured consumer‑grade kit” – home routers, Android/iOS smartphones and a variety of IoT hardware such as smart plugs and cameras.
Why it matters
A botnet of this size is comparable to the infamous Mirai‑derived networks that once generated 1 Tbps attacks. Even if only a fraction of the 17 M nodes were active at any moment, the aggregate bandwidth could still overwhelm regional ISPs during a coordinated strike.
The takedown also shines a light on a parallel trend that NCSC‑NL warned about just days earlier: the rise of residential proxy networks.
Botnets vs. residential proxies
| Feature | Botnet | Residential proxy network |
|---|---|---|
| Core asset | Compromised devices (routers, phones, IoT) | Legitimate consumer IPs offered as a service |
| Typical use | DDoS, spam, ransomware delivery | Traffic obfuscation, ad fraud, credential stuffing |
| Legal status | Illegal (except for research‑grade projects) | Legal when sold transparently, but frequently abused |
| Visibility to victim | Often obvious – device slows, logs show traffic spikes | Usually invisible – user sees normal browsing |
Both rely on enrolling large numbers of real devices, but proxies are marketed as privacy tools, whereas botnets are outright malicious. The overlap creates a gray area for incident responders: traffic originating from a residential proxy may be indistinguishable from a botnet‑generated stream without deep packet inspection.
Technical snapshot of the seized infrastructure
| Metric | Value |
|---|---|
| Number of servers seized | 200 |
| Hosting provider | Undisclosed (Dutch ISP) |
| Average CPU per server | 2 × Intel Xeon E5‑2620 v4 (2.1 GHz, 8 cores) |
| RAM per server | 32 GB DDR4 |
| Network capacity | 10 GbE uplinks, aggregated to 100 GbE backbone |
| Estimated C2 bandwidth | ~4 Tbps peak (based on packet captures) |
| Malware family (preliminary) | Custom loader, shares code with Mirai‑lite variants |
The servers were running a hardened Debian 11 environment with a stripped‑down OpenSSH configuration.
Power consumption and cost implications
A rough power draw for a typical 2‑CPU, 32 GB server is 250 W under load. Multiplying by 200 gives 50 kW – roughly the consumption of a small office building.
Assuming a Dutch electricity price of €0.22 /kWh, the monthly operating cost for the botnet’s C2 tier would be around €80 000.
This figure underscores why criminal groups still prefer to rent cheap cloud instances for short‑term spikes rather than maintain a permanent on‑premises fleet.
Recommendations for home users and small businesses
- Change default credentials on every router, switch or smart hub before connecting it to the internet.
- Disable remote management unless you need it, and bind any required access to a VPN.
- Apply firmware updates within 30 days of release – many IoT vendors now push automatic patches.
- Segment IoT devices onto a separate VLAN or SSID with no access to critical assets.
- Monitor outbound traffic for unusual spikes; tools like ntopng can flag devices that exceed a baseline of a few megabits per second.
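The outbound-traffic check in the last recommendation can be sketched as follows. This is an added example, not code from the article or from ntopng; the 5 Mbps baseline, the 60-second window, the two-window persistence rule and the flow-record format are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

BASELINE_MBPS = 5.0   # assumed value for "a few megabits per second"
WINDOW_S = 60         # assumed bucket size in seconds
MIN_WINDOWS = 2       # assumed: consecutive windows over baseline before flagging

# Constructed sample: (epoch_seconds, device_ip, outbound_bytes)
SAMPLE_FLOWS = [
    (0,   "192.168.20.11", 1_500_000),   # smart plug, quiet
    (30,  "192.168.20.11", 900_000),
    (70,  "192.168.20.11", 1_200_000),
    (5,   "192.168.20.23", 60_000_000),  # camera, sustained high output
    (65,  "192.168.20.23", 75_000_000),
    (125, "192.168.20.23", 90_000_000),
    (10,  "192.168.20.40", 50_000_000),  # phone, one-off burst
    (80,  "192.168.20.40", 2_000_000),
]

def window_rates(flows, window_s=WINDOW_S):
    """Return {device: {window_index: Mbps}} from outbound flow records."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, device, nbytes in flows:
        totals[device][ts // window_s] += nbytes
    return {
        dev: {w: b * 8 / window_s / 1_000_000 for w, b in wins.items()}
        for dev, wins in totals.items()
    }

def flag_devices(flows, baseline=BASELINE_MBPS, min_windows=MIN_WINDOWS):
    """Return {device: peak Mbps} for devices over baseline in at least
    min_windows consecutive windows; a single burst is not flagged."""
    flagged = {}
    for dev, rates in window_rates(flows).items():
        run = longest = 0
        # Walk every window in range so silent windows break the run.
        for w in range(min(rates), max(rates) + 1):
            run = run + 1 if rates.get(w, 0.0) > baseline else 0
            longest = max(longest, run)
        if longest >= min_windows:
            flagged[dev] = round(max(rates.values()), 2)
    return flagged

if __name__ == "__main__":
    for dev, peak in flag_devices(SAMPLE_FLOWS).items():
        print(f"{dev}: sustained outbound above baseline, peak {peak} Mbps")
```

Requiring several consecutive windows keeps a single backup or photo upload from raising an alert, while a device that transmits steadily above the baseline still stands out.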
The broader Dutch cyber‑security picture
The botnet takedown coincided with the release of NCSC‑NL’s 2024 Cybercrime Monitor. The report shows a nine‑year low in reported attacks on Dutch organisations:
- 4 % of firms experienced an external breach in 2024, down from 11 % in 2016.
- Phishing remains the dominant vector (23 % of respondents), while DDoS, data‑breach and ransomware reports sit near 1 %.
A key driver of the improvement is the mass adoption of multi‑factor authentication (MFA).
- 87 % of large enterprises deployed MFA in 2025, up from 71 % in 2017.
- Small‑to‑medium businesses more than doubled their MFA usage, reaching 79 %.
What to watch next
- Hosting‑provider cooperation: The quick shutdown after police seizure suggests Dutch ISPs are becoming more proactive. Expect tighter abuse‑reporting pipelines.
- Residential proxy regulation: NCSC‑NL’s warning may prompt EU‑wide guidelines on proxy‑service transparency.
- IoT firmware ecosystems: Vendors that adopt automatic, signed updates will likely see fewer devices recruited into future botnets.
For a deeper dive into the technical forensics, see the preliminary analysis posted by the Hague Police Unit on their official site.
