Summary
- Dutch police and the NCSC say they acted against 200 servers controlling at least 17 million infected devices.
- The servers were hosted in the Netherlands and used to control computers, tablets, smartphones, routers, and IoT devices.
- The case raises questions about hosting accountability, residential proxy abuse, and edge-device visibility.
Dutch police and the Netherlands’ National Cyber Security Centre have taken a large botnet offline after identifying 200 servers used to control millions of infected devices.
The police said the network consisted of at least 17 million compromised devices and that the command infrastructure was hosted in the Netherlands. The infected estate included computers, tablets, and smartphones, while the authorities also warned that weakly secured routers and other IoT devices remain attractive to criminal groups.
According to the official police notice, the case began with a report from an NCSC security researcher. The NCSC informed police, and the cybercrime team in The Hague investigated with the national centre. Several servers were seized from a hosting provider for investigation, after which the provider took the botnet offline because it was being used for criminal purposes.
Botnets can support denial-of-service attacks, spam, phishing, online fraud, and wider criminal infrastructure. The Dutch notice also refers to residential proxies, where compromised consumer devices are used to route traffic through ordinary internet connections and make malicious activity harder to distinguish from legitimate user behaviour.
The takedown shows how criminal infrastructure can sit inside legitimate European hosting markets. Botnets are often described through the number of infected endpoints, but command servers, abuse handling, hosting relationships, and evidence preservation are just as central to disruption. In this case, the pathway ran from researcher detection to national cyber coordination, police investigation, provider action, and server seizure.
Although many infected devices may belong to consumers, the enterprise exposure is not remote. Residential proxy networks can be used to mask credential attacks, automate fraud, bypass reputation controls, and make malicious traffic appear to originate from normal broadband connections. Controls built around known hostile infrastructure become weaker when traffic is routed through compromised devices dispersed across legitimate networks.
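The weakening of IP-based controls described above can be shown concretely. The following is an added example, not code from the article, the Dutch police, or the NCSC: a small detector run over a constructed authentication log (the log lines, account names and IP addresses are invented; the IPs are RFC 5737 documentation ranges). A per-source-IP failure threshold catches a brute-force run from one address, but misses the same number of failures against one account when each attempt arrives from a different compromised device. Aggregating failures per account and counting distinct source IPs recovers that case.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article or any real system); timestamps
# and addresses are made up. "bob" is attacked from a single IP; "alice" is
# attacked with the same number of attempts spread over six different IPs, the
# pattern a residential-proxy pool produces; "carol" is an ordinary user.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:00:02Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:00:03Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:00:04Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:00:05Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:00:06Z ip=10.0.0.5 user=bob result=fail
2024-01-01T10:01:01Z ip=203.0.113.10 user=alice result=fail
2024-01-01T10:01:09Z ip=198.51.100.7 user=alice result=fail
2024-01-01T10:01:17Z ip=192.0.2.44 user=alice result=fail
2024-01-01T10:01:25Z ip=203.0.113.99 user=alice result=fail
2024-01-01T10:01:33Z ip=198.51.100.120 user=alice result=fail
2024-01-01T10:01:41Z ip=192.0.2.8 user=alice result=fail
2024-01-01T10:02:00Z ip=192.0.2.20 user=carol result=ok
2024-01-01T10:02:30Z ip=192.0.2.20 user=carol result=fail
2024-01-01T10:02:45Z ip=192.0.2.20 user=carol result=ok
"""

# Assumed line format for this example only: "<ts> ip=<ip> user=<user> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_failures(events, threshold=5):
    """Classic control: flag any source IP with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_distributed_failures(events, min_failures=5, min_distinct_ips=4):
    """Flag accounts whose failures arrive from many different source IPs.

    Returns {user: (failure_count, distinct_ip_count)} for flagged accounts.
    A single-IP brute force is left to the per-IP control; this detector exists
    for the case where every attempt looks like a fresh residential connection.
    """
    fails = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]] += 1
            ips[e["user"]].add(e["ip"])
    return {
        u: (fails[u], len(ips[u]))
        for u in fails
        if fails[u] >= min_failures and len(ips[u]) >= min_distinct_ips
    }


def analyse(text):
    """Run both detectors over a log and return their findings side by side."""
    events = parse_log(text)
    return {
        "per_ip": per_ip_failures(events),
        "distributed": per_account_distributed_failures(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("IPs flagged by per-IP threshold:", sorted(report["per_ip"]))
    print("Accounts flagged by distinct-source aggregation:", report["distributed"])
```

On the constructed log the per-IP rule flags only 10.0.0.5 (bob's attacker), while the per-account rule flags alice with six failures from six distinct addresses; neither rule alone covers both. The thresholds are illustrative; in production they would be tuned against a baseline of how many distinct addresses a legitimate account normally fails from, and the account-level signal would feed step-up authentication or lockout rather than an IP block, since blocking the individual proxy addresses achieves little.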
The operation also underlines the limits of enterprise perimeter control. Organisations can patch their own systems, monitor cloud environments, harden identity controls, and improve endpoint protection, but hostile infrastructure increasingly draws on unmanaged devices outside their estate. Weak routers, outdated phones, abandoned IoT equipment, and poorly maintained edge systems create capacity that can be redirected against businesses, public services, and critical-sector operators.
Hosting providers remain part of the resilience equation. The police account does not identify the provider or suggest wrongdoing by it, but it shows that infrastructure used for criminal control can reside in provider environments until abuse is identified and escalated. Effective disruption depends on timely detection, usable reporting channels, legal process, and cooperation between providers and authorities.
Several facts remain unknown. Police have not named the operators, disclosed victim distribution, or said whether arrests have been made. The stated size of the botnet also does not show how many devices were active at any one time, which services were most abused, or how the network was monetised.
The operation removes one botnet, while leaving the underlying supply problem intact. Compromised consumer and edge devices remain cheap infrastructure for attackers, and defensive responsibility remains spread across device makers, broadband providers, hosting companies, law enforcement, and the organisations that become targets of traffic routed through those systems.