Huge Botnet Linked To Russia Infected Over 10 Million Devices Before Being Shut Down

Dutch authorities announced that they had disrupted one of the largest cyberhacking breaches in history. The scheme targeted more than 17 million consumer devices worldwide, ranging from computers and tablets to smartphones and security cameras, enlisting them in a vast botnet that powered a residential proxy service used to conduct cyberattacks at scale. According to a press release announcing the enforcement action, Dutch investigators confiscated 200 servers located in the Netherlands that were used to run the operation.

A botnet is a dangerous form of cyberattack framework that hijacks infected devices to carry out malicious activities. Typically, hackers infect victims' devices with malicious software that enables them to control the devices remotely without the user's notice. Because they can control vast numbers of devices, botnets are incredibly effective at Distributed Denial of Service (DDoS) attacks, in which hackers overwhelm a server with an unmanageable volume of internet traffic. They're also effective means of anonymously conducting cyberattacks, distributing phishing and spam emails, and conducting fraud. In this case, a report by Dutch outlet NL Times states that cybercriminals infected devices with poor security protections to serve as nodes in a "residential proxy service." Once infected, the devices were then used to reroute internet traffic to "launch large-scale cyberattacks," without victims' knowledge. According to Dutch authorities, the network is now offline.

The action reflects the increasing prevalence of botnets and residential proxy networks in global hacking operations. In recent months, victims have seen everything from routers to Android-based streaming devices spying for hackers. It seems like it's time to make your home router more secure.

Beating the botnet

The sting operation began when a security researcher at the National Cyber Security Centre (NCSC), the division of the Netherlands' Ministry of Justice and Security tasked with overseeing the country's cyber security, flagged the network. Officials then collaborated with the Dutch police to investigate the case, ultimately identifying and confiscating 200 domestic servers used to run the botnet's infrastructure. To date, little is known about the criminal enterprise's tactics, as Dutch authorities have yet to comment on how the hackers infected 17 million devices with malware. Historically, botnets have spread through infected applications, software exploits, phishing campaigns, and brute-force attacks.

The operation was connected to the residential proxy service Asocks. In 2024, cybersecurity firm HUMAN found that a botnet dubbed Proxylib infected roughly 190,000 devices and enlisted them into Asocks' proxy service. Residential proxies use the IP address of private internet users as a waystation for internet traffic. Researchers linked the botnet that routed victims through Asocks' proxy network to a now-banned VPN service and at least 28 Android applications. Although the company's website lists a British phone number and a registered address in the East African island of Seychelles, Western media have long connected Asocks with Russia, raising major security concerns. According to its website, the company offers proxy services for as low as $5 per month. 

Following the report, Ars Technica unsuccessfully reached out to Asocks for comment. Interestingly, the NCSC has updated its report on residential proxies, which the agency released one day before announcing its botnet takedown, with a link to the sting announcement. In its updated blog post, the NCSC states that the enforcement action "demonstrates" how residential proxies pose "a threat to national and international cybersecurity."

A growing threat

The takedown exemplifies the rising threats of botnets and residential proxy networks. According to the NCSC, the technique is "being deployed more and more frequently in digital attacks," enabling hackers to orchestrate DDoS shutdowns, brute force attacks, phishing schemes, credential theft, SMS pumping, and malware distribution. Dutch authorities note that botnets and residential proxies present unique challenges, as their hijacking of trusted IP addresses makes them more difficult to detect. This is not to say that residential proxies are inherently malicious, as they can be valuable tools for circumventing geographical internet censorship. However, their increasing prevalence in cybercriminal operations is notable.

The Dutch enforcement action is just one of several high-profile botnets to be dismantled by law enforcement in recent months. In March, for instance, German, Canadian, and American agencies coordinated the takedown of two of the world's leading botnet operations, dubbed "Aisuru" and "Kimwolf," that German authorities state were executing high-volume DDoS attacks. According to the U.S. Attorney's Office, the botnets hijacked over three million devices. Earlier this year, Google took down the IPIDEA proxy network whose development kits were used by Kimwolf's botnet. Two months later, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers linked to a sanctioned illegal hosting service used to run botnet and malware scams. 

Such actions are a reminder to protect oneself from cyberthreats. At a minimum, users should choose stronger passwords, update software whenever possible, monitor network traffic, and ensure their Wi-Fi uses WPA2 or WPA3 protection. Avoid downloading applications from unofficial sources, refrain from using residential proxy services when possible, and review application terms and conditions to avoid being enrolled in a proxy service without your consent. Traditional protections, such as antivirus software, are also a plus.
