What Happened
The Dutch National Police Cybercrime Unit, working with the National Cyber Security Centre of the Netherlands (NCSC-NL), seized 200 servers and dismantled the infrastructure behind Asocks — a residential and mobile proxy service that operated by silently infecting consumer devices with malware. The botnet comprised at least 17 million compromised devices worldwide, including home computers, routers, tablets, smartphones, and internet-connected cameras. Asocks marketed itself as a legitimate commercial proxy service offering 7 million IP addresses across 150 locations, with subscriptions starting at $5 per month. The hosting provider that housed the servers voluntarily shut down the remaining infrastructure once investigators revealed it was being used for criminal purposes.
Police identified the botnet after a tip from an NCSC-NL researcher. Dutch news outlet NL Times reported the takedown is linked to Asocks. Police disclosed that the botnet was used to conduct phishing campaigns, DDoS attacks, credential stuffing, click fraud, and malware distribution. Full details are available at BleepingComputer and Help Net Security.
Why This Matters for Canadian Organizations
Residential proxy botnets like Asocks are a direct threat to Canadian organizations on two fronts. First, Canadian consumer devices — home routers, IoT cameras, and personal computers — are among the device categories routinely recruited into botnets of this type. Canadians whose devices were unknowingly part of the Asocks network had their internet connections used to conduct attacks on others without their knowledge.
Second, organizations defending their networks face a specific challenge from residential proxy traffic: because the attack traffic originates from residential IP addresses, it bypasses IP reputation filters and geographic blocking controls that would catch data centre-based attacks. Credential stuffing, account takeover, and web scraping attacks routed through residential proxies are significantly harder to detect and block. Threat intelligence feeds now carry Asocks-linked IP ranges; Canadian security teams should cross-reference their web application and authentication logs against these indicators.
The takedown also reinforces the importance of the NCSC-NL and Dutch Police as key Five Eyes-adjacent partners. Canada’s CCCS collaborates closely with European cyber agencies, and disruption operations like this directly reduce the attack surface facing Canadian organizations. The operation reflects an accelerating international effort to dismantle commercial cybercrime infrastructure — a priority echoed in Canada’s National Cyber Security Strategy.
What to Do
Cross-reference your web application firewall, authentication, and proxy logs against Asocks-linked IP indicators now available through threat intelligence providers. Review anomalous login attempts and rate-limited authentication events from the past 90 days — these are consistent with credential stuffing routed through residential proxies. If your organization uses residential proxy detection for fraud prevention, update your detection ruleset. Home users should keep router firmware current, change default router credentials, and run reputable endpoint security software to reduce the risk of silent botnet enrollment. Report suspected infected devices to your ISP or to the CCCS at cyber.gc.ca.
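One way to run the cross-reference described above, as an added example that is not part of the original advisory: it matches authentication log source IPs against indicator CIDR ranges and sorts the matches by what to review first. The four-field log format, the function names, and the `min_users` threshold are assumptions, and the ranges are constructed placeholders from documentation address space, not real Asocks indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737), standing in for real indicators.
INDICATOR_CIDRS = ["203.0.113.0/24", "198.51.100.64/26"]
# Constructed sample auth log: "<timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2025-01-10T02:14:01Z 203.0.113.17 alice FAIL
2025-01-10T02:14:02Z 203.0.113.17 bob FAIL
2025-01-10T02:14:03Z 203.0.113.17 carol FAIL
2025-01-10T02:14:05Z 198.51.100.70 dave FAIL
2025-01-10T02:14:09Z 198.51.100.70 dave OK
2025-01-10T02:15:00Z 198.51.100.10 erin FAIL
2025-01-10T08:30:00Z 192.0.2.10 frank OK
2025-01-10T08:31:00Z not-an-ip grace FAIL
"""

def match_indicators(log_text, cidrs):
    """Return {source IP: [(user, result), ...]} for IPs inside an indicator range."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the assumed four-field format
        _, src, user, result = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source field
        if any(ip in net for net in networks):
            hits[src].append((user, result))
    return dict(hits)

def triage(hits, min_users=3):
    """Label each matched IP by what to review first."""
    report = {}
    for src, events in hits.items():
        failed = sorted({u for u, r in events if r == "FAIL"})
        succeeded = sorted({u for u, r in events if r == "OK"})
        if succeeded:  # a login that worked from a proxy exit: review the account
            report[src] = ("successful-login", succeeded)
        elif len(failed) >= min_users:  # one IP trying many usernames
            report[src] = ("many-usernames", failed)
        else:
            report[src] = ("indicator-match", failed)
    return report

print(triage(match_indicators(SAMPLE_LOG, INDICATOR_CIDRS)))
```

Because residential proxy traffic is spread across many addresses, a per-IP username count alone will miss low-volume sources; the indicator match is what surfaces them.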






