Netherlands Seizes 800 Servers Linked to Hosting Firm Behind Cyberattacks and Disinformation

Netherlands Seizes 800 Servers Linked to Hosting Firm Enabling Cyberattacks

OverviewFinancial crime investigators in the Netherlands conducted a major enforcement operation tied to a web hosting operation that allegedly supported cyberattacks, interference campaigns, and disinformation efforts. In a series of raids, authorities arrested two men and seized about 800 servers and related equipment. The operation centers on a hosting firm that reportedly provided resources to sanctioned entities connected to Russia and Belarus, raising questions about the flow of infrastructure used to conduct disruptive activities across Europe.

Key Players and Roles

Suspects: A 57-year-old company director and a 39-year-old individual who led a separate firm supplying internet connectivity were taken into custody.
Target organization: Stark Industries, a web hosting firm founded on February 10, 2022, shortly before Russia’s invasion of Ukraine.
Front operation: After the European Union sanctioned Stark Industries, its hosting infrastructure reportedly moved to a newly created Dutch company acting as a front for sanctioned entities.

Hosting Infrastructure and Front Company

Transition of assets: The sanctioned hosting activities were reportedly transferred to WorkTitans B.V., which operates under the THE.Hosting brand.
Front implications: Investigators believe the new Netherlands-based entity acted as a vehicle to continue serving sanctioned actors and their activities.
Connectivity partners: A Dutch hosting and infrastructure ecosystem involved other players that provided the transport for traffic entering Europe and linking to the WorkTitans infrastructure.

Raids, Evidence, and Locations

Raid locations: Data centers in Dronten and Schiphol-Rijk, with searches conducted in Enschede and Almere.
Seized items: About 800 servers, along with laptops, mobile devices, and administrative records.
Transport and routing: The operation highlighted the role of physical servers and colocation providers in enabling international cyber activity.

Associated Entities and Cross-Border Links

Mirhosting: Based in Almere, Mirhosting operated the physical servers, provided colocation, and supplied high-capacity connectivity to major internet exchanges in Amsterdam and Frankfurt, functioning as the transport layer through which Stark’s traffic entered Europe to reach the WorkTitans infrastructure.
NoName057(16) connection: Danish authorities and infrastructure providers linked WorkTitans to attacks by the pro-Russian hacktivist group NoName057(16), which has previously targeted critical organizations with disruptive actions.
Denial of involvement: Mirhosting denied knowingly supporting illegal operations and claimed it acted quickly to address abuse complaints when alerted.

Sanctions and Legal Context

EU sanctions: Stark Industries was added to the European Union sanctions list in May of the previous year, restricting its access to resources and markets.
Post-sanction restructuring: Following sanctions, the hosting framework reportedly shifted to a Dutch front company, enabling continued operations under a sanctioned umbrella.
Enforcement message: The Dutch authorities framed the operation as disrupting a network that undermined democracy and security through information manipulation and disruption of public and economic systems.

Timeline and Important Dates

February 10, 2022: Stark Industries founded, establishing the hosting operation tied to later sanctions.
May 20, 2025: EU formally sanctions Stark Industries, triggering subsequent asset transfers and restructuring.
May 22, 2026: Dutch authorities execute raids, arrest suspects, and seize the bulk of the hosting infrastructure connected to the case.

Operational Implications and Observations

Infrastructure as a vector: The case underscores how hosting facilities, colocation services, and connectivity providers can serve as critical nodes in transnational cyber operations, enabling offenders to stage attacks, spread disinformation, and disrupt services.
Front companies and sanctions circumvention: The sequence from sanctioned entity to front company highlights the ongoing challenges in ensuring that sanctions reliably cut off the resources and networks that support illicit activities.
International cooperation: The involvement of Danish infrastructure ties and Dutch enforcement illustrates the cross-border nature of cybercrime investigations and the need for coordinated responses.

