Dutch investigators dismantled infrastructure tied to cyberattacks, disinformation campaigns, and pro-Russian operations after seizing hundreds of servers and arresting two suspects.
Dutch Authorities Target Cybercrime-Linked Hosting Infrastructure
Financial crime investigators in the Netherlands have seized 800 servers connected to a hosting infrastructure allegedly used to support cyberattacks, disinformation campaigns, and destabilization operations across Europe.
The operation was led by the Dutch Fiscal Information and Investigation Service (FIOD). Authorities arrested two suspects during the investigation. One suspect reportedly directed the hosting company, while the second managed a separate connectivity provider linked to the infrastructure.
Investigators believe the companies indirectly supplied economic resources and technical services to Russian and Belarusian entities sanctioned by the European Union.
Investigation Focuses on Stark Industries
The investigation centers around Stark Industries, a hosting provider founded shortly before Russia launched its invasion of Ukraine in 2022.
According to investigators, the company supported activities that threatened democratic institutions and public security. Authorities claim the infrastructure enabled operations involving information manipulation, disruption campaigns, and cyberattacks targeting European organizations.
The European Union sanctioned Stark Industries in May 2025. However, investigators believe the infrastructure later moved to another Dutch company that acted as a front organization to continue operations.
Authorities Seize Hundreds of Servers
FIOD conducted raids across multiple locations, including data centers in Dronten and Schiphol-Rijk. Investigators also searched properties in Enschede and Almere.
During the operation, authorities confiscated 800 servers along with laptops, mobile phones, and administrative records linked to the suspected network.
Reports indicate that the infrastructure operated under the hosting brand THE.Hosting through a Dutch company identified as WorkTitans B.V.
Infrastructure Allegedly Linked to DDoS Campaigns
Investigators and infrastructure providers reportedly connected the hosting environment to cyber operations conducted by the pro-Russian hacktivist group NoName057(16).
The group has previously launched distributed denial-of-service (DDoS) attacks against government institutions, transportation networks, and public services across Europe.
Meanwhile, another company named Mirhosting allegedly supplied colocation services and high-capacity internet connectivity. Authorities believe this infrastructure acted as a transport layer that routed traffic into Europe through Amsterdam and Frankfurt internet exchanges.
Mirhosting denied knowingly supporting illegal activity. The company stated that it responded quickly whenever abuse complaints appeared.
Hosting Providers Face Increasing Scrutiny
The case highlights the growing role of hosting infrastructure in modern cyber operations. Threat actors increasingly rely on resilient hosting networks to distribute malware, launch DDoS attacks, conduct phishing campaigns, and spread disinformation.
Law enforcement agencies across Europe have intensified efforts to disrupt these enabling services instead of focusing only on individual attackers. By targeting infrastructure providers, authorities aim to reduce operational capabilities for threat groups and state-aligned actors.
The incident also demonstrates how sanctioned organizations may attempt to bypass restrictions using front companies and layered infrastructure models.
For cybersecurity teams, the case reinforces the importance of monitoring traffic sources, reviewing hosting dependencies, and strengthening supply chain visibility. Organizations should also track threat intelligence related to hosting providers frequently associated with malicious campaigns.