Netherlands Seizes 800 Russian DDoS Servers, Arrests Two

Dutch financial crime investigators have dismantled one of the most significant pro-Russian DDoS hosting networks operating inside the European Union, seizing 800 servers and arresting two Dutch nationals linked to a hosting company that helped Russia undermine European democracy. The operation by the Fiscal Intelligence and Investigation Service (FIOD), carried out on May 22, 2026, targeted WorkTitans B.V. and its brand THE.Hosting - a front company created specifically to circumvent European Union sanctions against the notorious Stark Industries Solutions hosting infrastructure. The Netherlands DDoS servers Russia connection had been on investigators' radar for months.

Stark Industries: Sanctioned, Then Reborn as THE.Hosting

Stark Industries Solutions was established on February 10, 2022 - days before Russia's full-scale invasion of Ukraine - and rapidly became one of the most documented enablers of Russian-aligned cyberattacks in Europe. Its servers hosted DDoS attack infrastructure, disinformation campaigns, and interference operations targeting NATO member states, Ukrainian institutions, and EU government portals.

The European Union formally sanctioned Stark Industries on May 20, 2025, adding it to the list of entities banned from receiving economic resources from EU-based businesses. Within weeks, the infrastructure was quietly migrated to a new Dutch-registered entity: WorkTitans B.V., operating under the commercial brand THE.Hosting. Investigators allege that WorkTitans was created precisely to circumvent the sanctions - allowing the same servers and attack capabilities to continue operating under a clean legal identity.

FIOD arrested two Dutch nationals in connection with the scheme: a 57-year-old who directed WorkTitans B.V., and a 39-year-old who headed a separate company that provided internet connectivity to the hosting infrastructure. Investigators raided two data centers in Dronten and Schiphol-Rijk, and conducted additional searches in Enschede and Almere. In total, 800 servers, along with laptops, mobile phones, and administrative records, were seized.

NoName057(16): The DDoS Group WorkTitans Served

Danish authorities and infrastructure providers were among the first to link WorkTitans directly to NoName057(16) - the pro-Russian hacktivist collective that has conducted hundreds of politically motivated DDoS attacks across Europe since 2022. The group openly coordinates via Telegram, celebrates successful takedowns of government websites, and targets NATO-aligned countries as part of its stated ideological mission in support of the Kremlin.

• Targets: Government portals, financial institutions, transportation systems, and media outlets across Poland, Germany, France, Italy, the Baltic states, Ukraine, and dozens of other countries.
• Method: High-volume DDoS floods designed to knock targets offline temporarily for political impact.
• Infrastructure need: Bulletproof hosting that resists takedown requests and legal pressure - exactly what Stark Industries and later THE.Hosting provided.
• Coordination: Telegram channels where attack results are posted and shared publicly as propaganda.

The infrastructure seized in the raids was not only used for DDoS attacks. Investigators also linked it to Russian information operations - campaigns designed to spread disinformation and undermine public confidence in democratic institutions across EU member states. Prosecutors described the operation as directly helping Russia interfere with European democracy.

Sanctions Evasion as a Criminal Charge

The legal framing of this case goes beyond traditional cybercrime prosecution. Both suspects face charges of violating EU sanctions by indirectly providing economic resources to Russian and Belarusian entities that appear on the EU's restricted list. This argument - that a Dutch hosting company can face criminal liability for enabling sanctioned entities to continue operations under a new shell - sets a direct precedent for future prosecutions across the EU.

The progression from Stark Industries to WorkTitans B.V. illustrates a pattern that EU law enforcement is now actively targeting: sanctioned cyber-actors creating new legal shells in EU member states to continue operations. The FIOD investigation shows that this evasion strategy does not provide legal cover - it adds sanctions violations to the existing criminal exposure.

Scale of the Seizure: Four Locations, 800 Servers

The coordination across four simultaneous locations was deliberate. Bulletproof hosting operations routinely maintain redundant infrastructure across multiple data centers, allowing operators to shift traffic if one node is taken offline. By hitting Dronten, Schiphol-Rijk, Enschede, and Almere simultaneously, FIOD prevented any traffic migration or data destruction before investigators arrived.

The 800 seized servers represent hardware that was actively routing DDoS traffic and hosting attack control panels at the time of the raid. Combined with administrative records and communications data from the seized phones and laptops, investigators now have a detailed map of the infrastructure - its clients, configurations, and connections to other sanctioned actors.

What This Means for Privacy Infrastructure

The takedown of THE.Hosting illustrates the stakes when anonymizing and bulletproof hosting infrastructure is captured by state-aligned threat actors. Legitimate privacy tools - including VPN services, anonymous hosting, and encrypted communications - serve a critical function for journalists, activists, and businesses operating in high-risk environments. But when that same type of infrastructure is repurposed for sanctioned attack campaigns and state-sponsored disinformation, law enforcement action follows. The only sustainable path for legitimate privacy services is full legal transparency, clear jurisdiction, and verified compliance with applicable EU law.