Dutch authorities have seized approximately 800 servers and arrested two suspects accused of operating hosting infrastructure used to support cyberattacks, disinformation campaigns, and influence operations linked to sanctioned Russian entities.
The operation was carried out by the Netherlands’ Fiscal Information and Investigation Service (FIOD), which confirmed raids were conducted at data centers in Dronten and Schiphol-Rijk, along with additional searches in Enschede and Almere. Investigators also confiscated laptops, mobile phones, and business administration records during the operation.
Authorities arrested a 57-year-old man identified as the director of the hosting company and a 39-year-old man accused of operating a separate internet connectivity provider connected to the infrastructure. According to Dutch investigators, both suspects indirectly provided technical and economic support to Russian and Belarusian entities currently under European Union sanctions.
The investigation centers on Stark Industries, a hosting company established in February 2022, shortly before Russia’s invasion of Ukraine. The European Union sanctioned the company in 2025 over allegations that its infrastructure supported cyberattacks and destabilization campaigns targeting European organizations and institutions.
Dutch investigators believe the hosting operation attempted to bypass sanctions after the EU restrictions were imposed. Authorities claim infrastructure connected to Stark Industries was transferred to a newly created Dutch company that allegedly functioned as a front organization, allowing operations to continue under a different name.
Reports from Dutch media identified one of the investigated firms as WorkTitans B.V., which operated hosting services under the brand THE.Hosting. Danish authorities and internet infrastructure providers reportedly linked the network to cyber operations conducted by the pro-Russian hacktivist group NoName057(16), known for launching distributed denial-of-service attacks against governments, public institutions, and critical infrastructure across Europe.
Authorities are also investigating Mirhosting, an infrastructure provider accused of supplying physical servers, colocation services, and high-capacity internet connectivity through major European internet exchanges. Investigators believe the company acted as a transport layer, routing malicious traffic through European infrastructure.
The Dutch crackdown highlights increasing efforts by European authorities to target the infrastructure enabling cybercrime and influence operations rather than focusing solely on individual hacking groups. Investigators say hosting providers that knowingly support malicious activity can play a critical role in sustaining cyberattacks, ransomware campaigns, botnets, and disinformation operations.
Cybersecurity researchers have long warned that certain hosting providers offer so-called “bulletproof hosting” services designed to ignore abuse complaints and shield cybercriminal infrastructure from takedowns. These services are frequently used by ransomware gangs, phishing operators, malware distributors, and state-aligned threat actors.
Dutch authorities stated the investigation remains ongoing and additional arrests or infrastructure seizures could follow as forensic analysis of the seized servers continues.