Authorities in the Netherlands have arrested two individuals accused of operating a bulletproof hosting service that provided critical infrastructure for Russian-backed cyberattacks, allowing threat actors to evade European Union sanctions and launch disruptive operations against EU member states. The arrests, conducted by the Dutch Fiscal Information and Investigation Service (FIOD), mark a significant step in the global fight against cybercrime and state-sponsored hacking groups.
According to an official announcement from the FIOD, the two suspects—a 57-year-old man from Amsterdam and a 39-year-old man from The Hague—were taken into custody on May 18, 2025. Investigators conducted simultaneous searches at three properties in Enschede and Almere, as well as at two data centers in Dronten and Schiphol-Rijk. During these operations, authorities seized laptops, mobile phones, and over 800 servers used to support the illicit hosting services.
Background on Bulletproof Hosting
Bulletproof hosting services are a critical enabler for cybercriminals and state-sponsored actors, providing server space and internet connectivity with minimal oversight. These providers deliberately ignore abuse complaints, fail to comply with takedown requests, and often conceal the identities of their clients. Such services facilitate a wide range of illegal activities, including hosting malware command-and-control servers, distributing ransomware, launching distributed denial-of-service (DDoS) attacks, and operating disinformation campaigns. The suspects in this case allegedly offered exactly such a service to Russian threat groups.
The two men are believed to have acted as administrative and technical operators for a Dutch company that served as a front for a sanctioned web hosting provider. This sanctioned entity, created just two weeks before Russia’s full-scale invasion of Ukraine in February 2022, had been used to conduct information manipulation, interference, and disruptive cyberattacks against EU members. After the European Union imposed sanctions on the entity in May 2025, its operators attempted to evade those restrictions by transferring most of its technical infrastructure to a new Dutch company controlled by the arrested suspects.
The Role of Sanctioned Entities
The EU sanctions, announced in May 2025, specifically targeted Stark Industries, a web hosting provider founded by Moldovan nationals Iurie and Ivan Neculiti. According to the European Council, Stark Industries had acted as “enablers of various Russian state-sponsored and affiliated actors to conduct destabilizing activities including information manipulation, interference, and cyberattacks against the Union and third countries.” The sanctions prohibited European citizens and entities from providing any services or resources to Stark Industries, effectively cutting off its access to European infrastructure.
To circumvent these restrictions, the Neculiti brothers restructured their operations. A detailed investigation by the Dutch newspaper de Volkskrant revealed that after the sanctions were imposed, the brothers moved part of their operations to a company called WorkTitans, based in Enschede and owned by the 57-year-old suspect, identified as Youssef Z. WorkTitans rented server space and resold it to clients, obscuring the true identity of customers and making abuse detection extremely difficult. Meanwhile, the 39-year-old suspect, identified as Andrey N., operated Mirhosting, a firm that ensured the servers remained functional and online.
Connection to Russian Threat Actors
Investigators found that Mirhosting had physical servers deployed at multiple data centers across the Netherlands. These servers were rented to Stark Industries, which in turn provided them to Russian hacktivist groups such as NoName057(16). This group is known for launching large-scale DDoS attacks against government, media, and financial institutions in EU countries, particularly those supporting Ukraine. The bulletproof nature of the hosting meant that even when abuse reports were filed, the servers remained operational, allowing sustained attacks over long periods.
The EU’s sanctions against Stark Industries cited evidence that the company had facilitated “information manipulation and interference campaigns” aimed at undermining democratic processes in EU member states. These campaigns included spreading disinformation about the war in Ukraine and amplifying pro-Russian narratives. The hosting infrastructure also supported cyber espionage operations conducted by Russian intelligence agencies, including the GRU and SVR, which have repeatedly targeted European energy grids, transportation networks, and government databases.
Details of the Arrests and Seizures
The FIOD’s operation was months in the making, relying on intelligence from both Dutch and international partners. The raids on May 18, 2025, were meticulously planned to ensure maximum impact. At the three residential and commercial properties in Enschede and Almere, investigators seized financial records, client lists, and communication devices. At the two data centers in Dronten and Schiphol-Rijk, they dismantled the server infrastructure, imaging hard drives and collecting network logs that will be critical for future prosecutions.
“The seizure of over 800 servers is one of the largest ever in a single European operation targeting bulletproof hosting,” said a spokesperson for the FIOD. “These servers were actively used to commit serious cybercrimes, including attacks on critical infrastructure and the dissemination of illegal content.” The suspects are currently being held for questioning, and further arrests are expected as the investigation expands to other individuals and entities involved in the scheme.
Implications for Cybercrime and Sanctions Enforcement
The arrests send a strong signal that the EU and its member states are serious about enforcing sanctions and dismantling the infrastructure that supports Russian cyber operations. Bulletproof hosting providers have long been a weak point in the global fight against cybercrime, as they operate in the shadows and often benefit from lax legal frameworks in certain jurisdictions. However, this case demonstrates that even well-hidden services can be uncovered through persistent investigative work and international cooperation.
European cybersecurity officials have praised the operation as a model for future efforts. “This case should serve as a warning to anyone who thinks they can provide sanctuary for cybercriminals,” said a senior official at the European Union Agency for Cybersecurity (ENISA). “We will continue to target the financial and technical enablers of these attacks, using all tools at our disposal, including sanctions, law enforcement actions, and public-private partnerships.”
