Dutch Politie and NCSC Dismantle Asocks Residential Proxy Botnet of 17 Million Devices

Dutch Politie and NCSC-NL took down 200 Netherlands-based servers running Asocks, a residential proxy service built from at least 17 million infected consumer devices. The takedown weakens the IP-reputation assumptions every defender relies on.


Key Takeaways

  • On May 28, 2026, the Dutch Politie cybercrime unit at The Hague and NCSC-NL announced they had dismantled Asocks, a commercial residential proxy service, by taking down 200 Netherlands-based servers built on a botnet of at least 17 million compromised consumer devices worldwide.
  • Asocks is the supply side of the residential-proxy economy — compromised home routers, smart cameras, smartphones, and IoT devices used to launder cybercriminal traffic through real consumer broadband, defeating the trust signal every defender's IP-reputation tooling depends on.
  • It is the second major Dutch criminal-infrastructure takedown in eight days, following the May 22 Stark Industries bulletproof-hosting seizure — defenders should rebaseline IP-reputation tooling for a noisy transition window and watch for any IOCs NCSC-NL publishes.

The Asocks takedown is the rare cybercrime-infrastructure story where the supply side belongs to ordinary citizens — and the rare brief in this slot where a reader rebooting their router actually helps fix the problem.

THE HAGUE, NETHERLANDS — On May 28, 2026, the Dutch National Police (Politie) cybercrime unit at The Hague and the National Cyber Security Centre (NCSC-NL) announced they had dismantled a botnet of at least 17 million compromised consumer devices worldwide and seized 200 servers, all physically located in the Netherlands, that ran its infrastructure. That was three days before this article publishes, and the staleness is the point: this story moved through the English-language security press across May 28-29, and the late-arriving cycle is itself a small editorial signal that the residential-proxy beat is still under-covered.

Dutch authorities did not name the service in their own statements. The connection to Asocks — a commercial residential and mobile proxy service marketed openly online — was first reported by Dutch outlet NL Times on May 28 and has since been carried by BleepingComputer, Help Net Security, The Register, Cybernews, and Risky Business. That hedge matters, and this article preserves it: the takedown is confirmed; the Asocks attribution is press attribution, not police attribution.

Takedown Overview
| Field | Details |
| --- | --- |
| Action | Dutch Politie cybercrime unit (The Hague) + National Cyber Security Centre (NCSC-NL) |
| Announcement Date | May 28, 2026 — three days before this article, after the English-language coverage cycle |
| Service Name | Asocks (press attribution via NL Times and follow-on reporting; not named in Politie or NCSC-NL statements) |
| Service Type | Commercial residential and mobile proxy service — sells access to consumer IPs for routing traffic |
| Scale | At least 17 million compromised consumer devices worldwide |
| Device Types | Computers, home routers, tablets, smartphones, and IoT devices including smart security cameras |
| Infrastructure | 200 servers, all physically located in the Netherlands, taken offline by the hosting provider |
| Investigation Origin | Report from a security researcher to NCSC-NL, forwarded to the Politie cybercrime unit |
| IOCs Published | None at time of publication — NCSC-NL has released a separate expert blog on residential-proxy abuse but no IOC bundle for the Asocks infrastructure |
| Prior Context | Second major Dutch criminal-infrastructure takedown in eight days — follows the May 22 Stark Industries hosting seizure |

What Happened

Three days before this article publishes, on May 28, 2026, the Dutch Politie cybercrime unit at The Hague and NCSC-NL jointly announced a takedown that — by the only number any of us have to go on, the device count — is one of the largest residential-proxy disruptions ever made public. At least 17 million compromised consumer devices worldwide, the agencies said, were enrolled in a botnet whose command infrastructure was concentrated in 200 servers physically located in the Netherlands. The hosting provider took the entire botnet offline once the Politie cybercrime unit had seized the relevant servers, on the grounds that the infrastructure was being used for criminal purposes.

The investigation began, the agencies said, with a report from an unnamed security researcher to NCSC-NL. NCSC-NL passed the lead to the Politie cybercrime unit at The Hague, and the joint investigation that followed ended in last week's action. Neither the Politie's own announcement nor NCSC-NL's named the service publicly. The identification as Asocks — a commercial residential and mobile proxy service that has been marketed openly to anyone with a credit card — was first reported by Dutch outlet NL Times on May 28 and has since been repeated by BleepingComputer, Help Net Security, The Register, Cybernews, and Risky Business. We treat that attribution as well-supported press reporting rather than as a Dutch-government finding, and we preserve the distinction throughout this piece. No specific Asocks operators have been publicly identified or charged at time of writing.

What a Residential Proxy Service Actually Is

Asocks belongs to a category of cybercrime-economy product that most security teams have heard of but few have had to defend against in concrete terms: the residential proxy service. The pitch to the buyer is simple. For a monthly fee, a customer gets the ability to route their internet traffic through tens of millions of consumer IP addresses — home broadband connections that, to the receiving server's eyes, look indistinguishable from an ordinary person logging in from a home in Rotterdam, Sao Paulo, or Phoenix. The pitch to the criminal customer is the same pitch, with the upside that the IP is not on any data-center or VPN block list and is unlikely to trip a reputation filter. Phishing campaigns, credential-stuffing runs, scraping, account-takeover attempts, ad fraud, click fraud, SMS pumping, and the human-traffic legs of large-scale cyberattacks all benefit from coming out of a residential IP rather than a hosting provider's range. NCSC-NL, in a separate expert blog published the day before the takedown, was unusually direct about why this matters: 'Because residential proxies use real, trusted IP addresses, malicious use of them is much more difficult to detect or block.' The supply side of that economy — what actually makes the 'real, trusted IP' possible — is unpatched, weakly-passworded consumer devices, infected with proxyware malware and quietly rented out without their owners' knowledge. Seventeen million is the supply side.

The Second Dutch Takedown in Eight Days

Read in isolation, the Asocks action is a single big-number takedown. Read in context, it is the second major Dutch criminal-infrastructure operation in eight days. On May 22, FIOD and the Politie arrested two suspects and seized roughly 800 servers tied to the Stark Industries bulletproof-hosting operation — a sustained, sanctions-evading infrastructure used by Russian-aligned attackers and disinformation operators. Six days later, the same Politie cybercrime unit, working with NCSC-NL, took down the 200 servers underpinning Asocks. The two cases are operationally distinct — one is bulletproof hosting, the other a residential proxy supply chain — but they share the same uncomfortable fact: the Netherlands has been hosting an outsized share of Europe's criminal cyber infrastructure, and the Dutch government has, in the space of a single week, demonstrated a willingness to act against it on both fronts. The European policy implication is one to watch in the coming weeks: criminal-infrastructure takedowns tend to displace rather than eliminate, and the operators behind Asocks-style proxy markets are now on notice that Netherlands-based hosting carries new operational risk.

Why This Late-Cycle Story Still Matters

We are publishing this three days after the announcement, and that is worth naming. The Asocks takedown moved through the English-language security press in a fast May 28-29 cycle, and our coverage trails it. The reason we are running it anyway is not novelty but utility: the operational implications for defenders are still being worked out, the NCSC-NL IOC question is still open, and the through-line that matters — IP-reputation degradation as a structural defender problem, plus the consumer-action sidebar that almost no other publication has packaged with this story — has not been adequately covered in the day-of pieces. The point of this article is the implication and the action items, not the scoop. Residential-proxy takedowns of this scale are also not new: a year ago, US and Dutch law enforcement disrupted 5socks and Anyproxy; earlier this year, a multinational coalition dismantled SocksEscort. The arc of criminal-asset-tracing operations that Europol catalogued in Project Asset — coordinated, multinational, infrastructure-led — is the model these takedowns increasingly follow. The pattern is clear: criminal-infrastructure markets dent under enforcement pressure but reconstitute under new branding, and the supply of compromised consumer devices that feeds them does not get smaller on its own.

Scope and Impact

The single most important operational implication for SOC and threat-hunting teams is one most have not had reason to confront before: your IP-reputation tooling has been quietly weakened. Every commercial IP-reputation feed, every 'is this a residential or data-center IP' lookup, every behavioral allowlist that treats a Dutch home broadband connection as more trustworthy than a hosting-provider range has, until last week, been silently absorbing a 17-million-device supply of laundered traffic. The Asocks takedown does not fix this. It changes its shape. In the next several weeks, vendor IP-reputation feeds will go through a noisy transition window as the historical Asocks IP set drains out of the active proxy market and, in many cases, is replaced by IPs from the next residential-proxy provider in line. Defenders should expect false-positive churn in the short term and a steady degradation of the implicit assumption that a 'real residential IP' is a trust signal in the long term. The Verizon DBIR 2026 finding that vulnerability exploitation just overtook credential theft as the number-one initial-access method is part of the same picture: the easy detection cues that worked five years ago are eroding across the board, and the residential-proxy supply is one of the more important reasons why.

For IT and network operations teams, the takedown points to a different audit. The Asocks supply was, by every account, the everyday consumer-device population: unpatched home routers running firmware years past vendor support, smart security cameras shipped with default admin credentials, smartphones sideloading free apps that came bundled with proxyware SDKs. Many companies issue or permit a long tail of these same device classes — corporate-owned smart cameras in offices and warehouses, voice-assistant devices in conference rooms, IoT sensors across building-management systems, employee-owned smartphones on BYOD. Each is an attractive enrollment target for the next residential-proxy operator. The work for IT teams is straightforward and overdue: audit the fleet of company-issued and company-tolerated connected devices against vendor advisories from the past 24 months, isolate IoT devices on a separate segment, and replace any device whose vendor has stopped shipping firmware updates.

Several questions remain genuinely unresolved at this writing. NCSC-NL had not, by publication time, released a public IOC bundle for the Asocks command-and-control infrastructure or the specific proxyware malware families involved — and an IOC bundle, if and when it comes, is the single most actionable piece of follow-up reporting we expect. Whether all 17 million enrolled devices have been notified or cleaned is unknown; the Dutch government has historically used the abuse.ch and CleanDNS notification pipelines for this kind of cleanup, and watching that channel over the coming weeks is the right place to learn the answer. Whether any specific Asocks operators are facing charges has not been publicly stated. And the broader question — whether 17 million is an undercount, an overcount, or a fair estimate of the active enrolled population at the moment of takedown — depends on methodology that the agencies have not detailed. We have used the agencies' figure throughout and have not adjusted it.

Response and Attribution

For CISOs and product-security leaders, the brief is to brief the board, in plain language, on IP-reputation degradation as a structural problem rather than a single-vendor news story. The residential-proxy economy is a cybercrime-infrastructure layer, not a product; takedowns of individual services dent it but do not eliminate it. Plan tooling investments accordingly: assume IP-based trust signals will continue to weaken, prioritize behavioral and device-attestation signals over IP allowlists, and budget for the false-positive churn that the next several weeks of vendor-reputation rebalancing will produce. If your organization sells or operates consumer-grade connected devices — routers, cameras, IoT — the broader regulatory direction is also worth tracking: the EU Cyber Resilience Act and analogous frameworks are increasingly pointing the way toward holding manufacturers responsible for the supply-side problem that takedowns like this one merely surface. The FBI's Silent Ransom Group work on the human-attack side of the same threat economy and recent botnet-and-arrest cases such as the Kimwolf DDoS-for-hire operator round out the picture: the cybercrime infrastructure stack is being pulled apart from several directions at once, and the residential-proxy supply layer is now plainly inside the law-enforcement attention window.

For SOC and threat-intelligence teams, the immediate playbook is concrete. Treat any internal 'residential IP allowlist' or 'home-broadband trusted' rule as suspect and review it in the next week. Subscribe to NCSC-NL's published-advisories feed for the IOC bundle that the case warrants; in parallel, watch the Shadowserver-and-partner takedown-IOC pipeline that has become the working pattern for cases like Glassworm — that pipeline is the most likely public source of usable Asocks indicators in the coming days. If your fleet egress includes consumer-grade devices, hunt for outbound connections to known proxyware-related infrastructure, and flag the long tail of suspicious user-agent strings tied to historic Asocks-pattern requests in your application logs. For incident-response teams: the residential-proxy attribution problem also runs the other way. If an attacker accessed your environment from a residential IP that has historically been part of an Asocks-style network, the home IP is not the actor, and traceback will need to start from the proxyware operator's records, which is generally law-enforcement territory.
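To make the 'residential IP allowlist' review concrete, the following added example (not taken from the article or from any vendor's tooling) runs two login-abuse rules over the same constructed auth events: a per-IP failure threshold that exempts residential IPs, and a rule that aggregates by client fingerprint and ignores IP class. The event fields, the `client_fp` fingerprint value, and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed auth events (documentation IP ranges, made-up fingerprints):
# (epoch_seconds, src_ip, ip_class from a reputation feed, username, client_fp, success)
EVENTS = [
    (1000, "198.51.100.7", "datacenter", "alice", "fp-dc01", False),
    (1005, "198.51.100.7", "datacenter", "bob", "fp-dc01", False),
    (1010, "198.51.100.7", "datacenter", "carol", "fp-dc01", False),
    (1020, "192.0.2.10", "residential", "dave", "fp-home1", False),
    (1030, "192.0.2.10", "residential", "dave", "fp-home1", True),
] + [
    # One attempt per residential exit IP, same client stack behind the proxy pool.
    (1100 + i * 7, f"203.0.113.{20 + i}", "residential", f"user{i}", "fp-stuff", i == 5)
    for i in range(8)
]

def legacy_ip_rule(events, max_fail=3):
    """Per-IP failure threshold that exempts IPs classed as residential."""
    fails = defaultdict(int)
    klass = {}
    for _, ip, ip_class, _, _, ok in events:
        klass[ip] = ip_class
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_fail and klass[ip] != "residential"}

def spray_by_client(events, window=300, min_users=5, min_ips=5, min_fail_ratio=0.8):
    """Flag client fingerprints that try many accounts from many IPs, ignoring ip_class."""
    by_fp = defaultdict(list)
    for ev in sorted(events):
        by_fp[ev[4]].append(ev)
    flagged = {}
    for fp, evs in by_fp.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[3] for e in win}
            ips = {e[1] for e in win}
            ratio = sum(not e[5] for e in win) / len(win)
            if len(users) >= min_users and len(ips) >= min_ips and ratio >= min_fail_ratio:
                flagged[fp] = {"users": len(users), "ips": len(ips), "fail_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print("legacy per-IP rule:", legacy_ip_rule(EVENTS))
    print("client-keyed rule:", spray_by_client(EVENTS))
```

The per-IP rule flags only the data-center address, because each residential exit IP contributes a single attempt; the client-keyed rule flags the shared fingerprint across all eight residential IPs. A client fingerprint can itself be varied by the sender, so it is one signal to combine with others rather than a replacement trust anchor.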


The CyberSignal Analysis

Signal 01 — IP Reputation Is the Defender Cost

The defender-utility story behind the Asocks takedown is not the headline number. It is the steady erosion of one of the cheapest, most widely deployed trust signals in security tooling: the implicit assumption that traffic from a real residential IP is more trustworthy than traffic from a data center or a known VPN. Asocks, with 17 million enrolled devices, was a single major contributor to that erosion; the broader residential-proxy economy contains many more. Every security team that has been quietly leaning on IP reputation as a low-cost detection signal — for credential stuffing, account-takeover, scraping, even baseline anomaly scoring — is now operating in a market where that signal is weaker than it was a year ago and will be weaker still next year. The takedown is good news on the law-enforcement side and a structural cost on the defender side at the same moment. The takedown does not reverse the trend; it only buys time. The right response is to invest in detection signals that do not depend on the IP being honest about what kind of network it lives on.

Signal 02 — The Consumer Sidebar Is the Story

Almost every cybercrime story arrives with a defender-utility framing and stops there. Asocks is different, and the difference is worth naming. The 17 million devices are not the attackers; they are the supply side, owned by ordinary people who have no idea their home router or smart camera is laundering somebody else's phishing campaign. That is the rare case in which reader-as-citizen action — the simple, repeatable, boring advice of rebooting the router, updating firmware, and changing the default admin password on every connected device — is genuinely on the path to fixing the supply side. We are including a consumer-facing checklist in the response section above because the demand side will be dented by enforcement and the supply side will be dented by literally millions of households doing five minutes of basic hygiene. Both halves of the economy are addressable, and the consumer half almost never is. When it is, the publication that frames a piece purely for the SOC is doing only half of its job.

Signal 03 — The Cadence Acknowledgement

We are publishing three days after the announcement, and that delay matters editorially. The Asocks story moved through the English-language press in a tight May 28-29 cycle and we are out of phase with it. The honest framing is to say so up front and to argue for what this piece adds anyway: the IP-reputation through-line and the consumer-sidebar packaging, neither of which has been done well in the day-of coverage; the explicit pairing with the May 22 Stark Industries takedown as the second-in-eight-days editorial arc; and the preservation of the press-attribution hedge on the Asocks name itself. Methodology failure mode #3 — running stale news as if it were breaking — is something we try to avoid by acknowledging the cadence rather than pretending it. This is the form that acknowledgement takes. The story is three days old; the implications for defenders are still working themselves out; the consumer-side action items are durable for weeks, not hours; and the through-line — that the cybercrime infrastructure stack is being pulled apart in public, one supply-layer takedown at a time — is exactly the kind of slower-tempo story that benefits from a beat of editorial distance.


Sources

| Type | Source |
| --- | --- |
| Primary | NCSC-NL — Gezamenlijke actie politie en NCSC legt groot botnetwerk plat (Dutch) |
| Official | NCSC-NL Expertblog — Residential proxies en hun grote impact op de digitale veiligheid in Nederland |
| Reporting | NL Times — NCSC and Dutch Police Disrupt Global Botnet Controlled via Netherlands-Based Servers (May 28) |
| Reporting | BleepingComputer — Dutch Govt Disrupts Malware Botnet with 17 Million Infected Devices (May 29) |
| Reporting | Help Net Security — Dutch Police Disrupts Botnet Composed of 17 Million Devices (May 29) |
| Reporting | The Register — Dutch Cops Wrest 17M Devices from Mystery Botnet's Clutches (May 29) |
| Reporting | Cybernews — Dutch Authorities Dismantle Botnet Controlling 17 Million Infected Devices |
| Reporting | Risky Business — Dutch Police Take Down Giant Botnet of 17 Million Devices |
| Analysis | Security Affairs — Botnet of 17 Million Devices Dismantled in the Netherlands |
| Background | HUMAN Security Satori — PROXYLIB / LumiApps SDK Residential Proxy Network Research (2024) |