Skip to main content
Threat IntelligenceEmerging Threats

Netherlands Disrupts Russian Cyber Operations with Server Seizure

Law enforcement officers oversee rows of partially disassembled servers in a brightly-lit data center.
“The [Dutch] web hosting company, according to the research team, provided support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems,” FIOD says.

Dutch financial crime investigators (FIOD) say that declaration underpins a coordinated law-enforcement action that resulted in arrests and the seizure of hundreds of servers. The operation targeted a web hosting ecosystem investigators allege enabled cyberattacks, interference operations, and disinformation campaigns tied to sanctioned Russian and Belarusian entities.

Raids, arrests, and equipment seized

FIOD executed multiple raids across data centers and business locations, seizing 800 servers as well as laptops, phones, and administrative records. The searches took place in data centers in Dronten and Schiphol-Rijk, with additional searches in Enschede and Almere. Two men were arrested: a 57‑year‑old suspect identified by FIOD as the company director, and a 39‑year‑old who headed a separate firm that provided internet connectivity.

Stark Industries: founding date, sanctions, and an alleged transfer

Investigators focused on the web hosting firm Stark Industries, which was founded on February 10, 2022. The European Union added Stark Industries to its list of sanctioned entities on May 20 of last year. According to FIOD, after those EU restrictions were applied the web hosting infrastructure was transferred to a newly created Dutch company that investigators believe acted as a front for the sanctioned entities.

WorkTitans / THE.Hosting, Mirhosting, and alleged operational roles

Reporting from De Volkskrant identified the Dutch entity as WorkTitans B.V., which provides hosting services under the brand THE.Hosting. De Volkskrant also reports that Mirhosting, based in Almere, operated physical servers, provided colocation, and supplied high‑capacity connectivity to major internet exchanges in Amsterdam and Frankfurt—functioning as the transport layer through which Stark’s traffic entered Europe to reach the WorkTitans infrastructure.

WorkTitans did not respond to De Volkskrant’s requests for a statement. Mirhosting denied knowingly supporting illegal operations and said it quickly intervened upon receipt of abuse complaints.

Connections to known threat activity: NoName057(16) and DDoS

De Volkskrant alleges that Danish authorities and infrastructure providers linked WorkTitans to attacks by the pro‑Russian hacktivist group NoName057(16). That group, the reporting notes, has previously targeted key organizations with distributed denial‑of‑service (DDoS) attacks. FIOD’s statement frames the hosting company’s role more broadly, saying the firm supported actions that included information manipulation and disruption of public and economic systems.

What this means for technologists, policymakers, and infrastructure providers

  • Technologists and security teams: the seizures underscore how hosting, colocation, and high‑capacity connectivity can be combined to move malicious traffic at scale; engineers responsible for abuse handling will watch how providers identify and disrupt that transport layer.
  • Policymakers and regulators: the case highlights enforcement avenues tied to EU sanctions lists and the transfer of infrastructure into new corporate entities; regulators will likely follow the investigation’s findings about alleged front companies and resource flows to sanctioned actors.
  • Infrastructure and hosting providers: Mirhosting’s published response—that it intervened after abuse complaints—illustrates a familiar tension between preserving customer service and responding to alleged misuse; providers may re‑examine abuse reporting and rapid mitigation procedures in light of the action described by FIOD.

The Dutch operation placed 800 servers, multiple devices, administrative records, and two arrests at the center of an inquiry that ties commercial hosting services to sanctioned actors and alleged information operations. Investigators say an infrastructure transfer after EU sanctions and the use of intermediary firms are central to the case; Mirhosting’s denial of knowingly supporting illegal operations and WorkTitans’ silence leave open the question of how intent and corporate structure will be proved in court. FIOD’s statement and the seizures make clear authorities are treating hosting and connectivity provision as frontline elements in modern interference and disruption campaigns.

For the public record and further reading, see the original reporting at BleepingComputer.