Dutch police arrests suspect linked to Ajax football club hack

Source: Bleeping Computer

The Dutch National Police arrested a 35‑year‑old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year.

Arrest of the suspect

The suspect was taken into custody in Buren. According to a Tuesday press release, he is believed to have hacked into the club’s systems multiple times.

“On the morning of Tuesday, May 26, the police arrested a 35‑year‑old man from the municipality of Buren for computer trespassing at the Amsterdam football club Ajax. The man is suspected of deliberately unlawful intrusion into Ajax’s computer systems several times,” the police said.

“In early 2026, Ajax was confronted with the computer trespass after the suspect granted himself access to the football club’s computer systems. After the police were informed, the criminal investigation department started an investigation in which the suspect from the municipality of Buren came into the picture.”

Impact on AFC Ajax

AFC Ajax disclosed the incident in late March, stating that the attacker exploited vulnerabilities in its IT systems to access data belonging to a few hundred individuals. The vulnerability also allowed:

• Modifying stadium bans imposed on fewer than 20 individuals.
• Transferring purchased tickets to others.

According to an RTL report, the same security flaw enabled broad access to fan data via APIs and shared keys. The hacker demonstrated how they could:

• Reassign a VIP season ticket in seconds.
• Manipulate 538 supporter stadium bans, 42 000 season tickets, and view details on more than 300 000 accounts.

The club has since patched the exploited vulnerabilities and notified the Dutch Data Protection Authority and the police of the incident.

Related law‑enforcement actions

• In September 2025, the Dutch National Police arrested two teenage boys suspected of spying for Russia using a Wi‑Fi sniffer device near Europol, Eurojust offices, and the Canadian embassy – see the report on BleepingComputer.
• More recently, financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web‑hosting company that enabled cyberattacks, interference operations, and disinformation campaigns – see the coverage on BleepingComputer.