Dutch authorities dismantle 17-million-device botnet linked to Russian proxy network
The network, managed by 200 servers, is tied to ASOCKS, a Russia-based residential proxy provider.

Dutch police and the National Cyber Security Center (NCSC) have dismantled a botnet comprising more than 17 million devices, managed by 200 servers. The joint operation, announced on Thursday, followed a report from a security researcher and involved the seizure of servers from a hosting provider in the Netherlands. The hosting provider subsequently took the botnet offline after determining it was being used for criminal purposes.
According to a report by the NL Times, the botnet is linked to ASOCKS, a Russia-based company that provides residential proxy services. These services allow users to obscure their locations or identities by routing internet traffic through third-party devices. While often used to maintain anonymity or circumvent geographical restrictions, such services are frequently utilised for illicit activities, including distributed denial-of-service (DDoS) attacks, phishing, and web scraping.
The NCSC highlighted the broader implications of such technology in a post published on Wednesday, titled “Residential proxies and their major impact on digital security in the Netherlands.” The authority warned that residential proxies complicate cybercrime mitigation by mimicking regular traffic patterns, allowing attackers to launch operations that appear to originate from within the country.
Previous investigations have established connections between ASOCKS and malicious activity. In 2024, security firm Human identified evidence linking a botnet named Proxylib to the proxy network. The findings included Proxylib-infected IP addresses returned by an ASOCKS proxy-list endpoint and requests exiting through an infected test device. At that time, 28 apps available in the Google Play store were found to have enrolled up to 190,000 devices into the network without user approval.
Ars Technica was unable to independently confirm the specific link between the current 17-million-device botnet and ASOCKS, though the claim was deemed plausible. It remains unclear how the devices in this specific network were compromised, whether through exploited software vulnerabilities, malicious app installations, or obscured terms in app agreements. Questions sent to ASOCKS regarding the operation received no response.


