Massive 17-Million Device Botnet in the Netherlands Dismantled in a Police and NCSC Joint Operation
- Botnet Infrastructure Dismantled: The Police and NCSC successfully took down 200 servers controlling 17 million compromised devices.
- Targeted Cybercriminal Activity: The illicit network infected computers, smartphones, and tablets to carry out cyberattacks.
- Mitigation and Prevention: Security professionals mandate prompt patching, two-factor authentication, and securing network perimeters.
A botnet of 17 million devices, with infrastructure hosted on 200 servers located in the Netherlands, was recently dismantled. On May 28, 2026, the Police and the National Cyber Security Center (NCSC) announced the joint operation that successfully took the unnamed botnet offline.
The botnet was initially discovered by a security researcher, who reported the anomaly to the NCSC. The NCSC subsequently informed the Police, who initiated a comprehensive forensic investigation.
Infrastructure Takedown and Seizure
The joint investigation revealed that the threat actors controlled the compromised devices, which included computers, tablets, and smartphones, using approximately 200 infrastructure servers physically located within the Netherlands.
During the operation, the Police seized several botnet servers from a local hosting provider for ongoing investigation purposes. According to the NCSC, the hosting provider permanently took the botnet offline following the seizure because the infrastructure was actively being used for criminal activities.
Some reports suggest the law enforcement operation targeted the Asocks network, which operated as a “residential proxy service.”
Defensive Posture and Prevention Guidance
To keep devices from being recruited into a botnet, the NCSC issued explicit prevention guidance. Users and network administrators must keep operating systems, routers, and apps up to date. It is critical to maintain full visibility of all edge devices operating on the network.
The NCSC advises users to:
- Implement strong, unique passwords.
- Enable two-factor authentication wherever possible.
- Only install software from trusted sources.
- Secure Wi-Fi networks using WPA2 or WPA3 encryption.
- Immediately change default hardware passwords.
- Utilize comprehensive antivirus or security software.
- Regularly check all connected devices.
In March, an international law enforcement initiative dubbed Operation Lightning dismantled the SocksEscort proxy network, which operated by hijacking small-office and home-office (SOHO) routers using the AVRecon botnet.
Around the same time, Aisuru, KimWolf, JackSkid, and Mossad were also taken down, and Asus routers were hijacked by the KadNap botnet to serve as malicious proxies. In January, the IPIDEA proxy network was disrupted.






