Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands

May 28, 2026  Twila Rosenbaum

Authorities in the Netherlands have arrested the owners of two Dutch companies that allegedly provided bulletproof hosting services to Russian threat actors and evaded sanctions imposed by the European Union. The arrests, announced by the Dutch Fiscal Information and Investigation Service (FIOD), mark a significant step in disrupting the infrastructure that supports state-sponsored cyberattacks against European targets.

The suspects—a 57-year-old from Amsterdam and a 39-year-old from The Hague—were taken into custody on May 18 after a coordinated operation spanning multiple cities and data centers. FIOD agents conducted searches at three locations in Enschede and Almere, as well as at two data centers in Dronten and Schiphol-Rijk. During the raids, they seized laptops, mobile phones, and over 800 servers that were part of the illicit hosting network.

The Front Company and Sanctions Evasion

According to FIOD, the 57-year-old suspect is the owner and director of a Dutch company that acted as a front for a sanctioned web hosting provider. This sanctioned entity was created just two weeks before the Russian invasion of Ukraine in February 2022. Its purpose was to provide technical infrastructure for disinformation campaigns, election interference, and disruptive cyberattacks against European Union member states.

The EU imposed sanctions on this company in May 2025, prohibiting any European citizen or entity from doing business with it. However, the sanctioned entity quickly restructured its operations. Most of its technical infrastructure was transferred to the arrested suspect’s Dutch company, effectively continuing the illicit activities under a new legal veneer.

The 39-year-old suspect, according to FIOD, is the director and owner of a firm that ensured the servers of the front company remained functional and online. His role was crucial in maintaining the uninterrupted operation of the hosting service, allowing Russian hacker groups to continue their attacks without disruption.

Investigation Details and Naming of Suspects

FIOD’s announcement did not initially name the two suspects or their companies, but an eight-month investigation by the Dutch newspaper de Volkskrant revealed their identities. The suspects are Youssef Z. and Andrey N. According to de Volkskrant, these individuals provided services to Stark Industries, a web hosting provider founded by Moldovan nationals Iurie and Ivan Neculiti.

Stark Industries was placed on the EU sanctions list in May 2025. The EU stated that the company had been “acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilizing activities including information manipulation, interference, and cyber-attacks against the Union and third countries.”

The Bulletproof Hosting Infrastructure

Bulletproof hosting services are notorious in the cybersecurity world for their willingness to ignore or actively conceal illegal activities conducted by their clients. These services typically operate from jurisdictions with lax enforcement, use anonymous payment methods, and provide technical countermeasures to prevent law enforcement from shutting down malicious servers.

In this case, Andrey N. owns Mirhosting, a company that had physical servers deployed at various data centers across the Netherlands. These servers were rented to Stark Industries, which in turn provided critical infrastructure for Russian hacker groups such as NoName057(16). This group is known for launching distributed denial-of-service (DDoS) attacks against European targets, including government websites, financial institutions, and critical infrastructure providers.

The DDoS attacks orchestrated by NoName057(16) are often politically motivated, targeting countries that support Ukraine or impose sanctions on Russia. By using bulletproof hosting, the group could maintain a persistent presence online even after their previous servers were taken down.

How the Evasion Scheme Worked

After the EU’s May 2025 sanctions, the two Moldovan brothers restructured Stark Industries to circumvent restrictions. They moved part of their activities to Youssef Z.’s company, called WorkTitans, based in Enschede. WorkTitans rents server space and resells it to clients, often obscuring the real customers. This approach makes abuse detection extremely difficult, as the hosting services appear legitimate on the surface.

The restructuring allowed Stark Industries’ clients, including Russian threat actors, to continue using the same server infrastructure without interruption. FIOD noted that the suspects’ actions not only violated EU sanctions but also facilitated ongoing cyberattacks against European interests.

Wider Implications and Enforcement Challenges

This case highlights the evolving challenges law enforcement faces in combating cybercrime. Bulletproof hosting services have become a linchpin of the underground economy, enabling everything from ransomware campaigns to state-sponsored espionage. By arresting the administrators of such services, authorities aim to dismantle the infrastructure that makes large-scale cyberattacks possible.

The Netherlands has emerged as a hub for both legitimate and illicit hosting services. The country’s robust internet infrastructure and strong data protection laws make it attractive for companies seeking to operate in a stable legal environment. However, criminals have exploited these same advantages to set up bulletproof hosting operations that are difficult to prosecute.

European Union authorities have been actively targeting such services. In recent years, similar arrests have been made in Germany, France, and the United Kingdom. The goal is to create a hostile environment for cybercriminals by increasing the risks of operating within the EU’s jurisdiction.

