Dutch authorities dismantled a proxy-malware botnet that had infected more than 17 million devices [1].
The operation represents a significant blow to large-scale cybercrime infrastructure. By neutralizing the botnet, officials stopped malicious activity that leveraged hijacked hardware to mask the origins of cyberattacks.
The takedown was a joint effort involving the national police and the National Cyber Security Center [1]. The botnet operated through a network of around 200 servers [2], which authorities seized during the operation in May 2026 [1].
Investigators found that the malware targeted a wide variety of hardware. The infected devices included smartphones, home routers, and other connected electronics [3]. These hijacked devices were used as proxies, allowing operators to route illicit traffic through legitimate user connections to avoid detection.
The primary goal of the disruption was to protect the millions of users whose devices had been compromised [3]. Because the botnet relied on a distributed network of infected endpoints, the seizure of the central command-and-control servers was necessary to break the chain of communication.
While some reports state the operation seized more than 200 servers, other data indicates the number was roughly 200 [2]. This scale of infrastructure allowed the botnet to maintain a massive global footprint before the intervention by Dutch officials [1].
The scale of this botnet highlights the growing vulnerability of the Internet of Things (IoT) ecosystem. By targeting routers and smartphones, attackers can create a massive, distributed proxy network that makes attributing cyberattacks nearly impossible. The success of this operation demonstrates the necessity of international cooperation and the ability of state agencies to disrupt decentralized criminal infrastructure at the server level.





