Dutch Authorities Dismantle 17-Million Device Botnet Linked to Residential Proxy Services

A Massive Infrastructure Collapse
In a coordinated strike against global cybercrime infrastructure, authorities in the Netherlands have dismantled a botnet consisting of more than 17 million compromised devices. The operation, led by the Dutch police in collaboration with the National Cyber Security Center (NCSC), resulted in the seizure and shutdown of 200 servers that served as the command-and-control nerve center for the network.
The takedown was triggered after a security researcher flagged the sprawling infrastructure to the government. According to the NCSC, the hosting infrastructure was physically located within the Netherlands, which allowed local law enforcement to act decisively. The servers were seized from a hosting provider, which took the network offline after confirming that the infrastructure was being used for criminal activity.
The Proxy Loophole: How Residential Networks Mask Attacks
While the NCSC focused on the technical seizure, reporting from the NL Times suggests the botnet was closely linked to ASOCKS, a Russia-based company specializing in residential proxy services. This distinction is critical to understanding how the botnet operated and why it posed such a significant risk to digital security.
Unlike traditional data center proxies, residential proxies route internet traffic through IP addresses that consumer ISPs assign to real households. Requests therefore carry the reputation of an ordinary subscriber rather than that of a hosting provider, allowing actors to obscure their identity and location by mimicking ‘regular’ user traffic. For a cybercriminal, this is an invaluable tool for circumventing geographical restrictions and for bypassing security filters that block or challenge traffic from data center ranges known to host malicious activity.
The NCSC explicitly warned that this methodology makes cybercrime mitigation significantly more difficult. When a Dutch organization is attacked using Dutch residential proxies, the traffic appears local and benign, effectively neutralizing many standard perimeter defenses.
The Connection to Proxylib and App Store Malware
The link between ASOCKS and illicit botnet activity is not new. Earlier in 2024, security firm Human reported that its researchers had identified evidence connecting ASOCKS to a botnet known as Proxylib. Their findings included a direct correlation between Proxylib-infected IP addresses and endpoints provided by the ASOCKS proxy list.
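The correlation Human describes, matching a set of IP addresses observed as infected against the endpoints a proxy vendor publishes, is simple to reproduce on your own data. The following is an added example, not code from Human, ASOCKS or the Dutch authorities; the infected-IP set and the proxy-list text are constructed sample data, and the function names are assumptions. It parses a vendor-style "ip:port" list (tolerating bracketed IPv6 entries, bare addresses and junk lines), intersects it with the infected set at exact-address granularity, and also reports the overlap at /24 (IPv4) or /64 (IPv6) granularity, which is useful when a residential subscriber's address churns between observations.

```python
import ipaddress

# Constructed sample telemetry: addresses seen beaconing to a Proxylib
# C2 (hypothetical; not data from Human's report).
PROXYLIB_INFECTED = {
    "203.0.113.7", "203.0.113.9", "203.0.113.250",
    "198.51.100.21", "192.0.2.44", "2001:db8::1234",
}

# Constructed sample proxy list in the "ip:port" style a residential
# proxy vendor might publish, including a malformed line and a bare IP.
PROXY_LIST_RAW = """
203.0.113.7:8080
203.0.113.9:8080
203.0.113.42:3128
198.51.100.21:1080
198.51.100.99:1080
[2001:db8::1234]:9050
not-an-ip:80
192.0.2.45
"""


def parse_proxy_list(raw):
    """Return the set of ip_address objects found in a vendor proxy list.

    Accepts 'v4:port', '[v6]:port', bare v4 and bare v6 entries; lines
    that do not contain a valid address are skipped.
    """
    endpoints = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host = line
        if line.startswith("[") and "]" in line:      # [v6]:port
            host = line[1:line.index("]")]
        elif line.count(":") == 1:                    # v4:port
            host = line.rsplit(":", 1)[0]
        try:
            endpoints.add(ipaddress.ip_address(host))
        except ValueError:
            continue                                  # junk line
    return endpoints


def _neighborhood(addr):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network."""
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def correlate(infected, proxy_endpoints):
    """Overlap between infected addresses and a proxy vendor's endpoints.

    Returns exact shared addresses plus the networks shared at /24 or /64
    granularity, with counts the analyst can turn into an overlap ratio.
    Addresses are rendered as strings so mixed v4/v6 results sort.
    """
    infected_addrs = {ipaddress.ip_address(ip) for ip in infected}
    shared = infected_addrs & proxy_endpoints
    infected_nets = {_neighborhood(a) for a in infected_addrs}
    proxy_nets = {_neighborhood(a) for a in proxy_endpoints}
    shared_nets = infected_nets & proxy_nets
    return {
        "shared": sorted(str(a) for a in shared),
        "shared_count": len(shared),
        "infected_count": len(infected_addrs),
        "shared_networks": sorted(str(n) for n in shared_nets),
        "infected_network_count": len(infected_nets),
    }


if __name__ == "__main__":
    result = correlate(PROXYLIB_INFECTED, parse_proxy_list(PROXY_LIST_RAW))
    print(f"{result['shared_count']}/{result['infected_count']} infected "
          f"addresses appear verbatim in the proxy list: {result['shared']}")
    print(f"{len(result['shared_networks'])}/{result['infected_network_count']} "
          f"infected neighborhoods overlap: {result['shared_networks']}")
```

Exact-address overlap is the strongest signal, but residential addresses are dynamic, so a /24 or /64 match between the two lists observed on different days is still worth noting; a high ratio at either level is what turns a proxy vendor's list into evidence that it is being fed by a botnet.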
The method of infection often involves the “Trojan horse” approach through legitimate-looking applications. Research indicated that at least 28 apps available on the Google Play Store had enrolled as many as 190,000 devices into the network without explicit user consent. In many of these cases, the proxy arrangement is buried deep within obscure terms of service or omitted entirely, effectively turning a user’s smartphone or home router into a node for global cyberattacks.
The Scale of the Compromise
It remains unclear exactly how the 17 million devices in this specific takedown were compromised. However, the pattern usually follows three distinct paths: the exploitation of unpatched software vulnerabilities, the installation of malicious third-party apps, or “grey-ware” apps that disclose their proxy behavior in fine print to provide a veneer of legality.
These devices are typically used for a variety of malicious ends, including distributed denial-of-service (DDoS) attacks, phishing campaigns, and large-scale content scraping. By spreading requests across 17 million unique residential IPs, the operators could launch attacks that are nearly impossible to block by IP address without also cutting off the legitimate subscribers who share those addresses.
Requests for comment from ASOCKS have gone unanswered. For now, the dismantling of the 200 servers represents a major setback for the network’s operators, though the persistence of residential proxy demand suggests that similar infrastructures will likely emerge to fill the void.