Cybersecurity

Your phone or router may have been one of 17 million devices secretly rented out

Susan Hill

A botnet does not always announce itself by slowing your phone to a crawl or flooding the screen with pop-ups. The network that Dutch police just dismantled did almost nothing an ordinary owner would notice. It quietly borrowed a sliver of more than 17 million devices, including computers, smartphones, tablets, home routers and internet-connected gadgets, and rented their connections out to strangers. If one of those devices was yours, someone you will never meet may have been browsing, scraping or attacking websites through your home line for months.

The Dutch National Police and the country’s National Cyber Security Centre took the operation offline after seizing around 200 servers from a hosting provider inside the Netherlands. Investigators describe the network as a residential proxy service, a system that routes other people’s traffic through real consumer devices so it looks like ordinary household browsing. That disguise is the whole product. Traffic that appears to come from a genuine home address slips past the fraud filters that would instantly block a known data-center server, which is exactly why residential proxies are prized by advertisers, data scrapers and criminals alike.

Dutch reporting has tied the infrastructure to ASOCKS, a Russia-based company that sells residential and mobile proxy access commercially. On the surface ASOCKS looks like a normal subscription business. The problem is where its residential connections come from. Security researchers have argued for years that a large share of the devices feeding networks like this were never knowingly enrolled, and that their owners had no idea their bandwidth was on sale.

The devices were recruited in a few different ways, and most of them came down to misplaced trust in free software. Some people installed a free app, such as a wallpaper tool, a phone utility or an unofficial VPN, that quietly bundled proxy software in the background. On Android, a code library known as PROXYLIB, tucked inside a software development kit that app makers dropped into their products, signed phones up as proxy nodes without asking. Other machines were infected with malware that installed the same capability outright. In every case the device kept working normally while its connection was put to work for someone else.

Once a device joined the pool, its connection could be used for almost anything that benefits from looking like an innocent home user. Dutch authorities say the network fed phishing campaigns, spam, distributed denial-of-service attacks that knock services offline, credential stuffing and brute-force login attempts, click fraud, and SMS pumping, in which automated sign-ups trigger floods of verification texts to premium-rate numbers the fraudster profits from. A single hijacked router does not generate much of that on its own. Seventeen million of them, pooled together, become serious infrastructure.

The takedown is real, but it is not a cure. Police seized the servers that coordinated the network, yet the ASOCKS website was still reachable afterward, and how much of the underlying business was actually destroyed remains unclear. Pulling the command servers does not automatically clean the 17 million devices, because bundled proxy code and malware can sit on a phone or router untouched until a new controller picks them up. Residential-proxy abuse is also a market rather than a single company. Shut one network down and demand migrates to the next, because the legitimate appetite for real addresses, from ad-verification firms to AI companies scraping the web, keeps the model profitable.

For scale, 17 million devices places this among the largest proxy networks ever taken offline, far bigger than many of the malware botnets that make headlines. Unlike a ransomware infection, though, there is rarely an obvious symptom. The clues tend to be mundane. A router that runs hot or reboots for no reason, a home plan that keeps bumping into its data cap, a phone whose battery and data drain do not match how you actually use it, or being asked to solve CAPTCHA puzzles again and again because websites think your address looks suspicious.
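Those clues are easier to spot at the router than on the device itself. A home device normally talks to a few dozen hosts, almost all over port 443, and downloads far more than it uploads. A device that has been turned into a proxy exit fans out to hundreds of unrelated destinations, on ports it never used before, and uploads roughly as much as it downloads because it is relaying a stranger's requests. The script below is an added example, not code from the article or from any tool it names: it parses per-flow records of the kind a router, conntrack or NetFlow collector can export, and flags devices whose fan-out looks like a proxy node. The flow-log format, the device names and the thresholds are all assumptions chosen for illustration.

```python
"""
Added example: heuristic detection of a residential-proxy node from per-device
flow records. The log format, device names and thresholds are assumptions for
illustration, not values taken from the article or from any real collector.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    device: str      # local device as the router labels it (name or MAC)
    dst: str         # destination IP address
    dport: int       # destination port
    bytes_out: int   # bytes sent by the home device
    bytes_in: int    # bytes received by the home device


def parse_flows(text):
    """Parse constructed 'device dst:port bytes_out bytes_in' lines.
    Blank lines and '#' comments are skipped; IPv6 must be bracketed."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, dst_port, out_b, in_b = line.split()
        dst, port = dst_port.rsplit(":", 1)
        dst = dst.strip("[]")
        ipaddress.ip_address(dst)  # raises ValueError on garbage input
        flows.append(Flow(device, dst, int(port), int(out_b), int(in_b)))
    return flows


def score_devices(flows, max_dsts=150, max_ports=5, max_upload_ratio=0.5):
    """Return {device: [reasons]} for devices that trip at least two of three
    signals: too many distinct destinations, too many distinct destination
    ports, and an upload/download byte ratio above what browsing produces.
    Requiring two signals keeps a single busy BitTorrent session or a backup
    job from being flagged on its own."""
    dsts, ports = defaultdict(set), defaultdict(set)
    out_b, in_b = defaultdict(int), defaultdict(int)
    for f in flows:
        dsts[f.device].add(f.dst)
        ports[f.device].add(f.dport)
        out_b[f.device] += f.bytes_out
        in_b[f.device] += f.bytes_in

    suspicious = {}
    for dev in dsts:
        reasons = []
        if len(dsts[dev]) > max_dsts:
            reasons.append(f"{len(dsts[dev])} distinct destinations")
        if len(ports[dev]) > max_ports:
            reasons.append(f"{len(ports[dev])} distinct destination ports")
        ratio = out_b[dev] / max(in_b[dev], 1)
        if ratio > max_upload_ratio:
            reasons.append(f"upload/download ratio {ratio:.2f}")
        if len(reasons) >= 2:
            suspicious[dev] = reasons
    return suspicious


def constructed_sample():
    """Synthetic flow log (constructed, not captured): a laptop streaming video
    and a router that has been enrolled as a proxy exit."""
    lines = ["# device dst:port bytes_out bytes_in"]
    # Laptop: a dozen CDN hosts, all on 443, heavily download-biased.
    for i in range(12):
        lines.append(f"laptop 203.0.113.{i + 1}:443 20000 900000")
    # Proxy node: 240 unrelated hosts, mixed ports, near-symmetric bytes.
    ports = [443, 80, 8080, 25, 587, 5222, 993]
    for i in range(240):
        lines.append(f"router 198.51.100.{i + 1}:{ports[i % len(ports)]} 40000 45000")
    return "\n".join(lines)


if __name__ == "__main__":
    for dev, reasons in score_devices(parse_flows(constructed_sample())).items():
        print(f"{dev}: {'; '.join(reasons)}")
```

Run against a day of real flow records the same way; tune the thresholds to the household first, because a game console or a cloud backup can legitimately upload a lot, which is why the script only flags a device when two independent signals agree.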

Because the infected devices were scattered worldwide rather than concentrated in any one country, the risk is not regional. Anyone running an aging router or a cheap Android phone loaded with free utilities could have been swept in. The practical defenses are unglamorous and familiar. Keep routers and phones updated, delete free apps you do not actually use, steer clear of sideloaded software and unofficial VPNs that promise something for nothing, and restart a router that has been running untouched for years. A reboot only clears malware that lives in memory; if the device keeps rejoining a proxy pool, it needs a firmware update or a factory reset, not another restart.

The case began when a security researcher flagged suspicious proxy activity to the NCSC, and Dutch authorities have signaled that their analysis of the seized servers is continuing, with no arrests announced so far. What it makes clear is that the device economy now includes a black market in your bandwidth. The next time an app costs nothing, the product being sold may be the internet connection you are already paying for.