Historical Context: Previous Bulletproof Hosting Takedowns
The Netherlands has been a hotspot for bulletproof hosting services due to its advanced internet infrastructure and historically permissive data protection laws. In 2019, Dutch police dismantled a similar service called “CyberBunker,” which had been used by criminals to host illegal marketplaces and child abuse material. More recently, in 2023, Europol coordinated the takedown of “LizardStresser,” a DDoS-for-hire service that relied on bulletproof hosting in the Netherlands. Each operation has demonstrated the need for sustained pressure on these providers.
The current case also highlights the evolving relationship between commercial hosting providers and state-sponsored groups. While earlier bulletproof services were often run by criminal entrepreneurs who profited from renting space to any client, the Stark Industries case shows a more sophisticated model: a front company specifically created to evade sanctions and support a single state actor. This blurring of lines between commercial cybercrime and state-sponsored operations poses new challenges for law enforcement.
Detailed Analysis of the Suspects’ Operations
According to the de Volkskrant investigation, Youssef Z. had been involved in the hosting business for over a decade. His company, WorkTitans, presented itself as a legitimate reseller of server space, targeting small businesses and startups. However, investigators found that a significant portion of its capacity was reserved for high-risk clients, including those associated with Stark Industries. The company used shell companies and anonymous payment methods to obscure the flow of funds.
Andrey N., the younger suspect, ran Mirhosting, which specialized in “bare-metal” server rentals. Mirhosting’s infrastructure was designed to be resilient to takedown attempts, with redundant connections and backup servers located in jurisdictions with weak enforcement. The company offered clients the ability to rapidly switch IP addresses and domains, making tracking difficult. In several instances, when one server was identified as malicious, traffic was rerouted to another within minutes.
The two suspects reportedly communicated using encrypted messaging apps and met in person only rarely to avoid surveillance. Despite these precautions, Dutch authorities were able to penetrate their network through a combination of financial intelligence, undercover operations, and cooperation from legitimate data centers that had unknowingly hosted their servers. The data centers in Dronten and Schiphol-Rijk, once informed of the situation, cooperated fully with the investigation, providing access logs and physical access to the servers.
The Russian Hacktivist Landscape
Groups like NoName057(16) have become increasingly prominent since the start of the war in Ukraine. They operate as part of a wider pro-Russian hacktivist ecosystem that also includes the likes of Killnet and Anonymous Sudan. These groups often claim to target countries that provide military or humanitarian aid to Ukraine. However, cybersecurity researchers have noted that many of these groups have direct ties to Russian intelligence agencies, which supply them with resources and guidance.
NoName057(16) specifically rose to prominence in 2022 by launching DDoS attacks against European railroads, airports, and government websites. The group uses a distributed botnet of compromised devices and rented servers—many of which were hosted on bulletproof infrastructure in the Netherlands—to amplify the scale of its attacks. The takedown of the hosting service is expected to significantly degrade the group’s capabilities, at least temporarily.
Response from the Cybersecurity Community
Cybersecurity experts have welcomed the arrests but caution that they represent only one piece of a larger puzzle. “Dismantling a single hosting provider is important, but there are many more waiting to take its place,” said a senior analyst at the Shadowserver Foundation, a nonprofit that monitors malicious internet activity. “The real challenge is to address the underlying economics of bulletproof hosting and to ensure that data centers and domain registrars comply with due diligence requirements.”
The EU has already taken steps in this direction, including the introduction of the Cyber Resilience Act and the expansion of sanctions powers to cover digital infrastructure providers. However, enforcement remains uneven, particularly when providers operate across multiple jurisdictions. The Dutch operation shows what can be achieved when domestic law enforcement agencies prioritize cybercrime and work closely with partners such as Europol, the FBI, and cybersecurity firms.
Techniques Used to Evade Sanctions
The suspects employed a variety of techniques to circumvent EU sanctions. After Stark Industries was added to the sanctions list, its operators quickly transferred domain registrations, IP address blocks, and customer accounts to WorkTitans. They also set up a network of nominee directors and shell companies in different countries, making it difficult for authorities to trace ownership. In some cases, servers were physically moved to data centers in non-EU countries to avoid detection.
Financial transactions were conducted through cryptocurrency exchanges and unregulated digital wallets, with payments being made in Bitcoin and Monero to preserve anonymity. The suspects also used multi-layered billing arrangements, where legitimate resellers invoiced end clients, obscuring the ultimate source of funds. These sophisticated methods prolonged the operation for months before investigators could piece together the full picture.
Broader Implications for National Security
The case underscores the critical role that infrastructure providers play in enabling state-sponsored cyber operations. As the war in Ukraine continues, European governments are increasingly focused on disrupting the supply chains that support Russian hacking groups. This includes not only hosting services but also domains, certificate authorities, and ransomware payment facilitators.
The arrests also come at a time of heightened geopolitical tensions, with NATO and the EU warning that Russian cyberattacks could escalate in response to Western military support for Ukraine. By targeting the enabling infrastructure, law enforcement agencies hope to raise the cost and risk for those who support these attacks. The FIOD has indicated that it will continue to investigate other companies that may be providing similar services, and it has called on the public and private sectors to report suspicious hosting activities.
In the aftermath of the arrests, several European cybersecurity agencies have urged businesses and organizations to review their supply chains and ensure they are not inadvertently using bulletproof hosting services. The European Commission has also announced plans to strengthen the regulatory framework for cloud and hosting providers, including mandatory reporting of abusive behavior and faster takedown procedures.
As the two suspects await further legal proceedings, their arrest serves as a reminder that even in the shadowy world of cybercrime, actions have consequences. The international community is now better equipped than ever to track down and prosecute those who enable malicious cyber operations, regardless of how well they hide behind layers of legal and technical obfuscation.
Source: SecurityWeek News