Deutsch
English
Español
Français
Nederlands
Português
Dutch Authorities Seize 800 Servers in Major Sanctions Bust
The Dutch Fiscal Information and Investigation Service (FIOD) arrested two men on May 18, 2026, on suspicion of facilitating Russian cyberattacks against the European Union and violating EU sanctions. A 57-year-old suspect from Amsterdam and a 39-year-old suspect from The Hague are accused of providing technical infrastructure for destabilizing activities including cyberattacks, political interference, and disinformation campaigns targeting EU member states.
During coordinated raids across Enschede, Almere, Dronten, and Schiphol-Rijk, investigators seized over 800 servers, laptops, phones, and administrative records from three business premises and two data centers. The operation marks one of the largest enforcement actions against sanctions evasion in the Netherlands to date.
Web Hosting Company at the Center of the Investigation
The investigation focuses on Stark Industries, a web hosting company founded on February 10, 2022 — just two weeks before Russia's full-scale invasion of Ukraine. The EU placed Stark Industries on its sanctions list in May 2025 for facilitating pro-Russian cyber operations, including attacks on Danish municipal elections and other critical infrastructure across Europe.
According to the FIOD, shortly after the EU sanctions were imposed, Stark Industries transferred a significant portion of its technical infrastructure to a newly established Dutch company, WorkTitans B.V., which investigators believe acted as a front company. The 57-year-old suspect from Amsterdam served as the director of this Dutch entity.
How the Sanctions Evasion Scheme Operated
The second suspect, a 39-year-old from The Hague, is the director and sole shareholder of MIRhosting, a Netherlands-based company that allegedly provided internet connectivity to keep the sanctioned servers operational. This setup allowed Stark Industries to continue its destabilizing activities despite EU sanctions.
Cybersecurity researchers at GreyNoise and Recorded Future have documented how Stark Industries anticipated the EU sanctions. Leaked documents obtained by the company 12 days before the sanctions were announced allowed the Neculiti brothers — Moldovan nationals who owned Stark Industries — to methodically restructure their operations. They transferred their autonomous system (AS44477) to a new RIPE organization, migrated Russian-facing infrastructure to Moscow-based UFO Hosting LLC, and rebranded as 'THE.Hosting' under WorkTitans B.V.
The evasion of EU cyber sanctions was seamless: the network infrastructure remained virtually unchanged despite the corporate restructuring, with identical threat tags, shared VPN services, and overlapping technical fingerprints proving operational continuity.
Links to Pro-Russian Hacktivist Groups
Danish authorities have linked WorkTitans to distributed denial-of-service (DDoS) attacks carried out by the pro-Russian hacktivist group NoName057(16). During Denmark's local and regional elections, the group targeted the websites of multiple Danish political parties, including the Conservatives and the Red-Green Alliance, as well as public broadcaster DR. The Danish Defence Intelligence Service (FE) formally attributed these attacks to Russian state-linked actors.
The rise of pro-Russian hacktivist attacks has become a growing concern for European security agencies, with groups like NoName057(16) and Z-Pentest conducting increasingly sophisticated operations against critical infrastructure, water utilities, and democratic processes.
Broader Implications for EU Cybersecurity
The arrests highlight the challenges European authorities face in enforcing sanctions against cybercriminal infrastructure. Despite the EU's cyber sanctions regime — established in 2019 to deter and respond to cyberattacks threatening member states — bulletproof hosting providers continue to find ways to operate within European jurisdictions.
Experts emphasize that organizations must scrutinize third-party service providers and adopt zero-trust security frameworks to mitigate the risk of their infrastructure being used for malicious purposes. The Dutch approach to cyber sanctions enforcement may serve as a model for other EU member states seeking to crack down on sanctions evasion.
Both suspects were released from custody but remain under investigation. The FIOD has stated that the case is ongoing and further arrests are possible.
FAQ
What did the two Dutch suspects do?
They are accused of providing web hosting infrastructure and internet connectivity to a Russian-linked company that conducted cyberattacks, disinformation campaigns, and political interference against EU targets.
How many servers were seized?
Over 800 servers were seized from data centers in Dronten and Schiphol-Rijk, along with laptops, phones, and administrative records.
What is Stark Industries?
Stark Industries is a bulletproof web hosting company founded in February 2022, just before Russia's invasion of Ukraine. It was sanctioned by the EU in May 2025 for facilitating pro-Russian cyber operations.
Were the suspects involved in the Danish election attacks?
Danish authorities have linked the front company WorkTitans to DDoS attacks by pro-Russian group NoName057(16) targeting Danish political party websites during local elections.
What are the penalties for violating EU sanctions?
Violating EU sanctions can result in asset freezes, travel bans, and criminal prosecution, including prison sentences of up to six years under Dutch law.
Follow Discussion