Ars Technica via Reddit

Dutch Police Dismantle Asocks 17M-Device Proxy Botnet

cybersecurity botnet law-enforcement

Key insights

  • Asocks enrolled 17 million devices including routers and smart cameras as covert exit nodes rented to criminals for phishing and DDoS campaigns.
  • Dutch police seized approximately 200 servers and notified a Netherlands hosting provider, which subsequently shut down remaining Asocks infrastructure.
  • Device owners had no knowledge their IPs were being rented; they are only now being notified by authorities.

Why this matters

Residential proxy botnets at 17-million-device scale corrupt IP reputation as a fraud-detection signal, a core input to the automated scoring systems used by payment processors, ad platforms, and security vendors. Teams that rely on IP blocklists or geolocation to filter bot traffic need to account for adversaries routing through real consumer addresses spread across many residential ISP ranges: the IPs have clean reputation, the geolocation is genuine, the ASN is the same one the legitimate household uses, and the exit rotates between requests. The Asocks takedown also shows that targeting the hosting layer (the seized servers and the provider hosting the rest of the rental network) is more disruptive than device-level remediation, since 17 million consumer devices cannot practically be cleaned one at a time; that is a model security-focused AI startups should factor into their threat modeling and product positioning.
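To make the failure mode concrete, here is an added example (not code from the Ars Technica report, the Reddit thread, the Dutch police or the NCSC) that runs a blocklist-only filter and a rotation-aware check over a handful of constructed login events. The log lines, the ASN numbers and `asn_type` labels, the blocklist contents and the thresholds are all assumptions made up for illustration; in a real deployment the ASN fields would come from an IP-to-ASN lookup and the thresholds would be tuned to the service's own traffic.

```python
"""Why IP blocklists miss residential proxy traffic, and one check that does not.

Added example for this page; not code from the Ars Technica report, Reddit
thread, Dutch police or NCSC. Log lines, ASNs, asn_type labels, the blocklist
and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed login events. Format: "<ts> login <ok|fail> key=value ...".
# alice:  one real user on her home ISP.
# victim: an account driven through a rotating residential proxy pool
#         (four ISP ASNs in four countries within 15 seconds).
# bob:    one attempt from a datacenter range, the only thing a blocklist catches.
LOG_LINES = [
    "2026-05-01T10:00:00Z login ok   user=alice  ip=203.0.113.10  asn=64501 asn_type=isp     cc=NL",
    "2026-05-01T10:30:00Z login ok   user=alice  ip=203.0.113.10  asn=64501 asn_type=isp     cc=NL",
    "2026-05-01T10:00:05Z login fail user=victim ip=198.51.100.7  asn=64510 asn_type=isp     cc=US",
    "2026-05-01T10:00:09Z login fail user=victim ip=198.51.100.88 asn=64511 asn_type=isp     cc=DE",
    "2026-05-01T10:00:14Z login fail user=victim ip=192.0.2.45    asn=64512 asn_type=isp     cc=BR",
    "2026-05-01T10:00:20Z login ok   user=victim ip=192.0.2.201   asn=64513 asn_type=isp     cc=IN",
    "2026-05-01T10:01:00Z login fail user=bob    ip=192.0.2.250   asn=64520 asn_type=hosting cc=US",
]

# Constructed blocklist: a datacenter IP. Residential exits never appear on
# such lists, which is exactly why criminals rent them.
BAD_IPS = {"192.0.2.250"}


def parse(line):
    """Parse one constructed log line into a dict with a UTC timestamp."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {"ts": ts, "result": parts[2], **fields}


def blocklist_verdict(ev, bad_ips=BAD_IPS):
    """Classic filter: flag listed IPs and hosting/datacenter ASNs, nothing else."""
    return ev["ip"] in bad_ips or ev["asn_type"] == "hosting"


def rotation_scores(events, window_s=300):
    """Per account: the most distinct ASNs seen inside any window_s-second window.

    A person may change IP (mobile NAT, DHCP renewals) but does not hop across
    four residential ISPs on three continents in seconds; a rotating proxy pool
    does, so the rotation itself is the signal, not the reputation of any one IP.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    scores = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            best = max(best, len({e["asn"] for e in window}))
        scores[user] = best
    return scores


def analyse(lines, window_s=300, min_asns=3):
    """Run both checks and report which accounts each one flags."""
    events = [parse(line) for line in lines]
    scores = rotation_scores(events, window_s)
    return {
        "blocklist_flagged": {e["user"] for e in events if blocklist_verdict(e)},
        "rotation_flagged": {u for u, s in scores.items() if s >= min_asns},
        "scores": scores,
    }


if __name__ == "__main__":
    report = analyse(LOG_LINES)
    print("blocklist flags:", sorted(report["blocklist_flagged"]))  # ['bob']
    print("rotation flags: ", sorted(report["rotation_flagged"]))   # ['victim']
    print("ASN churn per account:", report["scores"])  # {'alice': 1, 'victim': 4, 'bob': 1}
```

The blocklist catches only the datacenter attempt; every request through the residential pool looks like an ordinary home user and passes. The per-account rotation check flags the attacked account without touching the ISP ASNs themselves, which matters because blocking those would also block the unwitting households whose devices Asocks enrolled. Treat a rotation hit as a reason for step-up authentication or rate limiting rather than a hard block, since a legitimate user on a VPN that rotates exits can occasionally trip it.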

Summary

Dutch police and the NCSC seized roughly 200 servers running Asocks, a residential proxy botnet that quietly enrolled 17 million consumer devices as paid criminal infrastructure. Asocks compromised routers, phones, tablets, and cameras and sold access to the victims' IP addresses to criminals running phishing, DDoS, and fraud campaigns. Real household IPs bypass most blocklists, which is the entire value proposition. After the Dutch National Police and the NCSC presented their findings to a Netherlands hosting provider, the provider shut down the remaining Asocks infrastructure.

  • 17 million+ devices enrolled; owners are only now being notified.
  • ~200 servers seized across the rental network.
  • Victim IPs were the product; device owners were unknowing nodes.

Residential proxy botnets are now standard criminal infrastructure, making any connected home device a rentable exit node.

Potential risks and opportunities

Risks

  • Surviving Asocks operators could reconstitute the botnet via alternative hosting providers, re-enrolling the same already-compromised 17 million devices within weeks of the seizure.
  • Phishing and fraud operations that relied on Asocks will migrate to competing residential proxy services, with no net reduction in attack volume for targeted financial institutions and email providers.
  • IoT device manufacturers (router vendors, smart camera makers) face EU regulatory scrutiny over the security failures that enabled mass enrollment, with potential compliance liability emerging in Q3 2026. Note that NIS2 places obligations on operators of essential and important entities; product-level security requirements for connected devices come under the EU Cyber Resilience Act, which is where manufacturer liability would actually attach.

Opportunities

  • IoT security vendors (Armis, Claroty, Forescout) can accelerate enterprise sales cycles by framing Asocks' 17-million-device scale as evidence that unmanaged device inventory is active criminal attack surface.
  • IP intelligence and residential proxy detection providers (IPQS, Spur.us) gain a direct sales hook: the Asocks case proves existing blocklists fail at this node count, creating budget pressure for upgraded threat feeds.
  • Cloud and hosting providers that implement proactive botnet-infrastructure detection can position this as a competitive differentiator, especially under EU NIS2 compliance pressure where enterprise clients need documented law-enforcement cooperation records.

What we don't know yet

  • Whether the 17 million already-compromised devices have been cleaned or if Asocks malware persists post-seizure, which authorities have not confirmed as of May 2026.
  • Identity and jurisdiction of the criminal operators who rented Asocks access for phishing and DDoS, not disclosed in public reporting.
  • How long Asocks operated before detection and the total volume of criminal campaigns run through the network, both undisclosed.