Dutch law enforcement dismantled a botnet comprising at least 17 million compromised devices — including computers, tablets, smartphones, and IoT devices — by seizing more than 200 command-and-control servers supporting the operation. A hosting provider cooperated with investigators and shut down the infrastructure upon discovering its criminal purpose.
Scale of the Dutch Botnet Takedown: 17 Million Devices, 200+ Servers Seized
The operation ranks among the largest botnet dismantlements of 2026. At 17 million devices, the compromised network illustrates the scale at which consumer electronics and IoT devices — largely without their owners’ knowledge — are conscripted into criminal infrastructure. The Dutch National Police coordinated the seizure, which targeted the command-and-control layer enabling the botnet’s operators to direct the infected device pool.
How 17 Million Compromised Devices Are Typically Weaponized by Botnet Operators
Botnets of this scale serve multiple criminal use cases simultaneously. Operators typically monetize infected device pools through distributed denial-of-service attacks for hire, spam and phishing campaigns, credential stuffing operations against online services, and proxy network services that route attacker traffic through legitimate-appearing residential and commercial IP addresses. The breadth of device types in this botnet — including smartphones and IoT devices alongside traditional computers — reflects the expansion of the exploitable device pool as internet-connected consumer electronics have proliferated without consistent security update mechanisms.
Unidentified Operators: Who Built and Ran the 17-Million-Device Infrastructure
Dutch police have not publicly identified the botnet’s operator or operators, and the infrastructure has not been attributed to any known threat actor group. The hosting provider’s cooperation was instrumental in the shutdown: after investigators flagged the criminal purpose of the server infrastructure, the provider terminated the operations. Operator anonymity and a globally distributed pool of 17 million infected devices are the standard architecture of large-scale botnet operations designed to resist attribution and law enforcement disruption.
What Remains After the Dutch Botnet Seizure: Infected Devices Still at Risk
Dismantling the command-and-control infrastructure removes the operators’ ability to direct the botnet, but the 17 million infected devices remain compromised unless their owners take action to clean them. Devices that were part of this botnet may be reinfected by other malware operators who discover the vulnerable device pool. Consumers and organizations whose devices show signs of unexplained network activity, performance degradation, or unusual battery drain — common indicators of botnet infection — should run updated security scans and verify their devices are running current firmware and software.
