
Botnet of more than 17 million devices dismantled - Ars Technica



The botnet was reportedly tied to a Russia-based residential proxy network.



Dan Goodin - May 29, 2026 2:46 pm



Aurich Lawson / Ars Technica








Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and was managed by 200 servers, in a joint operation by the police and the National Cyber Security Center.

The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands.

Used for criminal purposes

"The police then seized several botnet servers from a hosting provider for investigation," the NCSC said. "The botnet was taken offline by the provider because it was used for criminal purposes."

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, conducting phishing operations, and scraping website content.

Ars was unable to independently confirm the NL Times report, but the claim checks out. Thursday's NCSC post linked to a separate post that the nonprofit organization published a day earlier. That post, in turn, was updated to add a link to Thursday's post. Wednesday's post, headlined "Residential proxies and their major impact on digital security in the Netherlands," warned: "Residential proxies are used to maintain anonymity and circumvent geographical restrictions. In this way, a Dutch organization can be attacked with Dutch proxies that have similarities with 'regular' traffic, making cybercrime mitigation more difficult."





In 2024, security firm Human said its researchers found evidence that a botnet named Proxylib was tied to ASOCKS. The evidence included (1) Proxylib-infected IP addresses and port numbers that were returned by an ASOCKS proxy-list endpoint and (2) requests made to asocks[.]com exiting through an infected test device. Twenty-eight apps available in Google Play had enrolled as many as 190,000 devices into the Russia-headquartered proxy network without user approval.

Questions emailed to ASOCKS received no response.

It's unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way. In some cases, such devices are infected through exploited software vulnerabilities or through the installation of malicious apps. In some cases, apps disclose the behavior, often in small or obscured print. Other times, apps disclose the proxy arrangement outright.

People who want to prevent their devices from being swept into botnets should install security updates in a timely manner and resist the urge to continue using software or devices that no longer receive them. People should carefully research apps before installing them, and then install them only when they provide a true benefit. Apps should be uninstalled when they're no longer needed.



Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

