Dutch Botnet Takedown Exposes Proxy Market Weak Spot
The Dutch botnet takedown announced on May 28 cut into a criminal network of at least 17 million infected devices. The joint Dutch botnet operation identified 200 servers in the Netherlands that controlled computers, tablets, smartphones and smart devices, then seized several servers while the hosting provider disconnected the network.
The Dutch Police, the national law enforcement agency, and the Netherlands’ National Cyber Security Centre (NCSC, the Dutch government’s cyber response center) did not name the service. The harder problem runs through the market for residential proxies, where a normal home connection becomes cover for someone else’s fraud, scanning, spam or password attack.
The Seized Servers Were the Control Layer
The case began with a security researcher report to the NCSC, which then alerted police. Investigators traced the backend to servers in the Netherlands. That mattered because it gave Dutch authorities and the provider a clear point of intervention once the criminal use was established.
In botnet terms, the servers were not the infected machines. They were the command-and-control (C2, servers that send instructions to infected devices) layer. Removing that layer can interrupt tasks sent to the bots, though it does not guarantee that every device has been cleaned.
- 17 million infected devices were counted by the Dutch investigation.
- 200 servers in the Netherlands were identified for action.
- May 28 was the date the NCSC published the notice, with the police page updated the next day.
The agencies said the hosting provider took the botnet offline because it was being used for criminal purposes. That leaves a crucial distinction for readers: offline means the control service was disrupted; it does not mean every router, phone or camera was remediated by its owner.

Residential Proxies Turn Trust Into Inventory
A residential proxy routes a customer’s web request through an Internet Protocol (IP, the network address websites see) assigned to a real home or small business. That can serve lawful uses, including testing how a website appears in different regions. The criminal appeal is sharper: the traffic looks like it comes from an ordinary home IP address, not a data center block that defenders already distrust.
NCSC’s residential proxy threat briefing says the method gives attackers anonymity and scale. The Federal Bureau of Investigation (FBI, the U.S. law enforcement agency), in its residential proxy public warning, says threat actors use the same routing trick to hide identities and locations through home and small business networks.
For security teams, that changes the sorting problem. A request from a hosting provider can be challenged, throttled or blocked. A request from a broadband address in the same city as the victim might look like a customer coming back from lunch.
- Credential stuffing, where stolen username and password pairs are tried at scale.
- Phishing and spam, where residential IP reputation can help messages or pages last longer.
- Distributed denial-of-service (DDoS, a traffic flood meant to overwhelm a site or service) attacks.
- Click fraud and ad fraud, where fake users need to look like real households.
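An added example, not from the original article or the agencies it cites: why a per-IP failure counter misses credential stuffing spread across residential exits, and how grouping attempts by a client fingerprint recovers the signal. The log fields, the `client_fp` fingerprint and the thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed login events: (ip, network_type, username, success, client_fp).
# client_fp is a hypothetical per-client fingerprint (e.g. a hash of request headers).
def build_sample_events():
    events = []
    # Normal customers: own home IP, own browser fingerprint, logins succeed.
    for i in range(20):
        events.append((f"198.51.100.{i}", "residential", f"user{i}", True, f"fp-home-{i}"))
    # One customer mistyping a password three times from a single home IP.
    for _ in range(3):
        events.append(("198.51.100.50", "residential", "user50", False, "fp-home-50"))
    # Stuffing run through a proxy pool: a new residential IP for every attempt,
    # a different username each time, one automation fingerprint, nearly all fail.
    for i in range(40):
        events.append((f"203.0.113.{i}", "residential", f"victim{i}", i == 7, "fp-tool-A"))
    return events

def per_ip_failures(events, threshold=5):
    """Classic control: flag any IP with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for ip, _net, _user, ok, _fp in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spread_by_fingerprint(events, min_ips=10, min_users=10, min_fail_ratio=0.8):
    """Flag fingerprints that fan out over many IPs and accounts and mostly fail."""
    stats = defaultdict(lambda: {"ips": set(), "users": set(), "total": 0, "fail": 0})
    for ip, _net, user, ok, fp in events:
        s = stats[fp]
        s["ips"].add(ip)
        s["users"].add(user)
        s["total"] += 1
        s["fail"] += 0 if ok else 1
    flagged = {}
    for fp, s in stats.items():
        ratio = s["fail"] / s["total"]
        if len(s["ips"]) >= min_ips and len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[fp] = (len(s["ips"]), len(s["users"]), round(ratio, 3))
    return flagged

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP rule flags:", per_ip_failures(ev))
    print("fingerprint spread flags:", spread_by_fingerprint(ev))
```

Every event in the sample is labelled residential, so network type alone separates nothing; the only thing that distinguishes the run is how one client spreads across addresses and accounts.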
App Monetization Fed the Proxy Supply
The Dutch agencies did not publicly identify the operator, so the primary record stops at servers and device count. A separate research trail shows how this market gets fed. HUMAN Security, a bot defense company, said its Satori Threat Intelligence and Research Team found Android apps that enrolled user devices into a proxy network without clear user awareness.
In HUMAN’s PROXYLIB and LumiApps research, the company described a Golang library that turned phones into residential proxy nodes. The work began with Oko VPN, a free virtual private network app, then expanded to 28 related applications. HUMAN said the Google Play Store, Google’s official Android app marketplace, removed those apps after the findings.
The same report said Satori researchers found evidence connecting PROXYLIB to Asocks, a residential proxy seller, and later to LumiApps, a software development kit (SDK, code that developers add to apps to deliver a feature or service). That is where three supply lines meet: compromised devices, apps that bury proxy behavior in permissions, and developers paid for bandwidth they do not own in any meaningful sense.
This is why a takedown built around servers is only a partial answer. If devices are enrolled through malware, app bundles or vague consent screens, the supply can be rebuilt anywhere users keep installing free tools that ask for broad network access.
Recent Cases Show the Same Business Model
The Dutch action landed after a run of official botnet disruptions built around the same commodity: other people’s devices. Some cases are DDoS businesses. Others are proxy services that rent residential exit points. The table below shows why the Dutch number stands out and why it fits a wider enforcement pattern.
| Case | Public Scale | Device Mix | Official Action |
|---|---|---|---|
| Dutch Police and NCSC botnet | At least 17 million infected devices and 200 Dutch servers | Computers, tablets, smartphones and smart devices | Several servers seized; hosting provider disconnected the network |
| SocksEscort and AVrecon | About 369,000 devices in roughly 163 countries, according to the FBI AVrecon technical alert | Routers and Internet of Things (IoT, network-connected devices such as cameras, routers and TV boxes) | FBI and partners disrupted the proxy service after AVrecon infections were sold as residential proxies |
| Aisuru, KimWolf, JackSkid and Mossad | More than 3 million infected devices as of March, according to the Department of Justice botnet disruption notice | Digital video recorders, web cameras and Wi-Fi routers | U.S., Canadian and German actions targeted C2 domains, virtual servers and operators |
SocksEscort shows the router side of the problem. The FBI said AVrecon targeted about 1,200 device models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link and Zyxel, mostly small-office and home-office routers. In some cases, the malware modified firmware in ways that made removal difficult.
The DDoS cases show the demand side. The U.S. Justice Department said the four botnets launched hundreds of thousands of attack commands and that some attacks measured about 30 terabits per second. The same devices used to knock services offline can also be rented, routed or resold.
Device Owners Carry the Cleanup Burden
Law enforcement can seize servers. It usually cannot log in to every living room router, Android TV box or small business camera and patch it. That cleanup burden falls on owners, internet providers, device makers and IT teams that may not even know a device has been lending its bandwidth to someone else.
"Devices can become part of a botnet when they are accessible to malicious actors."
That sentence appears in the English version of the NCSC notice. Its plainness is useful. The weak point may be a default password, an unpatched router, a sideloaded streaming app, a fake free VPN or a device so old that the vendor no longer ships security fixes.
For households and small offices, the fastest checks are boring but effective:
- Open the router admin page and check whether firmware updates are available.
- Change default administrator passwords on routers, cameras, storage devices and TV boxes.
- Remove free VPN, proxy, streaming or browser extension tools you do not recognize.
- Put cameras, smart TVs and other low-trust devices on a guest or segmented network when possible.
- Watch for sudden CAPTCHA prompts, account challenges, unexplained data use or notices that your IP address has been blocked.
The Cybersecurity and Infrastructure Security Agency (CISA, the U.S. cyber defense agency) home network security guidance points to the same basics: firmware updates, changed default passwords and safer Wi-Fi settings. None of that is glamorous. It is still the difference between owning a device and donating it to someone else’s attack platform.
The Trust Problem Outlasts One Takedown
There is a temptation after a case this large to treat the number as the story and the seizure as the ending. A case at this scale exists because attackers found cheap supply, paying customers and a defensive blind spot around residential traffic.
That blind spot has consequences beyond botnet headlines. Banks looking for account takeover, retailers fighting sneaker bots, ad exchanges filtering fake clicks and cloud providers absorbing DDoS traffic all rely in some way on judging whether a connection looks normal. Residential proxies poison that judgment by making hostile traffic look local, familiar and human.
For Dutch authorities, the seizure is a clean win. For defenders, the proxy market survives as long as millions of poorly managed devices remain online and bandwidth can be quietly converted into a product. If defenders treat this case as a one-service cleanup, the next pool simply moves. If they treat residential IP trust as the abused asset, the next takedown has a smaller market waiting.
