Russia cybersecurity policy

Dutch Takedown of the 17-Million-Device ASOCKS Botnet Shows Infrastructure Raids Can't Fix a Consent Problem

Seizing 200 servers disrupted a Russia-linked residential proxy network, but the apps that conscripted users and the service itself survived.

[Infographic: Anatomy of the ASOCKS Takedown (People of Internet Research · Russia). 17M infected devices in botnet; 200 servers seized in NL; 28+ Android apps in PROXYLIB; ~7M ASOCKS proxy IP pool. Source: peopleofinternet.com]

Key Takeaways

On May 28, 2026, the cybercrime team of the police unit in The Hague and the Netherlands' National Cyber Security Centre (NCSC) seized roughly 200 servers and took offline a botnet of at least 17 million infected devices. According to the NCSC's own statement, the case began when a security researcher flagged the network; the host then pulled the infrastructure because it was being used for criminal purposes. Dutch and international outlets quickly linked the operation to ASOCKS, a Russia-based residential proxy service that markets access to roughly seven million IP addresses across 150 locations for $5–$15 a month.

The scale is genuinely large, and the police work is real. But the most instructive detail is what didn't happen: the ASOCKS website stayed up, and every conscripted device — routers, phones, tablets, smart cameras — remained infected the day after the raid. That gap between a dramatic seizure and a barely dented business is the policy story.

What ASOCKS actually is

Residential proxies route traffic through ordinary consumer connections so the requests look like they come from a real home rather than a data center. There are legitimate uses — ad verification, brand-protection scraping, price comparison, geolocation testing. There is also a thriving criminal market, because traffic that looks residential evades the IP-reputation filters that block known cloud and bot ranges. The same property that helps a retailer check whether its ads display correctly in Jakarta lets an attacker launder phishing, spam, credential-stuffing, and DDoS traffic through a stranger's broadband line.

The technology is not the offense. The offense is how the supply is sourced. In April 2024, HUMAN's Satori Threat Intelligence team documented a campaign it named PROXYLIB, in which at least 28 free Android apps on Google Play — many of them VPN utilities — silently enrolled users' phones into a proxy pool tied to ASOCKS, using an SDK from a company called LumiApps. Google removed the apps, but the model is durable: bundle proxyware into something free and useful, bury the enrollment in terms nobody reads, and sell the resulting bandwidth. The Dutch operation makes clear that consent was not obtained from the 17 million device owners.

Steelman the case for hard rules

The instinct to regulate residential-proxy providers aggressively is reasonable. A market that monetizes hijacked consumer devices, fronts for a Russia-based operator beyond European reach, and supplies the infrastructure for DDoS and fraud looks like a textbook negative externality. If a provider cannot prove that every IP in its pool was contributed knowingly, the argument goes, the service is built on a foundation of unauthorized computer access and should be treated accordingly. Mandatory provenance auditing, sanctions exposure for proxy resellers, and strict app-store liability all flow naturally from that premise — and the cross-border, sanctions-resistant nature of an operator like ASOCKS makes the case for muscular intervention stronger, not weaker.

Why a proportionate response beats a broad one

The risk is that lawmakers, reaching for the biggest available lever, target the technology — proxy services, VPNs, scraping tools — rather than the conduct: unconsented enrollment. That would be a mistake on both innovation and effectiveness grounds.

The ASOCKS takedown itself is the proof. Dutch authorities did exactly what infrastructure-based enforcement allows — they found servers on their soil and seized them — and the service shrugged. ASOCKS is incorporated outside the EU's enforcement reach; the command servers happened to sit in a Dutch data center, but the business does not depend on any single host. Treating residential proxies as inherently illicit would burden the legitimate ad-verification, security-research, and localization-testing firms that operate in plain sight inside the EU, while the genuinely abusive operators — already offshore and already criminal — simply re-rack elsewhere. You would tax the compliant and miss the target.

The more precise lever sits upstream, where consent is actually broken: the app stores and SDKs. The PROXYLIB pattern is a distribution-and-disclosure failure. Google Play Protect now flags PROXYLIB, and Google pulled the apps — that is the enforcement surface that scales, because it sits at a chokepoint inside Western jurisdiction. A proportionate framework would (1) require explicit, separable, plain-language consent before any app sells a user's bandwidth, treating buried proxyware enrollment as the deceptive practice it is; (2) hold SDK vendors and the app marketplaces that distribute them to a clear disclosure-and-takedown standard; and (3) reserve the heaviest tools — sanctions, criminal referral — for operators who knowingly source from malware, which the Dutch evidence shows ASOCKS did.

That approach is enforceable where the actors actually are, and it leaves the dual-use technology — and the privacy-protecting VPN market that millions rely on — intact. The EU already has most of the scaffolding: the Digital Services Act's due-diligence and notice-and-action duties for platforms, the GDPR's consent standard, and the NIS2 directive's incident-reporting regime. The gap is not missing authority; it is aiming existing authority at the consent fraud rather than at the proxy category.

The Russia angle, and the limit of takedowns

That ASOCKS is Russia-based is not incidental. It places the operator beyond European indictment and beyond meaningful sanctions enforcement, which is precisely why a server raid — however large — buys disruption, not closure. The honest lesson from May 28 is that infrastructure seizures are necessary but insufficient. The 17 million figure is a measure of how many consumer devices were compromised through weak security and deceptive apps, not of how many criminals were stopped. Durable progress comes from cutting off the supply of unwitting devices at the app-store and disclosure layer, hardening default device security, and sustaining the cross-border cooperation that surfaced this network in the first place — not from declaring a useful, dual-use technology guilty by category.

Sources & Citations

  1. NCSC (Netherlands) — official press release
  2. BleepingComputer — PROXYLIB/LumiApps free VPN apps turn Android phones into proxies, linked to ASOCKS
  3. BleepingComputer — Dutch govt disrupts 17M-device botnet
  4. The Hacker News — Dutch authorities dismantle botnet
  5. Security Affairs — Botnet of 17M devices dismantled