Botnet of more than 17 million devices dismantled

Botnet of more than 17 million devices dismantled - Ars Technica

Privacy Center

Currently, only residents from GDPR countries and certain US states can opt out of Tracking Technologies through our Consent Management Platform. Additional options regarding these technologies may be available on your device, browser, or through industry options like AdChoices. Please see our Privacy Policy for more information.

Social Media

• [x] On

These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

• * *

Essential

• [x] On

This website uses essential cookies and services to enable core website features and provide a seamless user experience. These cookies and services are used to facilitate features such as navigation, remember user preferences, and ensure the security of the website.

• * *

Targeted

• [x] On

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

• * *

Performance

• [x] On

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

• * *

Functional

• [x] On

This website uses functional cookies and services to remember your preferences and choices, such as language preferences, font sizes, region selections, and customized layouts. They enable this website to offer enhanced and personalized functionalities.

• * *

Audience Measurement

• [x] On

We use audience measurement cookies in order to carry out aggregated traffic measurement and generate performance statistics essential for the proper functioning of the site and the provision of its content (for example to measure performance, to detect navigation problems, to optimization technical performance or ergonomics, to estimate server power needed and to analyse content performance). The use of these cookies is strictly limited to measuring the site's audience. These cookies do not allow the tracking of navigation on other websites and the data collected is not combined or shared with third parties. You can refuse the use of this cookie by switching off the slider to the right.

OK

English Deutsch Español Français Italiano 日本語 繁體中文

en

Privacy Policy

Powered by

Skip to contentArs Technica home

Sections

ForumSubscribeSearch

• AI
• Biz & IT
• Cars
• Culture
• Gaming
• Health
• Policy
• Science
• Security
• Space
• Tech

• Feature
• Reviews

• AI
• Biz & IT
• Cars
• Culture
• Gaming
• Health
• Policy
• Science
• Security
• Space
• Tech

ForumSubscribe

Story text

Size Width * Links

• Subscribers only

Learn more

Pin to story

Theme

• HyperLight
• Day & Night
• Dark
• System

[Search](https://arstechnica.com/search/ "Search")

Sign In

Sign in dialog...

Sign in

Takedown

Botnet of more than 17 million devices dismantled

The botnet was reportedly tied to a Russia-based residential proxy network.

Dan Goodin – May 29, 2026 6:46 PM|[14](https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/#comments "14 comments")


Credit: Aurich Lawson / Ars Technica

Credit: Aurich Lawson / Ars Technica

Text settings

Story text

Size Width * Links

• Subscribers only

Learn more

Minimize to nav

Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center.

The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands.

Used for criminal purposes

“The police then seized several botnet servers from a hosting provider for investigation,” the NCSC said. “The botnet was taken offline by the provider because it was used for criminal purposes.”

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content.

Ars Video

[What Happens to the Developers When AI Can Code? | Ars Frontiers](https://www.arstechnica.com/video/watch/what-happens-to-the-developers-when-ai-can-code-ars-frontiers)

Ars was unable to independently confirm the NL Times report, but the claim checks out. Thursday’s NCSC post linked to a separate post that the nonprofit organization published a day earlier. That post, in turn, was updated to add a link to Thursday’s post. Wednesday’s post, headlined “Residential proxies and their major impact on digital security in the Netherlands,” warned: “Residential proxies are used to maintain anonymity and circumvent geographical restrictions. In this way, a Dutch organization can be attacked with Dutch proxies that have similarities with ‘regular’ traffic, making cybercrime mitigation more difficult.”

In 2024, security firm Human said its researchers found evidence that a botnet named Proxylib was tied to ASOCKS. The evidence included (1) Proxylib-infected IP addresses and port numbers that were returned by an Asocks proxy-list endpoint and (2) requests made to asocks[.]com exiting through an infected test device. Twenty-eight apps available in Google Play had enrolled as many as 190,000 devices into the Russia-headquartered proxy network without user approval.

Questions emailed to ASOCKS received no response.

It’s unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way. In some cases, such devices are infected through exploited software vulnerabilities or through the installation of malicious apps. In some cases, apps disclose the behavior, often in small or obscured print. Other times, apps disclose the proxy arrangement outright.

People who want to prevent their devices from being swept into botnets should install security updates in a timely manner and resist the urge to continue using software or devices that no longer receive them. People should carefully research apps before installing them and then only when they provide a true benefit. Apps should be uninstalled when they’re no longer needed.

Dan GoodinSenior Security Editor

Dan GoodinSenior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

[14 Comments](https://arstechnica.com/security/2026/05/botnet-of-more-than-17-million-devices-dismantled/#comments "14 comments")

Comments

Forum view

Loading comments...

[Prev story](https://arstechnica.com/health/2026/05/analysis-of-texas-measles-outbreak-shows-just-how-dangerous-virus-is/ "Go to: Analysis of Texas measles outbreak shows just how dangerous virus is")

[Next story](https://arstechnica.com/health/2026/05/kenyan-court-blocks-trump-admin-from-dumping-ebola-exposed-americans-there/ "Go to: Kenyan court blocks Trump admin from dumping Ebola-exposed Americans there")

Most Read

1.  1.The most spectacular rocket explosion since N1 just happened in Florida
2. 2.Here's why the failure of Blue Origin's New Glenn rocket is so catastrophic
3. 3.Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code
4. 4.Rocket Report: A dark day for Blue Origin; Pentagon eyes new launch site
5. 5.Websites have a new way to spy on visitors: Analyzing their SSD activity

Customize

[](https://arstechnica.com/) Ars Technica has been separating the signal from the noise for over 25 years. With our unique combination of technical savvy and wide-ranging interest in the technological arts and sciences, Ars is the trusted source in a sea of information. After all, you don’t need to know everything, only what’s important.

[](https://bsky.app/profile/arstechnica.com)[](https://mastodon.social/@arstechnica)[](https://www.facebook.com/arstechnica)[](https://www.youtube.com/@arstechnica)[](https://www.instagram.com/arstechnica/)

More from Ars

• About Us
• Staff Directory
• Ars Newsletters
• General FAQ
• Posting Guidelines
• AI Policy
• RSS Feeds

Contact

• Contact us
• [Advertise with us](mailto:adinquiries@condenast.com)
• Reprints

Manage Preferences

© 2026 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement and Privacy Policy and Cookie Statement and Ars Technica Addendum and Your California Privacy Rights. Ars Technica may earn compensation on sales from links on this site. Read our affiliate link policy. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices

Sign in dialog...

Sign in