What This Case Reveals

A pattern of using legitimate hosting and connectivity services to enable illicit activities across borders.
The risk that sanctioned entities can attempt to bypass restrictions through reorganizing ownership and branding under newly formed Dutch entities.
The importance of monitoring and auditing hosting ecosystems, including data centers and transport networks, to detect signs of abuse and prevent operational continuation by sanctioned networks.

Notes on Context and Connectivity

The investigation connects a Dutch hosting company and multiple support firms with a broader web of sanctioned actors and international groups aimed at disrupting democratic and economic stability.
The action involved physical raid operations and the seizure of substantial digital assets, illustrating the tangible scale of modern cybercrime infrastructure when law enforcement mobilizes resources across jurisdictions.

Potential Areas for Further Inquiry

How the front company structure functioned to sustain operations post-sanction.
The precise nature of the alleged connections to NoName057(16) and any operational overlaps with other known cyber campaigns.
The extent to which Mirhosting and other connectivity providers were aware of or involved in forwarding traffic on behalf of sanctioned actors, and what steps they took in response to abuse notices.

Impact on the Ecosystem

The seizure of 800 servers and related equipment represents a significant disruption to the hosting capacity previously aiding the sanctioned network.
The case highlights ongoing vulnerabilities in the hosting and connectivity supply chain that can be exploited by state-adjacent actors for cyber operations, influence campaigns, and disruption activities.

SummaryA Dutch law enforcement operation targeting a sanctioned hosting network led to the arrest of two individuals and the seizure of hundreds of servers and devices. The activities implicated a web hosting firm, Stark Industries, and a Dutch front entity operated by WorkTitans B.V., with ancillary ties to a pro-Russian hacktivist group and cross-border connectivity providers. The case emphasizes the role of hosting infrastructure in cyber operations, the challenges posed by sanctions evasion through corporate fronts, and the importance of international cooperation in pursuing illicit activity that spans multiple countries.

Netherlands Seizes 800 Servers Linked to Hosting Firm Behind Cyberattacks and Disinformation

Dutch authorities seized 800 servers and arrested two men tied to Stark Industries, a hosting firm accused of enabling cyberattacks, information manipulation, and disruption campaigns on behalf of sanctioned Russian and Belarusian entities. Investigators say Stark Industries operated through WorkTitans B.V. (THE.Hosting) with support from Mirhosting, providing hosting, colocation, and connectivity to route traffic for these operations. The EU had sanctioned Stark Industries on May 20, 2025. Raids targeted data centers in Dronten and Schiphol-Rijk, with searches in Enschede and Almere as part of the probe.

TechLogHub

May 22, 2026

0 views

Netherlands Seizes 800 Servers Linked to Hosting Firm Enabling Cyberattacks

Key Players and Roles

Suspects: A 57-year-old company director and a 39-year-old individual who led a separate firm supplying internet connectivity were taken into custody.
Target organization: Stark Industries, a web hosting firm founded on February 10, 2022, shortly before Russia’s invasion of Ukraine.
Front operation: After the European Union sanctioned Stark Industries, its hosting infrastructure reportedly moved to a newly created Dutch company acting as a front for sanctioned entities.

Hosting Infrastructure and Front Company

Transition of assets: The sanctioned hosting activities were reportedly transferred to WorkTitans B.V., which operates under the THE.Hosting brand.
Front implications: Investigators believe the new Netherlands-based entity acted as a vehicle to continue serving sanctioned actors and their activities.
Connectivity partners: A Dutch hosting and infrastructure ecosystem involved other players that provided the transport for traffic entering Europe and linking to the WorkTitans infrastructure.

Raids, Evidence, and Locations

Raid locations: Data centers in Dronten and Schiphol-Rijk, with searches conducted in Enschede and Almere.
Seized items: About 800 servers, along with laptops, mobile devices, and administrative records.
Transport and routing: The operation highlighted the role of physical servers and colocation providers in enabling international cyber activity.

