Dutch Police and NCSC Dismantle 17 Million-Device Botnet From Netherlands Servers

Dutch authorities dismantled a massive botnet that controlled more than 17 million infected devices in one of the largest cybercrime disruptions in recent years, in a joint operation involving the Dutch National Police and the National Cyber Security Centre (NCSC).

“Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center”

Ars Technica

Investigators identified around 200 servers that managed the network’s infrastructure, and officials said the servers operated from hosting facilities inside the Netherlands.

Ars Technica

The investigation began after a cybersecurity researcher alerted the NCSC about suspicious activity tied to a sprawling proxy network, and police later seized several servers connected to the network.

Authorities said the botnet supported phishing campaigns, spam distribution, and distributed denial-of-service attacks targeting online services, while hosting providers disabled parts of the infrastructure after confirming the systems supported criminal activity.

The NCSC and Dutch police said the botnet was taken offline after the Police Unit The Hague confiscated 200 servers from the hosting provider for forensic examination.

The operation centered on a “residential proxy service” model, where cybercriminals covertly infected poorly protected consumer devices and then used those compromised devices to route internet traffic and launch large-scale cyberattacks without the owners’ knowledge.

The NCSC explained that “Because residential proxies use real, trusted IP addresses, malicious use of them is much more difficult to detect or block,” and it added that many security systems and websites trust residential proxy IPs more than data-center or anonymous VPN traffic.

France 24

In the same NCSC advisory, the agency warned that “Residential proxies are used to maintain anonymity and circumvent geographical restrictions,” making it difficult to mitigate cybercrime.

The NCSC also advised users to change default passwords right away, ensure Wi-Fi is secured with WPA2 or WPA3, and install software updates as soon as they become available.

Ars Technica reported that the NCSC said the botnet was taken offline by the provider because it was used for criminal purposes, and it described the host infrastructure as located in the Netherlands.

Dutch authorities said they did not identify suspects connected to the operation, and the investigation remained ongoing after police and the NCSC disrupted the infrastructure tied to the botnet.

“Europol and Eurojust announce that they have dismantled a major pro-Russian hacker group”

France 24

The takedown was framed by the NCSC as a warning about insecure internet-connected devices, with officials saying poorly secured devices often become entry points for malicious software that attackers can remotely control without owners noticing suspicious behavior.

Officials urged consumers and businesses to strengthen device security, including installing software updates quickly and replacing default passwords on routers and smart devices, while also recommending enabling two-factor authentication and monitoring devices connected to home networks regularly.

In parallel, the NCSC and Dutch police advised users to secure Wi-Fi with WPA2 or WPA3 and to install updates as soon as they become available, reflecting the agencies’ focus on reducing exposure to proxy botnets.

The NCSC’s post also emphasized that residential proxies can resemble “regular” traffic, and it warned that this overlap complicates cybercrime detection and mitigation efforts for security teams.