A collaboration between the Dutch National Police and the National Cyber Security Centre (NCSC) has seen a large botnet shut down.
In the same operation, 200 servers were identified and dealt with as well. These servers controlled millions of infected devices, from computers to phones, and were used to carry out cyberattacks.
A security researcher first identified the network and notified the NCSC. The NCSC then alerted the police, and together they dug into the matter. It turned out that the botnet had at least 17 million infected devices. To make matters worse, its 200 controlling servers were located right in the Netherlands.
The police moved in and seized several botnet servers from a hosting provider for closer inspection. Because the botnet was being used for criminal activities, the hosting company shut it down, taking it completely offline.
Law enforcement is clearly prioritizing this space
Denis Calderone, CTO of Suzu Labs, says: “This is the third major residential proxy botnet takedown in 2026 alone, after the KimWolf/Aisuru operation in March took down four botnets totaling over three million devices. Law enforcement is clearly prioritizing this space, which is encouraging, but the demand side of the equation hasn’t changed. Asocks was selling access for as little as five dollars a month and accepting crypto. At that price point, supply rebuilds fast. And seventeen million devices are still infected.”
He says the C2 infrastructure is down, which is a good tactical win, but every one of those compromised computers, routers, phones, and IoT cameras still has malware on it. “They’re orphaned, not clean. Most of those device owners will never know they were part of a residential proxy network that was routing DDoS attacks, phishing campaigns, and fraud through their home IP addresses.
“What makes residential proxy botnets a fundamentally different problem than traditional botnets is that the criminal traffic is indistinguishable from your remote workforce. It’s coming from real consumer IPs, real ISPs, real residential connections. You can’t blocklist it without blocking your own employees working from home. That’s exactly why these services exist, and it’s why IP reputation as a primary security signal is losing the arms race. Every organization that’s relying on geofencing or IP-based conditional access policies to catch suspicious logins needs to understand that the attacker’s traffic now looks identical to a legitimate remote worker in the same city.”
Start trusting the device instead
Calderone adds that the best way for enterprises to defend against this is to stop relying on IP reputation alone and to start trusting the device instead. He lists managed device enrollment through Intune or JAMF, conditional access layered with sign-in risk scoring and behavioral analytics, and device-bound credentials such as FIDO2 keys or passkeys tied to a TPM.
“None of this is new. These controls have been available for years. The problem is adoption, and incidents like this one are making the case louder. When the attacker’s traffic originates from a real household connection in the same city as your employee, the only signals that catch it are device compliance, session behavior, and hardware-anchored credentials. On the consumer side, this is a reminder to update your router firmware, change default credentials, and pay attention to what apps you’re installing. Seventeen million devices didn’t get enrolled in a proxy botnet because their owners were doing the basics.”
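To make the argument in the two passages above concrete, here is an added example (not code from the article, from Suzu Labs or from any vendor mentioned): a toy conditional-access evaluator that scores the same sign-in under an IP-reputation-plus-geofence policy and under a device-trust policy. All IP addresses, device ids, cities and sign-in events are constructed sample data.

```python
"""Added example, not from the article: a toy conditional-access evaluator showing
why an IP-reputation-only policy lets a login relayed through a residential proxy
pass, while a device-trust policy stops it. All data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed reputation feed: a documentation range stands in for a "bad" block.
BAD_IP_PREFIXES = ("203.0.113.",)
# Constructed MDM inventory (the tenant's Intune/JAMF equivalent): id -> compliant?
MANAGED_DEVICES = {"LAPTOP-A1": True, "LAPTOP-B7": False}

@dataclass
class SignIn:
    user: str
    ip: str
    city: str                  # geolocation of the source IP
    device_id: Optional[str]   # None = unmanaged or unknown device
    credential: str            # "password", "fido2" or "passkey"
    home_city: str             # expected location from the user profile

def ip_only_policy(event: SignIn) -> str:
    """Legacy policy: IP reputation plus geofence. Proxy traffic arrives from a
    clean consumer IP in the expected city, so this policy allows it."""
    if event.ip.startswith(BAD_IP_PREFIXES) or event.city != event.home_city:
        return "block"
    return "allow"

def device_trust_policy(event: SignIn) -> str:
    """Device-centric policy: allow only a compliant managed device using a
    hardware-bound credential; one of the two earns a step-up, neither blocks."""
    compliant = MANAGED_DEVICES.get(event.device_id, False)
    hardware_bound = event.credential in ("fido2", "passkey")  # TPM/authenticator-bound
    if compliant and hardware_bound:
        return "allow"
    if compliant or hardware_bound:
        return "step_up"  # re-prompt for MFA / re-attest before granting access
    return "block"

# Constructed events: employee at home; a stuffed password relayed through an
# infected home router in the same city; the same attempt from a datacentre IP.
EMPLOYEE = SignIn("alice", "198.51.100.20", "Amsterdam", "LAPTOP-A1", "passkey", "Amsterdam")
PROXIED = SignIn("alice", "198.51.100.77", "Amsterdam", None, "password", "Amsterdam")
DATACENTRE = SignIn("alice", "203.0.113.9", "Amsterdam", None, "password", "Amsterdam")

def evaluate(events):
    """Map each source IP to (ip_only_decision, device_trust_decision)."""
    return {e.ip: (ip_only_policy(e), device_trust_policy(e)) for e in events}
```

Running `evaluate([EMPLOYEE, PROXIED, DATACENTRE])` shows the proxied login is the only one the two policies disagree on: the IP-based check allows it, the device-based check blocks it.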
A deep, structural vulnerability in modern threat detection
Damon Small, Board of Directors at Xcape Inc, adds: “The successful disruption of this 17-million-device botnet exposes a deep, structural vulnerability in modern threat detection: our over-reliance on IP reputation as an anchor of trust. By weaponizing a massive fleet of infected consumer phones, tablets, and IoT devices, operators covertly constructed a commercial residential proxy network that allowed cybercriminals to rent out legitimate household IP addresses. This technique completely neutralizes traditional perimeter controls; when malicious traffic (such as credential stuffing or automated fraud) mirrors the exact geographic and behavioral signature of a trusted consumer, standard rate-limiting and geo-blocking tools are rendered blind.”
The illusion of residential trust
Small says while seizing 200 backend servers provides a significant short-term victory, it does not solve the root issue. “Security leaders must accept that static IP telemetry is dead. To defend against automated threats routing through compromised residential infrastructure, organizations must transition away from reputation-based filtering and invest heavily in continuous behavioral analysis, device attestation, and contextual application-layer verification.
“Seizing 200 backend servers is a great headline, but as long as our defense tools treat a compromised Android tablet like a trusted digital passport, criminals will just migrate to the next proxy provider.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.