17 Million Devices Just Got Rescued From A Massive Global Botnet
The joint operation, executed by the Cybercrime Team of the Police Unit The Hague and the Dutch National Cyber Security Centre (NCSC), began after a private security researcher discovered the network and flagged it to authorities. Investigators subsequently pressured a local hosting provider, which cooperated by taking the malicious infrastructure offline while police seized multiple servers for forensic analysis.
The compromised network has been linked to ASOCKS, a Russia-headquartered company operating a so-called commercial residential proxy service, which allows buyers to route internet traffic through everyday consumer hardware, making illicit activities appear legitimate. Security firm Human had previously tied ASOCKS to a botnet called Proxylib that stealthily enrolled hundreds of thousands of Android devices through seemingly benign apps available on Google Play.
The botnet operators were able to infect and quietly gain control of poorly protected hardware including computers, routers, tablets, smartphones, and internet-of-things (IoT) devices, such as smart security cameras. The owners of these devices typically had no idea their hardware was being used as a shield for external threat actors.

Investigators have not detailed exactly how all 17 million endpoints were compromised, but proxy botnets generally spread by exploiting unpatched software vulnerabilities, cracking default login credentials, or bundling proxy scripts into free software. In some cases, consumers unwittingly agree to share their bandwidth when installing free applications, through a clause buried deep within obscure terms of service agreements.