Seventeen million devices. Computers, phones, tablets, routers — quietly conscripted into a criminal network larger than the population of most nations. On Thursday, Dutch authorities pulled the plug.
The Netherlands Police and the National Cyber Security Center (NCSC) seized 200 servers at a Dutch hosting provider after a security researcher reported the sprawling botnet. The provider took the network offline because it was being used for criminal purposes, the NCSC said in a statement.
Local media identified the operation as infrastructure for ASOCKS, a Russia-based company selling residential proxy access — essentially renting out the internet connections of infected devices to third parties. Subscriptions ranged from $5 to $15 per month, with bulk discounts. ASOCKS did not respond to a request for comment from BleepingComputer.
Residential proxies route traffic through real devices on real home networks, making malicious activity nearly indistinguishable from ordinary browsing. The NCSC warned in a separate advisory published a day earlier that this allows attackers to hit Dutch organizations using Dutch IP addresses, bypassing security filters that would flag data-center traffic.
The uses are ugly: DDoS attacks, credential stuffing, phishing operations, click fraud, and malware distribution. The owners of the conscripted devices most likely had no idea their hardware was involved.
Research by HUMAN Security’s Satori team two years ago traced a code library called PROXYLIB — embedded in a popular monetization SDK called LumiApps — back to ASOCKS infrastructure, suggesting the proxyware was being bundled into seemingly legitimate apps. Ars Technica noted it could not independently confirm the ASOCKS link, though the circumstantial evidence aligns with what authorities described.
This is part of a widening crackdown. A year ago, US and Dutch law enforcement dismantled two similar services, 5socks and Anyproxy. Earlier this year, European and American agencies took down SocksEscort. The residential proxy market remains opaque, with researchers from Sekoia.io and Orange Cyberdefense warning that many providers do little to ensure their networks are used legally.
For ordinary device owners, the defense is straightforward: change default credentials, update firmware, and disable remote administration panels when they’re not needed. If your router still has the password it shipped with, it was exactly the kind of target these operations depended on.
Sources
- Botnet of more than 17 million devices dismantled — Ars Technica
- Dutch govt disrupts malware botnet with 17 million infected devices — BleepingComputer
- Dutch police disrupts botnet composed of 17 million devices — Help Net Security