Dutch authorities seize 800 servers in Russia-linked hosting investigation


Dutch authorities seized more than 800 servers and arrested two men in a sanctions investigation involving hosting infrastructure allegedly used to support Russian-linked cyberattacks, interference operations, and disinformation campaigns.

The Netherlands Fiscal Information and Investigation Service said in its official FIOD statement that officers arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague on May 18, 2026. Both are suspected of violating Dutch sanctions law by indirectly making economic resources available to entities sanctioned by the European Union.

The case focuses on a web hosting company founded on February 10, 2022, two weeks before Russia’s full-scale invasion of Ukraine. Investigators believe the company later supported destabilizing activity aimed at the EU, including information manipulation, cyberattacks, and disruption of public and economic systems.

Servers were seized in data centers and business premises

The enforcement action included searches at three business locations in Enschede and Almere, plus two data centers in Dronten and Schiphol-Rijk. Authorities seized administrative records, laptops, phones, and more than 800 servers.

Help Net Security reported that the Dutch investigation centers on alleged support for Russian activities that undermine democracy and security through cyberattacks, disinformation, and disruption of public and economic systems.

The Dutch Public Prosecution Service’s Functional Prosecution Office is leading the criminal investigation. The case remains active, and further findings could come after forensic analysis of the seized systems and records.

| Item | Details |
| --- | --- |
| Agency | Netherlands Fiscal Information and Investigation Service, or FIOD |
| Arrest date | May 18, 2026 |
| Suspects | A 57-year-old man from Amsterdam and a 39-year-old man from The Hague |
| Seized infrastructure | More than 800 servers, plus records, laptops, and phones |
| Search locations | Enschede, Almere, Dronten, and Schiphol-Rijk |
| Main allegation | Indirectly providing economic resources to EU-sanctioned entities |

Investigation points to alleged sanctions evasion

The hosting company at the center of the investigation was placed on the EU sanctions list on May 20, 2025. Around the same period, a large part of its technical infrastructure was allegedly moved to a newly created Dutch company.

FIOD investigators believe that new company acted as a front for sanctioned entities. The 57-year-old suspect allegedly served as its director and indirect sole shareholder.

A second Dutch company allegedly provided internet connectivity to the servers. Authorities identified the 39-year-old suspect as the director and sole shareholder of that company.

Stark Industries was named in EU sanctions

The European Union listed Stark Industries, its CEO Iurie Neculiti, and owner Ivan Neculiti in its May 2025 Russia hybrid threats sanctions. The Council of the EU announcement said Stark Industries acted as an enabler for Russian state-sponsored and affiliated actors involved in information manipulation, interference, and cyberattacks against the EU and third countries.

The official EUR-Lex sanctions listing identifies Stark Industries Solutions Ltd. as a web hosting service registered on February 10, 2022, with an address in London. It also says the company provides server hosting with server locations around the world.

Dutch authorities did not name the company in the FIOD release. However, BleepingComputer reported that the investigation focuses on Stark Industries and cited Dutch reporting that named WorkTitans B.V., operating under THE.Hosting, as the newly created Dutch entity.

| Entity or role | Reported significance |
| --- | --- |
| Stark Industries Solutions Ltd. | EU-sanctioned hosting provider named in hybrid threats sanctions |
| Iurie Neculiti | Named by the EU as CEO of Stark Industries |
| Ivan Neculiti | Named by the EU as owner of Stark Industries and PQ Hosting |
| New Dutch company | Alleged front company that received a large part of the sanctioned infrastructure |
| Connectivity provider | Allegedly helped keep the infrastructure connected to the internet |

Why the hosting infrastructure mattered

Hosting companies can provide the infrastructure behind websites, servers, proxy layers, malware delivery, command-and-control routing, disinformation assets, and DDoS operations. That makes abusive hosting providers valuable to both cybercriminal groups and state-linked influence operations.

FIOD said the investigated company was allegedly used to facilitate destabilizing activities aimed at the European Union. The FIOD release also said the company supported actions by the Russian Federation that undermine democracy and security.

The scale of the seizure suggests authorities were not targeting a small rogue server. More than 800 servers point to an infrastructure-level case involving hosting capacity, connectivity, and operational support.

EU sanctions prohibit economic support to listed entities

EU sanctions do not only freeze assets. They also prohibit EU individuals and companies from making funds or economic resources available to listed people or entities.

The Council of the EU said its May 2025 hybrid threats listings targeted 21 individuals and 6 entities, including actors involved in cyberattacks, information manipulation, interference, and other destabilizing activity against the EU and partner countries.

That context matters because the Dutch case centers on suspected sanctions circumvention, not only technical cybercrime. Prosecutors will need to show whether the suspects helped keep resources available to sanctioned parties through company transfers, hosting services, or connectivity support.

