Full Report
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
Analysis Summary
# Incident Report: Takedown of Global Proxy Botnet (linked to Asocks)
## Executive Summary
Dutch authorities, in coordination with the National Cyber Security Center (NCSC), successfully dismantled a massive botnet consisting of over 17 million infected devices worldwide. The operation targeted the infrastructure of a residential proxy service, believed to be "Asocks," which facilitated cyberattacks by routing malicious traffic through compromised consumer devices. The takedown involved the seizure of over 200 servers located in the Netherlands that served as the network's backend.
## Incident Details
- **Discovery Date:** April 2024 (Initial identification of PROXYLIB campaign)
- **Incident Date:** Takedown announced May 31, 2026
- **Affected Organization:** Owners of infected Android, IoT, and desktop devices; a Dutch hosting provider whose infrastructure housed the backend.
- **Sector:** Infrastructure / Proxy Services
- **Geography:** Global (Infected devices); Netherlands (Command & Control backend)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since at least early 2024.
- **Vector:** Malware disguised as legitimate applications or proxyware (e.g., LumiApps).
- **Details:** Devices were infected through "PROXYLIB" and similar campaigns where users unknowingly downloaded apps that turned their devices into proxy nodes.
### Lateral Movement
- **Movement:** Not applicable in the traditional enterprise sense; the malware spread via public app distribution and exploitation of vulnerable IoT devices to expand the botnet pool.
### Data Exfiltration/Impact
- **Impact:** Devices were "enslaved" into a botnet to route malicious traffic for third-party cybercriminals, enabling credential stuffing, DDoS, and other anonymized attacks.
### Detection & Response
- **April 2024:** Satori Threat Intelligence (HUMAN) identifies PROXYLIB campaign linking Android devices to Asocks.
- **May 2026:** Dutch Politie and NCSC execute a joint operation to seize 200+ servers.
- **May 31, 2026:** Formal announcement of the botnet dismantlement.
## Attack Methodology
- **Initial Access:** Hidden proxyware bundled with ostensibly legitimate mobile apps or software.
- **Persistence:** Installation of malware that allows remote control and persistent communication with C2 servers.
- **Privilege Escalation:** Exploitation of unpatched operating systems on infected devices; on IoT devices, default credentials handed the operators full control without any escalation step.
- **Defense Evasion:** Routing traffic through residential IPs to bypass geography-based security filters and IP reputation lists.
- **Credential Access:** Used by the *customers* of the botnet for automated credential stuffing attacks.
- **Discovery:** Identification of edge devices (routers) and IoT devices reachable from the public internet as recruitment targets.
- **Lateral Movement:** Automated spreading via malicious application clones.
- **Collection:** The resource harvested was bandwidth and the device's residential IP address rather than files or credentials.
- **Exfiltration:** Not the primary goal; the objective was the use of the device's IP address as a relay.
- **Impact:** Resource hijacking of roughly 17 million devices, whose bandwidth and IP addresses were rented out for criminal relay traffic.
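The defense-evasion and credential-access points above describe the customer's view of the botnet: a credential-stuffing run relayed through residential proxies arrives from thousands of unrelated consumer IPs, each making only a handful of attempts, so per-IP rate limits and IP reputation lists never fire. What survives is the aggregate shape of the traffic. The following is an added example, not code from the report or from any of the parties it names, that detects that shape in a web application's authentication log. The log format, the five-minute window and the thresholds are assumptions for the example; the log lines are constructed.

```python
"""Detect distributed credential stuffing relayed through a proxy botnet.

Per-IP signals are useless here (each residential IP tries a few times),
so the detector looks at each time window as a whole: many attempts,
almost all failing, spread across many IPs and many usernames.
Log format, window size and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed log line shape: "<iso-timestamp> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class WindowStats:
    start: datetime
    attempts: int
    failures: int
    distinct_ips: int
    distinct_users: int
    max_attempts_per_ip: int

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(lines):
    """Yield (timestamp, ip, user, result); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def window_stats(events, window_minutes=5):
    """Bucket events into fixed windows and summarise each window."""
    buckets = defaultdict(list)
    for ts, ip, user, result in events:
        start = ts.replace(second=0, microsecond=0)
        start = start.replace(minute=start.minute - start.minute % window_minutes)
        buckets[start].append((ip, user, result))
    stats = []
    for start in sorted(buckets):
        evs = buckets[start]
        per_ip = defaultdict(int)
        for ip, _, _ in evs:
            per_ip[ip] += 1
        stats.append(WindowStats(
            start=start,
            attempts=len(evs),
            failures=sum(1 for _, _, r in evs if r == "fail"),
            distinct_ips=len(per_ip),
            distinct_users=len({u for _, u, _ in evs}),
            max_attempts_per_ip=max(per_ip.values()),
        ))
    return stats


def is_distributed_stuffing(w, min_attempts=20, min_fail_ratio=0.8,
                            max_per_ip=3, min_user_spread=0.5):
    """Heuristic thresholds (assumed; tune against the site's own baseline).

    Fires when a window has many attempts, mostly failures, no IP tries more
    than a few times, and the attempts are spread over many usernames.
    """
    return (w.attempts >= min_attempts
            and w.failure_ratio >= min_fail_ratio
            and w.max_attempts_per_ip <= max_per_ip
            and w.distinct_users >= min_user_spread * w.attempts)


def detect(lines, **thresholds):
    """Return the windows that look like proxy-relayed credential stuffing."""
    return [w for w in window_stats(parse(lines))
            if is_distributed_stuffing(w, **thresholds)]


def build_sample_log():
    """Constructed sample: one benign window, then one stuffing burst."""
    lines = []
    benign = [("10.0.0.5", "alice", "ok"), ("10.0.0.5", "alice", "fail"),
              ("10.0.0.7", "bob", "ok"), ("10.0.0.9", "carol", "ok")]
    for i, (ip, user, res) in enumerate(benign):
        lines.append(f"2026-05-01T10:00:{i:02d} ip={ip} user={user} result={res}")
    # 30 failures, each from a different (TEST-NET) "residential" IP and
    # against a different username: one attempt per IP, as a proxy relay would.
    for i in range(30):
        lines.append(f"2026-05-01T10:07:{i:02d} ip=203.0.113.{i + 1} "
                     f"user=user{i:03d} result=fail")
    return lines


if __name__ == "__main__":
    for w in detect(build_sample_log()):
        print(f"{w.start:%H:%M} attempts={w.attempts} fail={w.failure_ratio:.2f} "
              f"ips={w.distinct_ips} users={w.distinct_users} "
              f"max/ip={w.max_attempts_per_ip}")
```

The point of the sample is the last column: no IP in either window exceeds two attempts, so a conventional per-IP lockout or rate limit would see nothing, while the window-level view flags the burst immediately. In production the thresholds should be derived from the site's normal failure ratio and user spread rather than the fixed values above.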
## Impact Assessment
- **Financial:** The operators monetised the botnet by selling proxy access as a subscription service for $5–$15/month.
- **Data Breach:** High risk of secondary data breaches, since the botnet gave other threat actors anonymised access to their targets.
- **Operational:** Degraded performance and higher bandwidth consumption (and data charges on metered connections) for the owners of the roughly 17 million infected devices.
- **Reputational:** Damage to Dutch hosting providers used as cover for criminal backend infrastructure.
## Indicators of Compromise
- **Network indicators:** Traffic to known proxy-service domains (e.g., asocks[.]com, lumiapps[.]io). Both belong to services that also have paying customers, so a hit is a lead to investigate, not proof of compromise on its own.
- **File indicators:** Presence of PROXYLIB-related SDKs within mobile applications.
- **Behavioral indicators:** Unusual outbound traffic on non-standard ports; device overheating or high data usage on mobile/IoT devices.
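An added example, not part of the report, of how the three indicator classes above can be hunted together on a home or small-office network: a domain watchlist applied to DNS logs, and per-device outbound volume and destination ports from flow records. The log formats, the common-port allowlist, the outlier factor and all sample lines are constructed assumptions for the example; the only values taken from the report are the two watchlist domains.

```python
"""Hunt for proxy-botnet indicators in DNS and flow logs (added example).

Network indicator : queries for watchlisted proxy-service domains
Behavioural       : a device whose outbound volume dwarfs its peers, and the
                    non-standard ports it talks to
Log formats, port allowlist and thresholds are assumptions; lines are constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Watchlist as published in the report (defanged form is accepted as-is).
WATCHLIST = ("asocks[.]com", "lumiapps[.]io")
# Destination ports treated as ordinary for a consumer device (assumed list).
COMMON_PORTS = {53, 80, 123, 443, 853, 993, 995, 5228}

DNS_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)")


def refang(domain: str) -> str:
    """Normalise 'example[.]com' / 'Example.COM.' to a comparable FQDN."""
    return domain.replace("[.]", ".").lower().rstrip(".")


_WATCH = tuple(refang(d) for d in WATCHLIST)


def watchlist_hit(qname: str):
    """Return the watchlist entry that qname equals or is a subdomain of.

    Suffix matching is anchored on a dot so that look-alikes such as
    'notasocks.com' or 'asocks.com.example' do not match.
    """
    q = refang(qname)
    for w in _WATCH:
        if q == w or q.endswith("." + w):
            return w
    return None


def dns_hits(dns_lines):
    """Map client IP -> set of watchlist domains it resolved."""
    hits = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and (w := watchlist_hit(m["qname"])):
            hits[m["client"]].add(w)
    return hits


def flow_summary(flow_lines):
    """Per source device: total outbound bytes and the non-standard ports used."""
    volume = defaultdict(int)
    odd_ports = defaultdict(set)
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dport = m["src"], int(m["dport"])
        volume[src] += int(m["bytes"])
        if dport not in COMMON_PORTS:
            odd_ports[src].add(dport)
    return volume, odd_ports


def volume_outliers(volume, factor=10):
    """Devices sending more than `factor` x the median of all devices.

    A fixed multiple of the peer median is an assumed stand-in for a real
    per-device historical baseline; it needs at least three devices to mean much.
    """
    if len(volume) < 3:
        return {}
    baseline = median(volume.values())
    return {ip: v for ip, v in volume.items() if v > factor * baseline}


def hunt(dns_lines, flow_lines):
    """Combine the indicators; non-standard ports are only reported for
    volume outliers, since odd ports alone are too noisy to act on."""
    findings = defaultdict(list)
    for ip, doms in dns_hits(dns_lines).items():
        findings[ip].append("dns-watchlist:" + ",".join(sorted(doms)))
    volume, odd_ports = flow_summary(flow_lines)
    for ip, v in volume_outliers(volume).items():
        findings[ip].append(f"outbound-volume:{v}")
        if odd_ports.get(ip):
            findings[ip].append("nonstandard-ports:" + ",".join(map(str, sorted(odd_ports[ip]))))
    return dict(findings)


# Constructed sample logs: .23 is the infected device, the rest are controls.
SAMPLE_DNS = [
    "2026-05-01T10:00:01 client=192.168.1.23 qname=api.asocks.com qtype=A",
    "2026-05-01T10:00:02 client=192.168.1.23 qname=sdk.lumiapps.io qtype=A",
    "2026-05-01T10:00:03 client=192.168.1.10 qname=www.example.org qtype=A",
    "2026-05-01T10:00:04 client=192.168.1.11 qname=notasocks.com qtype=A",       # look-alike
    "2026-05-01T10:00:05 client=192.168.1.12 qname=asocks.com.example qtype=A",  # not a subdomain
]
SAMPLE_FLOWS = [
    "2026-05-01T10:01:00 src=192.168.1.23 dst=198.51.100.7 dport=8443 bytes_out=400000000",
    "2026-05-01T10:01:30 src=192.168.1.23 dst=198.51.100.8 dport=30303 bytes_out=124288000",
    "2026-05-01T10:02:00 src=192.168.1.10 dst=203.0.113.5 dport=443 bytes_out=2000000",
    "2026-05-01T10:02:30 src=192.168.1.11 dst=203.0.113.6 dport=443 bytes_out=3000000",
    "2026-05-01T10:03:00 src=192.168.1.12 dst=203.0.113.7 dport=80 bytes_out=1000000",
]

if __name__ == "__main__":
    for ip, reasons in hunt(SAMPLE_DNS, SAMPLE_FLOWS).items():
        print(ip, *reasons)
```

Two details matter in practice. The suffix check is anchored on a leading dot, so the look-alike and the "domain as a prefix" cases in the sample are deliberately not hits; a naive `"asocks.com" in qname` would flag both. And the DNS hit is kept separate from the volume finding rather than being folded into a single score, so a device that resolves a watchlisted domain but sends little traffic still surfaces for a manual look, which is the right response given that these services also have legitimate customers.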
## Response Actions
- **Containment:** Dutch Politie seized over 200 servers to sever the Command & Control (C2) link.
- **Eradication:** The hosting provider took the remaining botnet infrastructure offline.
- **Recovery:** Public advisory issued by NCSC for users to secure their devices. Seizing the backend severs control but does not clean the endpoints: the infected devices stay infected, and reachable by anyone who stands up replacement infrastructure, until their owners remove the proxyware.
## Lessons Learned
- **The "Gray" Market Risk:** Residential proxy services often bridge the gap between legitimate business tools and criminal infrastructure.
- **IoT Vulnerability:** The sheer scale (17 million devices) highlights the continued lack of security in consumer IoT and mobile app ecosystems.
- **Infrastructure Hosting:** Malicious actors continue to favor jurisdictions with high-quality hosting infrastructure like the Netherlands for C2 backends.
## Recommendations
- **Device Hygiene:** Keep mobile and IoT operating systems updated to the latest security patches.
- **Credential Management:** Change default passwords on all routers and IoT devices immediately upon installation.
- **Source Verification:** Install applications only from verified, official app stores (Google Play, Apple App Store) and avoid third-party "free" versions of paid software. Official stores reduce but do not eliminate the risk, so also review the permissions and the developer of any app that offers a "free" version of a paid product, and uninstall apps that consume data in the background for no visible reason.
- **Network Security:** Implement WPA2/WPA3 encryption and disable UPnP on home routers to prevent external exposure.