Technical Details of the Hosting Network

During the raids, investigators seized over 800 servers, a massive haul that underscores the scale of the operation. These servers were used to host not only DDoS command-and-control infrastructure but also phishing sites, malware distribution networks, and proxy services that anonymized the activities of Russian hackers.

Forensic analysis of the seized hardware is ongoing. Authorities expect to uncover connections to multiple threat actors and possibly identify new targets of past attacks. The data could also provide intelligence on the inner workings of Russian cyber espionage operations.

International Cooperation and Future Steps

The arrests were the result of close cooperation between Dutch authorities, Europol, and other international partners. The European Union has made combating cybercrime a priority, especially in the context of Russia’s war against Ukraine. Sanctions against entities like Stark Industries are part of a broader effort to cut off resources to Russian state-sponsored hacking groups.

Both suspects remain in custody pending further investigation. They face charges related to violating EU sanctions, money laundering, and participating in a criminal organization. If convicted, they could face significant prison sentences and fines.

Background on Russian Cyber Threat Actors

Russian state-sponsored hacking groups have long relied on third-party infrastructure to conduct their operations. By using bulletproof hosting services, they can evade attribution and maintain operational continuity. Groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Sandworm have all been linked to similar hosting arrangements in the past.

NoName057(16), the group specifically mentioned in this case, has been active since 2022. It has claimed responsibility for numerous attacks against European targets, including the Polish government portal, Dutch financial websites, and the European Parliament’s online systems. The group often announces its attacks on Telegram channels, taking credit for disrupting public services.

EU Sanctions Regime and Cybercrime

The European Union has established a framework for imposing sanctions on individuals and entities that engage in cyberattacks. These sanctions can include asset freezes, travel bans, and prohibitions on providing economic resources to sanctioned parties. The case of Stark Industries demonstrates how entities try to restructure their operations to escape these measures.

The Netherlands has been proactive in implementing and enforcing these sanctions. The FIOD, which handles financial investigations, has developed specialized units to track illicit money flows connected to cybercrime. This case is one of the most significant enforcement actions since the sanctions were expanded in 2025.

Reactions from the Cybersecurity Community

Cybersecurity experts have welcomed the arrests, noting that they send a strong message to those who enable criminal activities. “Bulletproof hosting providers are the backbone of the cybercrime ecosystem,” said an analyst at a major threat intelligence firm. “Taking down their infrastructure disrupts multiple threat actors simultaneously.”

However, experts caution that new providers will likely emerge to fill the void. The battle against bulletproof hosting is a continuous cat-and-mouse game, requiring constant vigilance and international cooperation. The seized servers will provide valuable intelligence, but the underlying demand for such services remains high.

Broader Context of Dutch Cybercrime Enforcement

This arrest is part of a larger trend in the Netherlands, which has become a leader in cybercrime enforcement. The Dutch police have successfully taken down multiple dark web marketplaces, botnets, and ransomware operations in recent years. The country’s centralized Cybercrime Unit (Team High Tech Crime) is known for its technical sophistication and willingness to pursue complex cases.

The investigation into Youssef Z. and Andrey N. began in 2024 after intelligence from Europol and partner agencies pointed to suspicious hosting activities. Undercover operations and financial tracking eventually built the case leading to the arrests.

The Dutch legal system allows for extensive seizure of digital assets, which is critical in cases involving large-scale hosting infrastructure. The 800 servers will be analyzed for evidence, and authorities hope to trace cryptocurrency payments and other financial transactions linked to the scheme.

Impact on Russian Cyber Operations

While the immediate effect of these arrests is the shutdown of the specific hosting services, the impact on Russian cyber operations is likely to be temporary. Groups like NoName057(16) can quickly migrate to new providers, especially those located in jurisdictions with weak enforcement. However, the disruption forces them to rebuild infrastructure, which takes time and resources.

Moreover, the intelligence gained from the seized servers may help identify other enablers and infrastructure providers. Law enforcement agencies can use this information to pursue additional arrests and takedowns, gradually suffocating the support network for state-sponsored hacking.

The case also serves as a warning to other hosting companies that may be tempted to facilitate cybercrime. The risk of prosecution and asset seizure is real, especially in EU countries that prioritize tackling digital threats.

One of the key challenges in enforcing sanctions against cybercriminal enablers is the speed with which they can restructure. The Stark Industries case shows that within weeks of being sanctioned, the company had already transferred its core operations to a front company. This agility requires law enforcement to act quickly and decisively.

The FIOD has indicated that additional arrests are possible as the investigation continues. The two suspects currently in custody are not the only individuals involved; other parties who helped manage the infrastructure or launder money may still be at large.


Source: SecurityWeek News