  • EU-listed entities can face asset freezes.
  • EU persons and companies cannot make funds or economic resources available to them.
  • Sanctions evasion can trigger criminal investigation in EU member states.
  • Front companies and infrastructure transfers can become evidence in sanctions cases.
  • Connectivity providers can face scrutiny if they allegedly enable sanctioned infrastructure.

BleepingComputer reported that Dutch publication De Volkskrant identified the new Dutch entity as WorkTitans B.V., which provides hosting services under the brand THE.Hosting. It also reported that Mirhosting supplied colocation and high-capacity connectivity that helped route traffic into Europe.

The same BleepingComputer report said Mirhosting denied knowingly supporting illegal operations and claimed it acted quickly after receiving abuse complaints. WorkTitans reportedly did not respond to De Volkskrant’s request for comment.

Those company-level details remain separate from the official FIOD statement, which focused on the arrests, searches, suspected sanctions violations, and the alleged transfer of infrastructure to a newly created Dutch company.

What investigators seized and why it matters

The seized servers may help investigators map customers, network flows, payment arrangements, logs, management records, and possible links to sanctioned entities. Laptops, phones, and administrative files may provide context about ownership, control, billing, and infrastructure transfers.

Help Net Security noted that authorities found the infrastructure had allegedly supported activities targeting the EU, while the connectivity company helped keep the servers online.

Forensic analysis could take time because infrastructure cases often involve many hosted systems, customer accounts, routing records, and cross-border legal requests.

| Seized item | Possible investigative value |
| --- | --- |
| Servers | Hosting records, logs, virtual machines, customer data, and traffic evidence |
| Administrative records | Ownership, billing, contracts, and infrastructure transfer details |
| Laptops | Internal communications, management tools, and operational files |
| Phones | Messaging records, contact networks, payment discussions, and coordination evidence |
| Data center records | Colocation, rack, routing, and connectivity information |

The case shows how cyber and sanctions enforcement now overlap

The seizure reflects a wider shift in cyber enforcement. Authorities are no longer focusing only on malware operators or direct intrusions. They are also targeting the infrastructure layers that help hostile actors stay online.

The EUR-Lex listing states that Stark Industries supported actions by the Russian government that threaten democracy, the rule of law, stability, and security in the EU and third countries. That language connects infrastructure services to broader hybrid operations, not only isolated hacking incidents.

For hosting providers, the message is clear. Abuse handling, sanctions screening, customer due diligence, and infrastructure transfer reviews now sit at the center of legal risk.

What hosting providers should learn from the seizure

Hosting and connectivity companies should review whether they serve customers, resellers, or related entities that appear on EU sanctions lists. They should also document abuse responses and investigate infrastructure transfers involving high-risk customers.

Providers should not treat sanctions compliance as a banking-only issue. Internet infrastructure can qualify as an economic resource if it helps a listed entity keep operating.

Companies that provide servers, colocation, connectivity, proxy services, or cloud infrastructure should build procedures for identifying sanctioned parties, screening beneficial ownership, and escalating suspicious requests.

  • Screen customers and beneficial owners against EU sanctions lists.
  • Review infrastructure transfers involving sanctioned or high-risk entities.
  • Preserve abuse records and response timelines.
  • Monitor for cyberattack, disinformation, and command-and-control abuse reports.
  • Escalate suspicious connectivity requests to legal and compliance teams.
  • Cooperate quickly with lawful requests from authorities.

The investigation remains ongoing

The two suspects have been arrested, but the case has not reached a final court judgment. The allegations will need to be tested through the Dutch judicial process.

Authorities may identify more individuals or entities as they examine the seized servers and records. The infrastructure may also reveal how sanctioned actors tried to maintain hosting capacity after the EU listing.

For now, the seizure marks a major disruption of Russia-linked hosting infrastructure in Europe and a clear warning that sanctions evasion through front companies can draw criminal enforcement.

FAQ

What did Dutch authorities seize in the hosting investigation?

FIOD seized more than 800 servers, along with administrative records, laptops, phones, and other equipment during searches at business premises and data centers in the Netherlands.

Why were two suspects arrested?

The suspects were arrested on suspicion of violating Dutch sanctions law by indirectly making economic resources available to entities sanctioned by the European Union.

Was the hosting company linked to Russia?

Investigators said the hosting company allegedly supported actions by the Russian Federation that undermine democracy and security, including information manipulation and disruption of public and economic systems.

What is Stark Industries Solutions Ltd.?

Stark Industries Solutions Ltd. is a web hosting service named in EU sanctions in May 2025. The EU said it enabled Russian state-sponsored and affiliated actors involved in destabilizing activity, including cyberattacks and information manipulation.

Does this case prove the suspects are guilty?

No. The arrests are based on suspicion, and the investigation remains ongoing. Any criminal liability will need to be determined through the Dutch judicial process.