Associated Entities and Cross-Border Links

Mirhosting: Based in Almere, Mirhosting operated the physical servers, provided colocation, and supplied high-capacity connectivity to major internet exchanges in Amsterdam and Frankfurt, functioning as the transport layer through which Stark’s traffic entered Europe to reach the WorkTitans infrastructure.
NoName057(16) connection: Danish authorities and infrastructure providers linked WorkTitans to attacks by the pro-Russian hacktivist group NoName057(16), which has previously targeted critical organizations with disruptive actions.
Denial of involvement: Mirhosting denied knowingly supporting illegal operations and claimed it acted quickly to address abuse complaints when alerted.

Sanctions and Legal Context

EU sanctions: Stark Industries was added to the European Union sanctions list in May of the previous year, restricting its access to resources and markets.
Post-sanction restructuring: Following sanctions, the hosting framework reportedly shifted to a Dutch front company, enabling continued operations under a sanctioned umbrella.
Enforcement message: The Dutch authorities framed the operation as disrupting a network that undermined democracy and security through information manipulation and disruption of public and economic systems.

Timeline and Important Dates

February 10, 2022: Stark Industries founded, establishing the hosting operation tied to later sanctions.
May 20, 2025: EU formally sanctions Stark Industries, triggering subsequent asset transfers and restructuring.
May 22, 2026: Dutch authorities execute raids, arrest suspects, and seize the bulk of the hosting infrastructure connected to the case.

Operational Implications and Observations

Infrastructure as a vector: The case underscores how hosting facilities, colocation services, and connectivity providers can serve as critical nodes in transnational cyber operations, enabling offenders to stage attacks, spread disinformation, and disrupt services.
Front companies and sanctions circumvention: The sequence from sanctioned entity to front company highlights the ongoing challenges in ensuring that sanctions reliably cut off the resources and networks that support illicit activities.
International cooperation: The involvement of Danish infrastructure ties and Dutch enforcement illustrates the cross-border nature of cybercrime investigations and the need for coordinated responses.

What This Case Reveals

A pattern of using legitimate hosting and connectivity services to enable illicit activities across borders.
The risk that sanctioned entities can attempt to bypass restrictions through reorganizing ownership and branding under newly formed Dutch entities.
The importance of monitoring and auditing hosting ecosystems, including data centers and transport networks, to detect signs of abuse and prevent operational continuation by sanctioned networks.

Notes on Context and Connectivity

The investigation connects a Dutch hosting company and multiple support firms with a broader web of sanctioned actors and international groups aimed at disrupting democratic and economic stability.
The action involved physical raid operations and the seizure of substantial digital assets, illustrating the tangible scale of modern cybercrime infrastructure when law enforcement mobilizes resources across jurisdictions.

Potential Areas for Further Inquiry

How the front company structure functioned to sustain operations post-sanction.
The precise nature of the alleged connections to NoName057(16) and any operational overlaps with other known cyber campaigns.
The extent to which Mirhosting and other connectivity providers were aware of or involved in forwarding traffic on behalf of sanctioned actors, and what steps they took in response to abuse notices.

Impact on the Ecosystem

The seizure of 800 servers and related equipment represents a significant disruption to the hosting capacity previously aiding the sanctioned network.
The case highlights ongoing vulnerabilities in the hosting and connectivity supply chain that can be exploited by state-adjacent actors for cyber operations, influence campaigns, and disruption activities.

Netherlands Seizes 800 Servers Linked to Hosting Firm Behind Cyberattacks and Disinformation

More from the Blog

Former US execs plead guilty to aiding tech support scammers

Apple blocked over $11 billion in App Store fraud in six years

Google Exposes Unfixed Chromium Flaw That Keeps JavaScript Running in the Background

Stay Updated

Netherlands Seizes 800 Servers Linked to Hosting Firm Behind Cyberattacks and Disinformation

More from the Blog

Former US execs plead guilty to aiding tech support scammers

Apple blocked over $11 billion in App Store fraud in six years

Google Exposes Unfixed Chromium Flaw That Keeps JavaScript Running in the Background

Stay Updated