What happens when a company hit by European Union sanctions simply changes its name, shifts assets, and keeps doing business? New reporting shows that a hosting provider long tied to Kremlin-linked cyber operations appears to have sidestepped EU measures by rebranding and moving resources into sister companies controlled by the same operators. The case underscores how resilient and evasive bulletproof hosting can be, and why sanctions alone often fall short.
Bulletproof hosting as an enabler of malicious activity
In May 2025 the European Union announced targeted financial sanctions against the owners of Stark Industries Solutions Ltd., a hosting provider that investigators say was created just before Russia’s full-scale invasion of Ukraine and rapidly became a major conduit for Kremlin-linked cyberattacks and disinformation campaigns. Stark’s offering — a model commonly called bulletproof hosting — is designed to tolerate or obscure client activity that mainstream providers would reject: distributing malware, hosting phishing pages, amplifying false narratives, and sheltering command-and-control infrastructure.
KrebsOnSecurity and other analysts tracked Stark’s networks before the sanctions and then followed what happened after. The result was sobering: instead of dismantling operations, Stark’s operators shifted domains, customer relationships and infrastructure into other corporate entities that are effectively controlled by the same people. Familiar IP ranges and services resurfaced under new corporate names, and clients who relied on Stark’s protections continued to find the support they needed.
Why this matters is simple but significant. Bulletproof hosting provides the operational continuity that lets nation-state proxies and criminal groups sustain campaigns despite public exposure and takedown attempts. When operators can reconstitute infrastructure through new shells or alternate registrars, the intended punitive and deterrent effect of sanctions is weakened.
Enforcement gaps and the limits of legal designations
The Stark episode highlights a recurring enforcement problem: legal designation of an entity is necessary but not sufficient. Corporate registries, banking relationships and other formal records can be altered or replaced. The decentralized, transnational nature of internet infrastructure gives bad actors room to migrate services across jurisdictions or hide behind intermediaries that may be slow or unwilling to act.
Sanctions are a useful nonkinetic tool intended to raise the cost of illicit behavior, but their effectiveness depends on coordinated, complementary measures. These include rapid action from domain registrars, hosting operators, ISPs, payment processors, and international partners—actors that often operate under different incentives, legal frameworks and resource constraints. Without synchronized follow-through, the result is a cycle of naming, short-term disruption, and quick reappearance.
Technical and market remedies
Technologists watching the case point to technical and market-based mitigations in addition to legal measures. Hardening takedown mechanisms and improving signal-sharing between providers and abuse desks can raise friction for wrongdoers. Expanding use of cryptographic attestations for domain ownership can make it harder to impersonate legitimate operators or to hide beneficial ownership of infrastructure. Automated monitoring of infrastructure indicators of compromise (IoCs) and more aggressive blocking at the registrar, CDN, and upstream transit levels can identify and contain malicious systems earlier.
One independent cybersecurity consultant noted that increasing transparency and speed of response among registrars and hosting firms is crucial. Several registrars and hosting providers tightened their policies after the invasion of Ukraine, and those shifts helped limit certain types of abuse. But equally important is ensuring that these policies are enforced consistently and paired with legal mechanisms that enable cross-border takedowns when appropriate.
Policy trade-offs and civil liberties concerns
Policymakers face thorny choices. Some advocate for broader authorities: mandatory transparency rules for domain registrars and hosting firms, economic penalties for intermediaries that knowingly serve sanctioned clients, and expedited processes for cross-border takedowns. Civil liberties advocates counter that heavy-handed rules risk chilling legitimate speech and creating overbroad takedown power without sufficient due process. The challenge is crafting narrowly tailored rules that pierce illicit shells without undermining legitimate enterprise or free expression online.
Practical consequences for defenders and users
For corporations, governments and security teams, the persistence of hostile infrastructure means ongoing investment in incident response, threat intelligence, and defensive controls. For ordinary internet users, continued availability of bulletproof hosting increases exposure to fraud, misinformation and other societal harms. Adversaries evidently understand this calculus: if operators can reconstitute services under alternate corporate identities with relative ease, the expected cost of being designated diminishes, blunting sanctions as a deterrent.
Signs of progress and path forward
There are constructive signs. Industry groups have been working to strengthen best practices for handling abuse, and law-enforcement cooperation has succeeded in shutting down other pieces of infrastructure historically used by state-aligned actors. Yet the Stark episode shows that piecemeal gains can be undone by rapid reorganization and jurisdictional arbitrage.
The bottom line is stark: naming and sanctioning a company will not alone dismantle an ecosystem built to be evasive. What’s required is a layered strategy that combines rapid technical disruption, tighter industry standards for transparency and abuse response, real-time international cooperation on financial and registrar enforcement, and legal tools calibrated to pierce shell companies where there is clear evidence of wrongdoing. Only by designing policies and technical defenses that anticipate rebranding, asset transfers and other evasive maneuvers can lawmakers and technologists meaningfully raise the operational cost of malign cyber activity.
If the objective is to make operations supported by bulletproof hosting too costly and risky to sustain, decision‑makers must align legal authorities, industry incentives and technical capabilities. Otherwise the same networks will simply reappear under different names, and governments, businesses and citizens will keep paying the price.




