Dutch police seize hundreds of servers in takedown of criminal hosting network

The police force in the Netherlands seized roughly 250 physical servers that powered a bulletproof hosting operation used exclusively by cybercriminals, dismantling an infrastructure that had supported illicit activity for years.

The action targeted a hosting service that operated since 2022 and appeared in more than 80 cybercrime investigations across multiple countries. The provider functioned as a haven for threat actors by offering complete anonymity, ignoring abuse complaints, refusing cooperation with law enforcement, and bypassing Know Your Customer requirements. Bulletproof hosting companies typically served ransomware groups, malware distributors, phishing operations, spammers, and money laundering services, often receiving payment in hard-to-trace cryptocurrency.

Investigators found that the service enabled ransomware attacks, botnet operations, phishing campaigns, and the distribution of child sexual abuse material. The police operation last week removed hundreds of physical servers and thousands of virtual servers advertised as fully anonymous.

During the coordinated action on November 12, officers seized the servers housed in data centers in The Hague and Zoetermeer, taking the broader network offline. Forensic specialists were preparing to analyze the confiscated systems to identify operators and users of the infrastructure. No arrests had been made at the time of the announcement.

The takedown unfolded as Dutch authorities contributed to the latest phase of Operation Endgame, an international effort that disrupted the Rhadamanthys, VenomRAT, and Elysium malware operations. Within that initiative, investigators conducted nine searches in data centers across the Netherlands and seized an additional 83 servers and 20 domain names. Although the two enforcement actions occurred during the same period, police said the investigations were unrelated.

Authorities did not disclose the name of the disrupted hosting provider. However, industry sources indicated that servers used by CrazyRDP—a service offering virtual private servers and remote desktop access with strict no-logs and no-KYC policies—went offline on November 12 after a seizure in a Hague data center. CrazyRDP had long appeared in threat-actor discussions as a favored bulletproof hosting option and had been cited in multiple cybersecurity analyses for its role in supporting malicious campaigns.

The official CrazyRDP Telegram channel deleted all posts last week and redirected users to a new channel discussing the sudden shutdown. Customers reported losing access to dozens of hosted servers and raised concerns about a potential exit scam after support staff first claimed technical issues and then stopped responding. Some users described receiving assurances that problems would be resolved, followed hours later by messages offering no timeline for restoration.

While investigators did not confirm whether CrazyRDP operated the network taken down by police, the service remained offline following the operation.