Dutch Botnet Takedown: 17 Million Devices Were Used as Cybercrime Proxies

Dutch police and NCSC took down a 17 million-device botnet. Check routers, IoT devices, proxy apps, and strange outgoing traffic.

Dutch police and the Netherlands’ National Cyber Security Centre (NCSC) say they helped take a major botnet offline after investigators traced its backend to more than 200 servers in the Netherlands. The botnet controlled at least 17 million infected devices, including computers, tablets, smartphones, routers, and other consumer equipment, and used them to support cyberattacks without the owners’ knowledge.[1]

The official police notice was published on May 28, 2026, and updated on May 29. It says the case started with a report from an NCSC security researcher, after which NCSC and the cybercrime team in The Hague investigated the infrastructure. Police seized several servers for analysis, and the hosting provider took the criminal infrastructure offline.[1]


The authorities did not publicly name the botnet. Security press reports linked it to a residential proxy service, but that attribution should be treated as reporting rather than an official Dutch government finding. The harder lesson is broader: compromised home and office devices are increasingly being converted into proxy infrastructure that makes malicious traffic look like it came from ordinary households.

What users and defenders should check now

A botnet is not only useful for loud DDoS traffic. NCSC warned one day before the takedown that residential proxies can support phishing and spam, credential-stuffing, brute-force attacks, click fraud, SMS pumping, malware delivery, and command-and-control evasion because traffic comes from real consumer IP addresses.[2] That makes reputation-based blocking harder, especially when attacks are spread across thousands or millions of ordinary connections.

For home users, the immediate action is practical rather than exotic. Update router firmware, phones, tablets, smart cameras, TV boxes, and any device that still receives security patches. Replace default passwords with unique credentials. Disable remote administration panels unless they are truly needed. Remove free VPN, proxy, streaming, PDF tool, or browser-extension software that you do not trust. Strange CAPTCHA prompts, unexplained bandwidth spikes, antivirus alerts about proxy or tunneling software, or warnings that your IP address is blocked can be signs that a device or connection is being abused.[2]

For small businesses and site operators, the useful triage is to look at outbound traffic, not just inbound alerts. Check whether IoT segments, guest networks, and unmanaged endpoints are making unexpected SOCKS, HTTP proxy, or long-running encrypted connections. Separate smart devices from workstations, block unnecessary outbound proxy ports where possible, and treat unknown bandwidth use as an incident signal. The older BlackProxies residential proxy case shows why this market keeps attracting abuse: attackers want trusted-looking IP addresses, not just raw bandwidth.
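The outbound triage described above, sketched as an added example (not code from the police or NCSC notices): it flags flows from IoT and guest segments to external hosts on common proxy ports or over multi-hour encrypted sessions. The subnet layout, port list, duration threshold and flow records are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: addressing plan, port list and threshold are illustrative.
INTERNAL = ip_network("192.168.0.0/16")
WATCHED_SEGMENTS = {"iot": ip_network("192.168.20.0/24"),
                    "guest": ip_network("192.168.30.0/24")}
PROXY_PORTS = {1080: "SOCKS", 3128: "HTTP proxy", 8080: "HTTP proxy"}
LONG_TLS_SECONDS = 4 * 3600  # encrypted session held open for hours

# Constructed flow export (not real traffic; external hosts use documentation ranges).
SAMPLE_FLOWS = """src,dst,dst_port,duration_s,bytes_out
192.168.20.14,203.0.113.50,1080,620,48211003
192.168.20.14,192.168.20.1,53,1,120
192.168.30.7,198.51.100.9,443,30,18000
192.168.20.31,198.51.100.77,443,86000,912000444
192.168.10.5,203.0.113.50,3128,400,5000
192.168.30.22,203.0.113.80,8080,95,730000
"""

def segment_of(addr):
    """Return the watched segment name for a source IP, or None."""
    ip = ip_address(addr)
    for name, net in WATCHED_SEGMENTS.items():
        if ip in net:
            return name
    return None

def triage(flow_csv):
    """Return (src, segment, dst, port, reason) for each suspicious outbound flow."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        seg = segment_of(row["src"])
        if seg is None or ip_address(row["dst"]) in INTERNAL:
            continue  # only outbound flows from watched segments
        port, duration = int(row["dst_port"]), int(row["duration_s"])
        if port in PROXY_PORTS:
            reason = f"{PROXY_PORTS[port]} port"
        elif port == 443 and duration >= LONG_TLS_SECONDS:
            reason = "long-running encrypted session"
        else:
            continue
        findings.append((row["src"], seg, row["dst"], port, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

Port matching is a first-pass heuristic: a proxy tunnel carried over port 443 only surfaces through the duration check, so findings are leads for endpoint inspection rather than verdicts.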

The Dutch action also fits a familiar pattern in botnet disruption: law enforcement can cut command infrastructure, but infected devices may remain vulnerable if owners do not patch or clean them. The Qakbot takedown was another reminder that backend seizures reduce criminal capacity, yet defenders still have to verify endpoints and accounts. If your network recently showed proxy, DDoS, or spam behavior, do not assume the takedown solved the local infection.

BleepingComputer reported that it contacted the named proxy service mentioned in press coverage for comment and had not received a response by publication time.[3] Until Dutch authorities publish more technical indicators, the safest conclusion is conservative: look for signs of unwanted proxyware or malware on routers, phones, and IoT devices, then reduce the chance that those devices can quietly become somebody else’s attack infrastructure.

References

  1. Dutch National Police, “Politie en NCSC halen groot botnetwerk offline”, published May 28, 2026; updated May 29, 2026.
  2. NCSC Netherlands, “Residential proxies en hun grote impact op de digitale veiligheid in Nederland”, May 27, 2026; updated May 28, 2026.
  3. BleepingComputer, “Dutch govt disrupts malware botnet with 17 million infected devices”, May 29, 2026.
  4. The Hacker News, “Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices”, May 31, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
