Botnet Takedown Dismantled 200 Servers: Asocks Malware Still Runs on 17 Million Devices

Dutch police seized 200 Asocks servers, but proxy malware on 17 million devices persists, no suspects charged.


Dutch law enforcement dismantled one of the largest criminal proxy networks in recorded history on May 28 and 29, 2026, seizing 200 command servers from a Netherlands hosting provider and cutting off the infrastructure behind Asocks, a Russia-linked residential proxy service that had quietly infected at least 17 million devices across 163 countries. The malware on every one of those routers, smartphones, and internet-connected gadgets remains installed — and each device is available for re-enrollment the moment a new operator or rebuilt network reaches out.

The Dutch National Police Cybercrime Team at The Hague, working with the National Cyber Security Centre (NCSC), announced the operation on May 29, 2026, following the previous day's raids. The probe began when an unnamed private security researcher filed a tip with the NCSC, which passed it to the police's cybercrime unit. A months-long investigation that followed mapped the full scale of the botnet and traced all 200 of its command-and-control servers to a single Netherlands hosting provider. That provider, once it confirmed the criminal purpose of the traffic running through its infrastructure, voluntarily took the entire network offline.

"The investigation revealed that the botnet consisted of at least 17 million infected devices and that the 200 servers used to host the infrastructure were located in the Netherlands," the NCSC stated. "The police subsequently seized several botnet servers from a hosting provider for investigation purposes. The hosting provider took the botnet offline because it was being used for criminal activities."

What Asocks Sold: Residential IP Addresses Rented to Cybercriminals

Asocks was not a conventional hacking tool. It was a commercial service. According to reporting by Dutch media outlet NL Times and confirmed by subsequent coverage in The Hacker News and Help Net Security, the network operated as a residential proxy service — a business model built on routing paying customers' internet traffic through compromised consumer devices. Monthly subscriptions were advertised at $5 to $15 per proxy, with bulk discounts for larger purchases. HUMAN Security's Satori researchers described Asocks as a Russia-based service promoted to cybercriminals on Russian-language hacking forums.

The distinction between a residential proxy and a standard datacenter proxy matters to every security system the traffic passes through. Datacenter IP addresses are well-known to web filters and fraud-detection systems; residential IP addresses are not. A request routed through a hijacked home router looks, to every internet security tool it encounters, like a legitimate household or small business connection.

"Because residential proxies use real, trusted IP addresses, malicious use of them is much more difficult to detect or block," the NCSC warned in an advisory published the day before the takedown. "Many security systems and websites trust traffic from residential proxy IPs more than traffic from data centers or anonymous VPNs. After all, the residential proxies belong to regular citizens who may just as well be an employee or a customer."

That cover made the network valuable for distributed denial-of-service amplification, phishing infrastructure, spam campaigns, credential stuffing and brute-force attacks, click fraud, SMS pumping, and malware distribution. Asocks's own marketing materials claimed access to roughly 7 million IP addresses across 150 locations and a customer base of 100,000 clients — numbers that, if accurate, indicate a substantial commercial operation advertising openly on the web and on Russian-language hacking forums.

How Asocks Reached 17 Million Devices: The PROXYLIB Supply-Chain Attack

The botnet did not grow to 17 million devices through direct exploitation alone. HUMAN Security's Satori Threat Intelligence team identified a key infection mechanism in April 2024: a code library called PROXYLIB, embedded in a legitimate Android monetization tool called LumiApps, was silently enrolling app users' devices into the proxy network. Developers who integrated LumiApps into their applications to earn ad revenue were unknowingly turning their users into botnet nodes.

HUMAN Security researchers found a direct technical link between LumiApps and Asocks: registration email headers from the LumiApps service pointed to a domain that, as recently as February 2023, hosted an unstylized version of the Asocks website. Researchers concluded the two services were "connected and potentially owned or operated by the same threat actor." Following the disclosure, Google removed 28 affected apps from the Play Store.

This supply-chain infection model — embedding proxy-enrollment code inside a widely adopted developer SDK rather than launching direct exploits — explains how the Asocks network reached across 163 countries and across virtually every device category: not just PCs and smartphones, but home routers, smart cameras, and IoT devices that have no antivirus software at all.

Botnet Takedown: What Was Seized, and What Was Not

Seizing 200 command-and-control servers and cutting a botnet's management infrastructure is a significant operational achievement. It disrupts the operators' ability to issue instructions, collect data harvested from compromised endpoints, and route paying customers' traffic through the infected devices.

It does not clean the 17 million infected devices.

The malware installed on each router, phone, and IoT gadget before the raid remains in place. Each device remains capable of re-enrollment by the same operators rebuilding their network elsewhere, or by entirely different criminal actors scanning for known-compromised devices. Security researcher Roland Dobbins, cited by KrebsOnSecurity in related coverage, noted in the context of comparable takedowns that "even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in" — a warning that applies with equal force to unpatched devices freed by any botnet disruption.

The Asocks website remained accessible in the days following the operation, suggesting that the commercial infrastructure behind the service was not fully destroyed. No arrests have been announced. The Dutch authorities have not named any suspects. The investigation is described as ongoing.

What Makes Residential Proxy Malware Harder to Detect Than Standard Botnets

Standard DDoS botnets and spam networks announce themselves through unusual traffic spikes and IP addresses that security filters already recognize as suspicious. Residential proxy malware is specifically designed to avoid that signal. The infected device does not DDoS anyone directly — it simply relays other people's traffic. The load on a compromised home router may be imperceptible to its owner. There is no ransom demand, no popup, and no slowdown obvious enough to prompt a call to the internet service provider.

"Devices can become part of a botnet when they are accessible to malicious actors," the NCSC stated in its advisory. The practical implication is that millions of the owners of the 17 million affected devices have no idea they are compromised and may remain unaware even after this takedown.

Part of Broader Dutch Enforcement Push Against Criminal Infrastructure

The Asocks operation was the second major criminal-infrastructure action by Dutch authorities in eight days. On May 22, 2026, the Dutch Fiscal Information and Investigation Service and the National Police arrested two suspects and seized servers linked to the Stark Industries bulletproof-hosting operation, a Russia-linked service used by attackers and disinformation operators to evade network sanctions.

The Asocks takedown also extends a lengthening list of residential proxy botnet disruptions. In March 2026, Operation Lightning — a joint US-Dutch-European action — dismantled SocksEscort, a residential proxy service that had compromised approximately 369,000 devices and defrauded US victims of millions of dollars, including $1 million stolen from one cryptocurrency exchange customer and $700,000 from a manufacturing company. In May 2025, a joint US-Dutch action called Operation Moonlander brought down the Anyproxy and 5Socks proxy-for-rent services, resulting in indictments against three Russian nationals and one Kazakh national.

The residential proxy market has proven structurally resilient to individual takedowns. Bitsight research published in April 2026 found that after the IPIDEA residential proxy network was disrupted in January 2026, device counts at the service's successor infrastructure returned to pre-disruption levels within a single day, driven by demand that simply migrated rather than disappeared.

How to Check if Your Router Is Part of a Botnet

The Dutch NCSC offered specific guidance for device owners in its May 27 advisory. Users and network administrators should keep operating systems, router firmware, and applications up to date so that known vulnerabilities are patched. Default router credentials — the factory-set username and password that most users never change — are the single easiest entry point for botnet operators and should be replaced with unique passwords immediately. Two-factor authentication should be enabled wherever supported. All edge devices on a network should be regularly inventoried and audited.

For devices already suspected to be compromised, a factory reset removes most malware; however, devices returned to their original factory firmware and default credentials are immediately vulnerable to re-infection. After any reset, firmware must be updated to the current version and default credentials changed before reconnecting the device to the internet.
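The NCSC guidance above (current firmware, no default credentials, 2FA where supported, regular edge-device audits, and no reconnection after a reset until firmware and credentials are fixed) can be turned into a repeatable inventory check. The script below is an added example written for this article, not a tool from the NCSC or Dutch police; the device records, version numbers, and 90-day audit interval are constructed assumptions.

```python
"""Audit an edge-device inventory against the NCSC hardening guidance quoted above."""
from dataclasses import dataclass
from datetime import date


@dataclass
class EdgeDevice:
    name: str
    firmware: str          # installed version, e.g. "2.4.1"
    latest_firmware: str   # current vendor release, e.g. "2.5.0"
    default_creds: bool    # factory username/password still in use
    mfa_supported: bool
    mfa_enabled: bool
    last_audit: date


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit_device(dev: EdgeDevice, today: date, max_audit_days: int = 90) -> list:
    """Return the findings for one device; an empty list means it passes every check."""
    findings = []
    if parse_version(dev.firmware) < parse_version(dev.latest_firmware):
        findings.append(f"firmware outdated ({dev.firmware} < {dev.latest_firmware})")
    if dev.default_creds:
        findings.append("default credentials in use")
    if dev.mfa_supported and not dev.mfa_enabled:
        findings.append("2FA supported but not enabled")
    stale_days = (today - dev.last_audit).days
    if stale_days > max_audit_days:
        findings.append(f"not audited in {stale_days} days")
    return findings


def safe_to_reconnect(dev: EdgeDevice) -> bool:
    """Post-reset rule: reconnect only once firmware is current and default credentials are gone."""
    return (parse_version(dev.firmware) >= parse_version(dev.latest_firmware)
            and not dev.default_creds)


def audit_inventory(devices, today: date) -> dict:
    """Map each device name to its list of findings."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory for illustration only (not real devices or versions).
SAMPLE = [
    EdgeDevice("home-router", "2.4.1", "2.5.0", True, True, False, date(2026, 1, 10)),
    EdgeDevice("lobby-camera", "1.0.3", "1.0.3", False, False, False, date(2026, 5, 1)),
]
TODAY = date(2026, 5, 29)

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```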

The Institute for Security and Technology warned in a February 2026 policy brief that as long as consumer hardware ships without mandatory security baselines, residential proxy botnets will continue to find an endless supply of recruitable devices. The Asocks takedown removed one criminal operation's command infrastructure. The conditions that enabled it — millions of unpatched, default-credential devices permanently exposed to the internet — remain entirely intact.


Frequently Asked Questions

What is the Asocks botnet and why was it dismantled?

Asocks was a commercial residential proxy service that rented access to a network of at least 17 million covertly infected consumer devices — routers, smartphones, tablets, and smart cameras — to paying cybercriminals who used them to disguise malicious traffic as ordinary household internet connections. Dutch police and the NCSC seized 200 command servers from a Netherlands hosting provider on May 28, 2026, after a private security researcher tipped off Dutch authorities, who investigated for months before executing the raid.

What is a residential proxy botnet?

A residential proxy botnet is a network of consumer devices — home routers, smartphones, and smart-home gadgets — infected with malware and secretly enrolled to relay other people's internet traffic. Because the traffic appears to originate from real residential IP addresses rather than data centers, security filters treat it as legitimate. Operators rent access to this network to cybercriminals who use it to hide the true origin of phishing attacks, credential-stuffing campaigns, and distributed denial-of-service floods.

How do I know if my router is part of a botnet?

Residential proxy malware is designed to run silently, so most infected device owners notice nothing unusual. Warning signs can include unexplained spikes in data usage, reduced connection speeds, or inability to log into your router's admin panel. The Dutch NCSC recommends checking whether your router's firmware is current, replacing default credentials with a unique password, and performing a factory reset if compromise is suspected — followed immediately by a firmware update and credential change before reconnecting.

Can a factory reset remove botnet malware from a router?

A factory reset removes most botnet malware, but it restores the device to its original factory firmware and default credentials — both of which are the conditions that made it vulnerable in the first place. Any device that is reset without immediately updating its firmware and changing its default password can be re-infected within minutes of reconnecting to the internet, according to security researchers who have tracked comparable botnets.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
