17 Million Devices Freed: Dutch Police Botnet Takedown
Just saw the breaking news about the Dutch Politie and NCSC dismantling a massive botnet infrastructure. The scale here is honestly staggering—17 million infected devices spanning IoT, mobile, and workstations, with over 200 C2 servers hosted in the Netherlands alone.
While the disruption is a win, the sheer volume of IoT devices implies this is likely a Mirai-variant or similar commodity malware targeting weak telnet/SSH credentials. With the C2s seized, we're going to see a lot of devices attempting to phone home to sinkholes.
If you're monitoring network telemetry, you might want to start hunting for high-frequency connection attempts to the seized IP ranges (once published) on non-standard ports. Here is a quick KQL query to start hunting for devices broadcasting potential C2 beacons on common IoT ports:
DeviceNetworkEvents
// Common IoT management/service ports abused by commodity botnets
| where RemotePort in (23, 2323, 80, 8080, 37215)
// Drop the usual legitimate initiators so the noise floor is lower
| where InitiatingProcessFileName !in ("system", "services.exe", "sshd")
// Count connections per device/destination/port and keep the chatty ones
| summarize Count = count() by DeviceName, RemotePort, RemoteIP
| where Count > 50
| order by Count desc
The real challenge remains remediation. We can patch servers, but how do you force a patch on 17 million smart lightbulbs or cheap cameras?
How are you guys handling IoT segmentation to prevent this kind of recruitment in your environments? Are we seeing a shift towards zero-trust for 'dumb' devices yet?
Great post. We've started seeing a spike in blocked traffic on our edge firewalls, likely devices trying to reconnect to the dead C2s. For IoT segmentation, we're strictly enforcing 802.1X where possible, but for legacy gear that doesn't support it, we dump them into a dedicated 'quarantine' VLAN with no internet access—only local management. It's a pain to manage, but it beats being part of a 17-million-strong DDoS army.
The numbers are wild. Most of these infections stem from default credentials. I've been using a simple Python script to audit our local subnet for open Telnet/SSH during internal assessments. It's terrifying how many devices still ship with 'admin/admin'.
import socket
import sys
import ipaddress

def check_port(ip, port):
    """Return True if a TCP connect to ip:port succeeds within 1 second."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)
    result = s.connect_ex((ip, port))  # 0 means the connect succeeded
    s.close()
    return result == 0

# Usage: python audit.py 192.168.1.0/24  (iterates over every host in the subnet)
if __name__ == "__main__":
    for host in ipaddress.ip_network(sys.argv[1], strict=False).hosts():
        for port in (22, 23, 2323):
            if check_port(str(host), port):
                print(f"{host}:{port} open")
From a SOC perspective, this takedown actually makes our job harder in the short term. We used to see stable, high-volume traffic to known bad IPs which were easy to block. Now, the residual scanning from these 'orphaned' bots looks more like horizontal worm activity than C2 beacons. We're updating our rules to look for the behavioral pattern—rapid sequential connection attempts across the /24 subnet—rather than just destination IPs.
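The two detection ideas in this thread, the first post's beacon count per (device, destination, port) and the behavioral "rapid sequential connection attempts across a /24" pattern in the post above, can be checked offline against flow records. The following is an added example written for this thread, not code from either poster; it runs over constructed sample telemetry (documentation-range addresses, a made-up `ts src dst dport action` line format, and thresholds chosen for illustration), so the column names and numbers are assumptions rather than any vendor's schema.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Same port set the thread's KQL hunts on (telnet, alt-telnet, HTTP, alt-HTTP, 37215).
IOT_PORTS = {23, 2323, 80, 8080, 37215}


@dataclass
class Flow:
    ts: int       # seconds, relative to the start of the sample
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'ts src dst dport action' lines (a constructed format, not a real vendor schema)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, _action = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def beacon_candidates(flows, threshold=50):
    """Mirror of the first post's KQL: flows per (src, dst, port) on IoT ports, above a threshold."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport in IOT_PORTS:
            counts[(f.src, f.dst, f.dport)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def horizontal_scanners(flows, window=60, min_hosts=20):
    """Flag sources that touch >= min_hosts distinct destinations in one /24 within `window` seconds.

    Returns {src: (target_net, distinct_hosts_in_densest_window, sequential)}, where
    `sequential` is True if the destination addresses were hit in strictly ascending order,
    which is what a linear sweep of a subnet looks like.
    """
    per_pair = defaultdict(list)
    for f in flows:
        net = ipaddress.ip_network(f"{f.dst}/24", strict=False)
        per_pair[(f.src, str(net))].append((f.ts, int(ipaddress.ip_address(f.dst))))

    hits = {}
    for (src, net), seen in per_pair.items():
        seen.sort()                       # chronological order (ts, then address)
        best, start = 0, 0
        for end in range(len(seen)):      # sliding time window over the sorted flows
            while seen[end][0] - seen[start][0] > window:
                start += 1
            distinct = len({addr for _, addr in seen[start:end + 1]})
            best = max(best, distinct)
        if best >= min_hosts:
            addrs = [addr for _, addr in seen]
            sequential = all(b > a for a, b in zip(addrs, addrs[1:]))
            hits[src] = (net, best, sequential)
    return hits


def build_sample():
    """Constructed telemetry: one orphaned beaconer, one horizontal scanner, one benign client."""
    lines = []
    # 10.0.5.21 retries a dead C2 on telnet every 10 s for 10 minutes: 60 flows to one (dst, port)
    lines += [f"{t} 10.0.5.21 203.0.113.10 23 blocked" for t in range(0, 600, 10)]
    # 10.0.5.33 sweeps 10.0.6.1 - 10.0.6.40 on telnet, one host per second, in address order
    lines += [f"{100 + i} 10.0.5.33 10.0.6.{i + 1} 23 blocked" for i in range(40)]
    # 10.0.5.40 makes a handful of ordinary HTTP requests to a single server
    lines += [f"{t} 10.0.5.40 198.51.100.5 8080 allowed" for t in range(0, 50, 10)]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print("beacon candidates:", beacon_candidates(flows))
    print("horizontal scanners:", horizontal_scanners(flows))
```

The point of keeping both detectors side by side is that they are disjoint on this sample: the beaconer never exceeds one distinct destination per /24, and the scanner never exceeds one flow per (src, dst, port), so the destination-count rule alone would miss the post-takedown scanning behavior that the SOC reply describes.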
Valid point, Sam. The 'noise' from orphaned devices can mask real threats. To help prioritize cleanup, we've been aggregating firewall logs to spot high-frequency scanners. This KQL query helps isolate the worst offenders by vendor and IP so we can push for patching or replacement:
FirewallEvents
// Only blocked outbound telnet attempts, which is where the orphaned bots show up
| where DestinationPort in (23, 2323) and Action == "Blocked"
| summarize Count = count() by SourceIP, SourceVendor
| top 10 by Count