May 30, 2026

Microsoft Plays Legal Hardball While Dutch Police Crush Massive Botnet

Microsoft Threatens Legal Action Over Public Zero-Day Exploit Disclosures
SECURITY

Here's a fun contradiction: Microsoft is threatening criminal action against a security researcher for publicly disclosing vulnerabilities — while simultaneously employing people who have done exactly that, some with actual criminal hacking convictions on their resumes.

The researcher in question goes by Nightmare Eclipse, and they've been posting proof-of-concept exploit code for unpatched Microsoft vulnerabilities out in the open, without following what Microsoft considers proper disclosure protocols. Some of their posts hint at a personal grudge, suggesting a former employee situation gone sideways. Microsoft's response has been aggressive: it flagged potential criminal charges for failing to follow "responsible disclosure" procedures and got Nightmare Eclipse's accounts on GitHub, GitLab, and Microsoft's own Security Response Center wiped out.

That last part is where things get genuinely awkward for Microsoft. Security researcher Kevin Beaumont, who has been following this feud closely, pointed out the obvious problem: you can't ban someone from every reporting channel and then turn around and demand they report vulnerabilities responsibly. That's not a policy. That's a trap.

But the hypocrisy runs deeper than a locked account. Microsoft has a long, documented history of hiring researchers who built their reputations on exactly the kind of public exploit drops it's now threatening to prosecute. The company has also purchased vulnerability information from brokers — people who operate in the gray market of security research, far outside any "responsible disclosure" framework. So the principle Microsoft is trying to enforce here is one it has never consistently applied to itself.

The legal threat is also shaky on its merits. Responsible disclosure frameworks are not laws. They're industry norms, and even those norms are contested. Researchers have been publicly posting zero-days as a pressure tactic for decades, usually because vendors dragged their feet on fixes. Courts have generally been reluctant to criminalize security research, and a case built around "you didn't follow our preferred reporting process" would face an uncomfortable amount of scrutiny into Microsoft's own track record.

What Microsoft probably wants here is deterrence. If you make enough noise about legal action, other researchers might think twice before posting embarrassing vulnerabilities publicly. That's a legitimate business interest. But the execution has been clumsy. Banning someone from your reporting infrastructure and then complaining they didn't report properly is the kind of move that makes the entire security community trust you a little less.

The broader stakes matter here. When big companies use legal threats to manage vulnerability disclosure, it chills the research ecosystem. Researchers who find serious bugs start calculating legal risk before deciding whether to report them. That calculus does not end well for users who are sitting on unpatched software while a company and a researcher argue about procedure on social media.

Microsoft has real security problems. Picking a very public, very winnable-looking fight with one disgruntled researcher is not how you solve them.
Source: The Verge

17 Million Device Botnet Tied to Russian Proxy Network Dismantled
SECURITY

Seventeen million devices. Let that number sit for a second. Dutch authorities just dismantled a botnet that had quietly conscripted more devices than the population of the Netherlands itself, all of them funneling traffic through a network linked to a Russian proxy service.

The takedown was a joint operation between Dutch police and the National Cyber Security Center, triggered after a security researcher flagged the network to authorities. The botnet's infrastructure was physically hosted in the Netherlands, which gave law enforcement a clean jurisdictional hook. Once investigators identified the servers, the hosting provider pulled the plug — shutting down the operation rather than letting it run under surveillance.

The network has been tied to ASOCKS, a Russia-based company that sells residential proxy services. If you're not familiar with the business model, here's the short version: ASOCKS routes customers' internet traffic through real devices — your laptop, your phone, your smart TV — so that the traffic looks like it's coming from ordinary residential users rather than a data center. That's useful if you're trying to scrape websites at scale, dodge geo-restrictions, or, in less polite applications, run phishing campaigns or DDoS attacks without getting traced back to an obvious source.

The connection to ASOCKS isn't new intelligence. Security firm Human flagged the link back in 2024, when researchers found a botnet called Proxylib feeding infected device addresses directly into ASOCKS infrastructure. They also found 28 apps in the Google Play store that had silently enrolled up to 190,000 devices into the network without telling users anything useful about what was happening. ASOCKS has not responded to press inquiries.

What's still unclear is how the full 17 million devices ended up in this particular botnet. The infection vectors are familiar: unpatched software vulnerabilities, malicious apps, or apps that technically disclose the proxy arrangement somewhere in fine print that nobody reads. The ambiguity matters because it affects what users can actually do to protect themselves.

The practical advice is unsexy but real. Keeping devices updated, ditching software that no longer receives security patches, and being selective about which apps you install all reduce your exposure meaningfully. If an app doesn't offer you obvious value, it probably shouldn't be on your device. That's not paranoia — it's just basic hygiene at a time when the attack surface includes everything from phones to routers to smart home gadgets that haven't seen a firmware update since 2019.

The scale of this takedown is worth pausing on. Seventeen million compromised devices represent a serious offensive capability — one that can make malicious traffic look indistinguishable from normal residential internet use. That's exactly what makes residential proxy botnets so attractive to bad actors and so difficult for defenders to filter out. Dismantling one this size is a genuine win, even if the underlying infrastructure behind these operations tends to rebuild faster than law enforcement can dismantle it.
Source: Ars Technica
