
Dutch police take down a 17-million-device botnet and seize 200+ servers from a local hosting provider.
The Dutch National High Tech Crime Unit (NHTCU) has taken down a botnet (a network of remotely controlled compromised machines) that reached 17 million infected devices. Simultaneously, authorities seized more than 200 physical servers at a local hosting provider that housed the C2 (command-and-control — the servers directing infected machines) infrastructure.
The operation required coordination between the Dutch Police, the Public Prosecution Service, and likely Europol or Eurojust given the cross-border scope. Seizing physical servers rather than only sinkholing domains (redirecting the botnet's domain names to law-enforcement-controlled hosts) suggests investigators had mapped the infrastructure, and probably had access inside it, well before the public takedown: you cannot walk into a hosting provider and pull the right 200 machines without knowing exactly where the C2 lives.
17 million nodes is a number very few botnets in history have reached. For scale: Emotet at its peak operated roughly 1.6 million active bots. This is an order of magnitude larger.
A botnet this size runs multiple revenue streams in parallel: DDoS attacks (flooding services with synthetic traffic), bulk spam and phishing distribution, credential harvesting at scale, and SOCKS proxy services (routing other actors' traffic through infected devices so it appears to originate from ordinary residential IP addresses) sold to other criminal groups. Monetization diversification is standard at this operational level.
Seizing the physical servers also hands investigators whatever was stored on them: C2 logs, victim lists, cryptocurrency wallet data, and potentially information that identifies the operators. Arrests typically follow weeks or months after the technical strike.
A botnet does not reach 17 million devices overnight; this malware was almost certainly active for years. If your organization saw nothing in that time, that is not a clean bill of health. It means your detection coverage has gaps, and the place to look first is outbound traffic from endpoints that nobody expected to be talking to the internet on a schedule.
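One concrete check for the coverage gap described above is looking for beaconing: infected devices checking in with their C2 at regular intervals. The script below is an added example written for this article, not code from the investigation or from any named malware. It runs over a constructed proxy-log sample (timestamp, source IP, destination host; the IPs and hostnames are invented) and flags source/destination pairs whose inter-connection timing is unusually regular. The thresholds (`min_connections`, `max_cv`) are assumptions you would tune against your own traffic.

```python
"""Beaconing detector over constructed proxy-log lines (added example, not from the article)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the form "timestamp src_ip dst_host".
# 10.0.0.5 contacts one host every ~60 s with small jitter (C2-style beacon);
# 10.0.0.9 shows bursty, human-like browsing to one site. All values are invented.
SAMPLE_LOG = """
2024-05-01T10:00:00 10.0.0.5 cdn-update.example.net
2024-05-01T10:01:01 10.0.0.5 cdn-update.example.net
2024-05-01T10:01:59 10.0.0.5 cdn-update.example.net
2024-05-01T10:03:00 10.0.0.5 cdn-update.example.net
2024-05-01T10:04:02 10.0.0.5 cdn-update.example.net
2024-05-01T10:04:58 10.0.0.5 cdn-update.example.net
2024-05-01T10:00:10 10.0.0.9 news.example.com
2024-05-01T10:00:14 10.0.0.9 news.example.com
2024-05-01T10:07:30 10.0.0.9 news.example.com
2024-05-01T10:07:33 10.0.0.9 news.example.com
2024-05-01T10:25:01 10.0.0.9 news.example.com
2024-05-01T10:25:02 10.0.0.9 news.example.com
""".strip()


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_score(timestamps):
    """Return (mean_interval_seconds, cv) for a list of connection times.

    cv is the coefficient of variation (population stdev / mean) of the
    inter-arrival deltas. A low cv means the connections are evenly spaced,
    which is what a scheduled check-in looks like and human browsing does not.
    """
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    mean = statistics.mean(deltas)
    if mean == 0:
        return None
    return mean, statistics.pstdev(deltas) / mean


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs with enough connections and near-constant spacing.

    min_connections and max_cv are assumed starting thresholds, not tuned values.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            mean, cv = score
            hits.append({"src": src, "dst": dst,
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every {hit['interval_s']}s (cv={hit['cv']})")
```

Real implants add deliberate jitter and sometimes randomize destinations, so a pure timing check is a starting point rather than a complete detection; combine it with destination reputation, rare-domain analysis, and per-host baselines before acting on a hit.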