Authorities in the Netherlands have arrested the owners of two Dutch companies that allegedly provided bulletproof hosting services to Russian threat actors and evaded sanctions imposed by the European Union. The operation, conducted by the Dutch Fiscal Information and Investigation Service (FIOD), represents a significant step in disrupting the infrastructure that enables state-sponsored cyberattacks and disinformation campaigns targeting European nations.

According to an official announcement from the FIOD, the suspects—a 57-year-old man from Amsterdam and a 39-year-old man from The Hague—were taken into custody on May 18. The investigators carried out simultaneous searches at three locations in Enschede and Almere, as well as at two data centers in Dronten and Schiphol-Rijk. During these raids, law enforcement seized laptops, mobile phones, and over 800 servers that were used to facilitate malicious activities.

Details of the Arrests and Investigation

The FIOD revealed that the 57-year-old suspect is the owner and director of a Dutch company that acted as a front for a sanctioned web hosting provider. This sanctioned entity had been established just two weeks before the Russian invasion of Ukraine in February 2022, and it allegedly played a key role in enabling disinformation, election interference, and disruptive cyberattacks against members of the European Union. After the EU placed sanctions on the hosting provider in May 2025, the majority of its technical infrastructure was transferred to the arrested suspect's Dutch company, effectively continuing the prohibited activities under a new corporate veil.

The 39-year-old suspect, according to the FIOD, is the director and owner of a firm that ensured the servers of the front company remained operational and accessible online. This individual was responsible for maintaining the connectivity and uptime of the servers, which were rented by malicious actors to launch attacks and host propaganda content.

Links to Stark Industries and Russian Hacker Groups

Although the FIOD's announcement did not name the suspects or their companies, a detailed eight-month investigation by the Dutch newspaper de Volkskrant identified the two individuals as Youssef Z. and Andrey N. The investigation linked them to Stark Industries, a web hosting provider founded by Moldovan nationals Iurie and Ivan Neculiti. The EU sanctioned Stark Industries in 2024, stating that the company had been acting as an enabler for various Russian state-sponsored and affiliated actors conducting destabilizing activities, including information manipulation, interference, and cyberattacks against the Union and third countries.

According to de Volkskrant's findings, Andrey N. owns a company called Mirhosting, which maintained physical servers at multiple data centers across the Netherlands. These servers were rented to Stark Industries, which in turn provided infrastructure to Russian hacker groups such as NoName057(16). This group is known for launching distributed denial-of-service (DDoS) attacks against European targets, including government websites, financial institutions, and media outlets. The use of bulletproof hosting allowed these actors to operate with impunity, as the hosting provider would ignore abuse complaints and avoid taking down malicious content.

Evasion of EU Sanctions

When the EU imposed sanctions on Stark Industries in May 2025, European citizens and entities were prohibited from providing any support to the company. To circumvent these restrictions, the two Moldovan brothers restructured their operations and moved part of the activities to a new company owned by Youssef Z. This company, called WorkTitans and based in Enschede, rents server space and resells it to clients, effectively obscuring the real end-users and making abuse detection and attribution difficult for law enforcement. WorkTitans acted as a shell, allowing the sanctioned services to persist under a different name.

The case highlights the sophisticated methods used by cybercriminals and state-sponsored hackers to evade international sanctions. By using front companies, offshore registrations, and multiple layers of hosting providers, threat actors can continue their activities even after being officially blacklisted. The Dutch authorities' seizure of over 800 servers is one of the largest takedowns of bulletproof hosting infrastructure in recent years.

Broader Context of Bulletproof Hosting and Cybercrime

Bulletproof hosting refers to web hosting services that deliberately ignore abuse complaints and take minimal action against customers engaged in illegal activities, such as hosting malware command-and-control servers, phishing sites, or conducting DDoS attacks. These services are often located in jurisdictions with lax enforcement or use complex corporate structures to shield the true operators. The Netherlands, with its extensive data center infrastructure and high-bandwidth connectivity, has become a hub for such operations, though authorities are increasingly cracking down.

This arrest follows several other high-profile actions against cybercrime facilitators. In recent months, law enforcement agencies worldwide have disrupted services like the Kimwolf botnet, the First VPN cybercrime service, and the Crimenetwork marketplace. These operations demonstrate a growing international cooperation to dismantle the infrastructure that supports ransomware groups, state-sponsored hackers, and other malicious actors.

The use of bulletproof hosting by Russian state-sponsored groups is particularly concerning. Groups like NoName057(16), which is believed to have ties to Russian military intelligence, have been responsible for numerous DDoS attacks against critical infrastructure in Ukraine and NATO countries. By targeting power grids, transportation systems, and communication networks, these attacks aim to destabilize societies and undermine public trust in digital services.

Impact on EU Security

The EU has made combating cyber threats a top priority, and sanctions against enablers like Stark Industries are part of a broader strategy to disrupt the ecosystem that allows cyberattacks to flourish. The arrest of the two Dutch suspects sends a clear message that providing cover for sanctioned entities will not be tolerated. However, experts warn that as long as there is demand for bulletproof hosting, new providers will emerge. The fight against such services requires continuous monitoring, legal reforms, and international collaboration.

The FIOD has indicated that the investigation is ongoing and that additional arrests or seizures may follow. The suspects are expected to appear in court in the coming weeks to face charges related to sanctions evasion, money laundering, and facilitation of cybercrime. The case also underscores the importance of investigative journalism in uncovering the hidden networks that support cybercriminal activities.

As the digital landscape evolves, the line between legitimate hosting services and criminal enterprises can become blurred. The Dutch authorities' actions demonstrate that even sophisticated layering of corporate entities and data centers can be unraveled through persistent investigation and cross-border cooperation. The seizure of over 800 servers not only disrupts current operations but also provides valuable intelligence for future operations against other hostile actors.

Source: SecurityWeek News