Dutch authorities seize 800 servers in crackdown on hosting firm linked to cyberattacks

Dutch financial crime investigators arrested two men and seized more than 800 servers during a major operation targeting a hosting infrastructure allegedly connected to cyberattacks, interference campaigns, and pro-Russian disinformation activity across Europe.

The Dutch Fiscal Information and Investigation Service, known as FIOD, said the investigation centers on a web hosting company established on Feb. 10, 2022, just weeks before Russia launched its full-scale invasion of Ukraine. Authorities believe the company functioned as a front for Stark Industries, a hosting provider later sanctioned by the European Union for facilitating Russian cyber operations.

Investigators conducted raids at business locations in Enschede and Almere, along with data centers in Dronten and Schiphol-Rijk. Authorities seized servers, laptops, phones, and administrative records during the operation.

FIOD arrested a 57-year-old man identified as the director of the hosting company and a 39-year-old man linked to a separate firm that allegedly provided internet connectivity services for the infrastructure. Investigators said both suspects indirectly supplied economic resources to Russian and Belarusian entities subject to EU sanctions.

The investigation found that after the EU imposed sanctions on Stark Industries in May 2025, a significant portion of the hosting infrastructure was transferred to a Dutch company allegedly controlled by one of the suspects. Authorities believe another Dutch company helped maintain internet access for the servers after the sanctions took effect.

Dutch publication De Volkskrant identified the company as WorkTitans B.V., which operated hosting services under the brand THE.Hosting. The report stated that Danish authorities and internet infrastructure providers linked WorkTitans to cyberattacks conducted by the pro-Russian hacktivist group NoName057(16), known for distributed denial-of-service attacks targeting European institutions and government systems.

Investigators and cybersecurity analysts said Stark Industries infrastructure carried substantial volumes of pro-Russian cyberattack traffic and acted as a proxy network designed to obscure the origin of attacks. Mirhosting, a separate company based in Almere, allegedly provided colocation services and network connectivity routing traffic into European internet exchanges in Amsterdam and Frankfurt.

FIOD said the hosting operation supported activities that undermined European democracy and security through cyber interference, information manipulation, and disruptions targeting public and economic systems.

Stark Industries was founded by Moldovan national Ivan Neculiti, who is from the breakaway region of Transnistria. His brother, Iurie Neculiti, also played a leadership role in the company. Previous investigations and intelligence assessments alleged links between the brothers and Russian intelligence services, allegations they have denied while calling the accusations defamatory.

Investigators also found that nine days after EU sanctions were imposed, one of the Neculiti brothers’ companies, PQ Hosting, changed its name to THE.Hosting, matching the branding later used by WorkTitans in the Netherlands. Researchers additionally traced IP addresses allegedly used in attacks by NoName057(16) from Stark Industries infrastructure to WorkTitans systems.