A 35-year-old man has been arrested by the Dutch National Police for allegedly hacking the systems of Dutch football club AFC Ajax earlier this year. The suspect, arrested in the municipality of Buren on May 26, is accused of illegally accessing Ajax’s computer systems multiple times. According to police, the investigation began after the club reported suspicious activity in early 2026 involving unauthorized access to internal systems.
Ajax first disclosed the breach in March, revealing that attackers exploited vulnerabilities in its IT infrastructure to access personal data belonging to several hundred individuals. The flaws also allowed to manipulate stadium bans affecting fewer than 20 supporters and enabled ticket transfers between accounts.
Dutch broadcaster RTL later reported that the attacker allegedly demonstrated how they could access fan data through vulnerable APIs and share authentication keys, reassign VIP season tickets within seconds, and potentially manipulate 538 supporter bans and 42,000 season tickets. Reports also indicated that details linked to more than 300,000 accounts could be viewed through the compromised systems.
Ajax has since patched the vulnerabilities and notified both the Dutch Data Protection Authority and law enforcement agencies.
Last week, Dutch financial crime agency seized 800 servers linked to a hosting company allegedly facilitating cyberattacks, disinformation campaigns, and interference operations linked to Russian hackers.