On May 28, 2026, Dutch authorities announced that a joint operation between the Dutch National Police and the National Cyber Security Centre (NCSC) had successfully disrupted a major botnet. The operation involved seizing more than 200 servers and disabling infrastructure that had infected an estimated 17 million devices globally.
This is one of the larger law enforcement actions against botnet infrastructure to date, and it offers a useful case study in how coordinated takedowns work and why they matter.
What Is a Botnet and Why Does It Matter
A botnet is a network of compromised devices (computers, phones, routers, smart home devices, and servers) controlled by an attacker without the knowledge of the devices' owners. Once infected, each device becomes a "bot" that can be directed to carry out tasks: sending spam, launching DDoS attacks, distributing malware, mining cryptocurrency, or serving as a relay point for further criminal activity.
Botnets are infrastructure. They are not just a way to attack one target. They can be rented to other criminal groups, used to launder activity across thousands of IP addresses, or repurposed for different types of attacks over time.
A botnet with 17 million infected devices represents significant criminal capacity. Even a fraction of those devices, if directed at a single service, can cause serious disruption. That scale also means the botnet was likely used for a range of purposes, not just one.
What the Operation Involved
The Dutch operation seized more than 200 servers. The NCSC and police coordinated the action, which reportedly involved international partners.
Seizing servers is one part of a takedown. The other challenge is that infected devices remain compromised even after the command-and-control infrastructure is removed. The 17 million infected devices around the world still contain the malware or access mechanisms that made them part of the botnet. Removing the C2 infrastructure cuts the attacker's ability to issue commands, but it does not clean up the endpoints.
This gap between infrastructure disruption and endpoint remediation is a persistent challenge in botnet takedowns.
How Devices Get Infected
Understanding the botnet also means understanding the infection path. Devices typically join a botnet through one of several routes:
| Infection Path | How It Works |
|---|---|
| Phishing emails | A malicious attachment or link installs malware when opened or clicked |
| Drive-by downloads | A compromised or malicious website silently installs malware through browser vulnerabilities |
| Software vulnerabilities | Unpatched software with known flaws gives attackers a way in |
| Default or weak credentials | Routers, cameras, and IoT devices with factory passwords are scanned and accessed automatically |
| Malicious downloads | Cracked software, fake utilities, or trojanized apps carry hidden payloads |
| USB and removable media | Physical media can introduce malware in environments where network paths are restricted |
Many infected devices belong to ordinary users who have no idea their device is participating in criminal activity. The device may run slightly slower, or show no symptoms at all.
Why the Scale of This Takedown Matters
Most botnet disruptions target specific malware families or single operators. Seizing more than 200 servers in one action suggests either a concentrated infrastructure, where the operators managed most of their capacity from a relatively small number of hosting providers, or a coordinated multi-jurisdiction action that allowed simultaneous seizures across different countries.
The 17 million figure is an estimate. Botnet size assessments are typically based on sinkholing (redirecting C2 traffic to a controlled server and counting what connects) or on analysis of configuration data found on seized infrastructure. Counts derived from source IP addresses are distorted in both directions: many bots behind one NAT gateway collapse into a single address, while one bot on a DHCP connection shows up under several addresses over time. The real number may be higher or lower, but the scale is significant.
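The following script illustrates why a sinkhole-based population estimate is only an estimate. It is an added example, not code from the NCSC or from this operation; the log format, the addresses (taken from the RFC 5737 documentation ranges) and the bot identifiers are constructed. It compares three counts over the same sinkhole log: cumulative unique IPs (inflated by DHCP churn), peak daily unique IPs (deflated by NAT), and unique bot IDs where the malware sends one.

```python
"""Estimating a botnet's population from sinkhole logs.

Added example, not from the NCSC advisory or any named tool. The log format,
addresses (RFC 5737 documentation ranges) and bot IDs are constructed.
"""
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> src=<ip> [id=<bot id>]".
# The optional id models malware that sends a per-install identifier; the
# entry without one models an older variant that does not.
SINKHOLE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+)(?: id=(?P<id>\S+))?$"
)

# Constructed sample: b02 changes IP every day (DHCP churn), b03 and b04 sit
# behind one NAT address, and 192.0.2.30 never identifies itself.
SAMPLE_SINKHOLE_LOG = """
2026-05-29T10:00:01Z src=198.51.100.4 id=b01
2026-05-29T10:00:05Z src=198.51.100.5 id=b02
2026-05-29T10:01:10Z src=203.0.113.9 id=b03
2026-05-29T10:01:12Z src=203.0.113.9 id=b04
2026-05-30T10:00:02Z src=198.51.100.4 id=b01
2026-05-30T10:00:07Z src=198.51.100.77 id=b02
2026-05-30T10:01:09Z src=203.0.113.9 id=b03
2026-05-30T10:01:15Z src=203.0.113.9 id=b04
2026-05-30T11:30:00Z src=192.0.2.30
2026-05-31T10:00:03Z src=198.51.100.4 id=b01
2026-05-31T10:00:08Z src=198.51.100.78 id=b02
2026-05-31T10:01:11Z src=203.0.113.9 id=b03
""".strip().splitlines()


def parse_sinkhole(line):
    """Return a dict with day, src and id (None if absent), or None on garbage."""
    m = SINKHOLE_RE.match(line.strip())
    return m.groupdict() if m else None


def estimate_population(lines):
    """Compute several population estimates from the same sinkhole log."""
    by_day = defaultdict(set)
    all_ips, bot_ids, ips_with_id, ips_without_id = set(), set(), set(), set()
    for line in lines:
        ev = parse_sinkhole(line)
        if not ev:
            continue
        by_day[ev["day"]].add(ev["src"])
        all_ips.add(ev["src"])
        if ev["id"]:
            bot_ids.add(ev["id"])
            ips_with_id.add(ev["src"])
        else:
            ips_without_id.add(ev["src"])
    # An IP seen only without an ID is at least one more device we cannot name.
    unnamed = ips_without_id - ips_with_id
    return {
        "days": len(by_day),
        # Over-counts: every DHCP lease change looks like a new device.
        "cumulative_unique_ips": len(all_ips),
        # Under-counts: every NAT gateway looks like one device.
        "peak_daily_unique_ips": max((len(s) for s in by_day.values()), default=0),
        # Closest to reality when the malware sends a stable identifier.
        "unique_bot_ids": len(bot_ids),
        "lower_bound_devices": len(bot_ids) + len(unnamed),
    }


def estimate_sample():
    """Run the estimate over the constructed log."""
    return estimate_population(SAMPLE_SINKHOLE_LOG)


if __name__ == "__main__":
    for k, v in estimate_sample().items():
        print(f"{k:24} {v}")
```

On the constructed log the three methods give 6, 4 and 4 for what is really 5 devices. A published figure such as "17 million" is therefore best read as the output of one of these methods over some observation window, not as a device inventory.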
Large botnets are often associated with criminal groups that operate them as services. The disruption affects not just the original operators but anyone who was renting access to the botnet.
The Role of the NCSC
The involvement of the Dutch NCSC alongside law enforcement is significant. Cyber operations against criminal infrastructure increasingly require both legal authority (arrests, seizures, warrants) and technical expertise to understand and dismantle the systems involved.
The NCSC brings threat intelligence, malware analysis, and coordination with the broader security community. That combination allows takedown operations to go beyond simple seizure and actually understand what the infrastructure was doing, who it affected, and how to notify victims.
Victim notification is one of the harder parts of botnet takedowns. The NCSC and similar agencies often work with ISPs and national CERTs to identify and alert affected users or organizations.
What Affected Users and Organizations Should Do
If your device or network was part of this botnet, you may not know it. The general remediation advice applies:
For individuals:
- Run a full malware scan using reputable security software.
- Update your operating system, browser, and all installed software.
- Change passwords, especially if you suspect any accounts may have been accessed.
- Check router firmware and change default credentials if you have not done so.
- If you have any IoT devices (cameras, smart speakers, home automation), check whether they use default passwords and whether firmware updates are available.
For organizations:
- Review outbound network traffic logs for anomalous connections, especially to uncommon IP addresses or domains.
- Look for unusual DNS queries, beaconing patterns, or large outbound data transfers at odd hours.
- Correlate endpoint alerts with network logs to identify hosts that may have been beaconing to C2 infrastructure.
- Patch known vulnerabilities, particularly on internet-facing systems.
- Review credential policies for any service accounts or administrative accounts that could have been used for lateral movement.
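A minimal beaconing detector over outbound connection logs, as an added example of the check described above. It is not code from the NCSC or from any product; the log format, the hosts (10.0.0.0/8 internally, RFC 5737 documentation ranges externally), the sample events and the thresholds are assumptions. A bot polling its C2 on a timer produces inter-arrival times with very low relative spread; the script groups events per (source, destination, port) flow and flags flows whose jitter (standard deviation divided by mean interval) falls under a threshold.

```python
"""Beaconing detection over outbound connection logs.

Added example, not from the NCSC advisory or any named tool. The log format,
hosts, sample events and thresholds are assumptions made for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: 10.0.0.5 polls 203.0.113.7 roughly every five minutes
# (a few seconds of jitter), 10.0.0.8 is a person browsing 198.51.100.30,
# and 10.0.0.9 makes too few connections to judge.
SAMPLE_LOG = """
2026-05-29T00:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2026-05-29T00:00:10Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=9021
2026-05-29T00:00:12Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=77310
2026-05-29T00:01:00Z src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=500
2026-05-29T00:03:40Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=1200
2026-05-29T00:04:01Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=64000
2026-05-29T00:05:03Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=415
2026-05-29T00:09:58Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=411
2026-05-29T00:11:00Z src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=500
2026-05-29T00:15:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=413
2026-05-29T00:19:30Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=3300
2026-05-29T00:19:31Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=120400
2026-05-29T00:20:05Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2026-05-29T00:21:00Z src=10.0.0.9 dst=198.51.100.20 dport=443 bytes=500
2026-05-29T00:24:57Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=414
2026-05-29T00:30:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=412
2026-05-29T00:31:00Z src=10.0.0.8 dst=198.51.100.30 dport=443 bytes=8800
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def find_beacons(lines, min_events=6, max_jitter=0.2):
    """Return flows whose inter-arrival times are suspiciously regular.

    jitter = pstdev(intervals) / mean(intervals). A fixed-timer poll scores
    near 0; human-driven traffic scores well above max_jitter.
    """
    flows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            flows[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
    results = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few observations to call it regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            results.append({"src": src, "dst": dst, "dport": dport,
                            "events": len(stamps),
                            "interval_s": round(mean, 1),
                            "jitter": round(jitter, 3)})
    return sorted(results, key=lambda r: r["jitter"])


def detect_sample():
    """Run the detector over the constructed log."""
    return find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in detect_sample():
        print(hit)
```

Treat hits as leads, not verdicts: update checkers and telemetry agents also poll on timers, so each flagged destination needs to be checked against published IoCs, passive DNS and endpoint data. Conversely, some malware adds deliberate random sleep to defeat exactly this heuristic, so in practice the jitter threshold is widened and combined with destination rarity and response sizes.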
For everyone:
Pay attention to victim notification. The NCSC and cooperating agencies may publish indicators of compromise (IoCs) or notification mechanisms for potentially affected parties. Check whether your national CERT or NCSC equivalent has issued any advisories related to this operation.
Why These Takedowns Are Difficult to Sustain
Law enforcement actions against botnets are meaningful, but the disruption is rarely permanent. Criminal groups can rebuild infrastructure, reinfect devices, and resume operations, sometimes within weeks.
Several factors make lasting disruption difficult:
- Hosting providers in permissive jurisdictions can be hard to compel into action.
- Criminal operators often use bulletproof hosting services designed to resist takedowns.
- Infected devices remain compromised unless actively cleaned.
- Malware can include backup C2 mechanisms that activate if the primary infrastructure goes down.
- Operators who are not arrested can simply rebuild.
This is why takedowns are most effective when combined with arrests, criminal prosecution, and disruption of financial flows. Infrastructure seizure alone buys time but does not permanently remove the threat.
The Broader Pattern
The Dutch operation fits into an ongoing pattern of coordinated international law enforcement activity against cybercriminal infrastructure. Recent years have seen similar actions against ransomware groups, infostealer operations, and DDoS-for-hire services.
What distinguishes the more effective operations is the combination of factors: simultaneous seizures across multiple jurisdictions, arrests of key operators, financial disruption, and public attribution. The more of these elements a takedown includes, the harder it becomes for operators to simply resume activity.
For defenders, the lesson is not to rely on law enforcement to solve the problem. Takedowns help, but infected devices remain a risk even after C2 infrastructure is disrupted. The best defense is still prevention: patching, strong credentials, network monitoring, and endpoint security.
What to Watch For Next
Following a major botnet takedown, several things typically happen:
- The operators, if not arrested, look for ways to rebuild. New C2 infrastructure may appear using similar malware with modified signatures to evade detection.
- Competing criminal groups may attempt to take over or reinfect the same pool of compromised devices.
- Law enforcement may publish indicators of compromise and request that ISPs and organizations check for signs of infection.
The NCSC advisory and any follow-on technical reporting should be treated as active resources. Organizations should review published IoCs against their own logs and endpoint data.
Sources:
- NCSC, "Gezamenlijke actie politie en NCSC legt groot botnetwerk plat" (Joint action by police and NCSC takes down large botnet)
