Netherlands Dismantles Bulletproof Hosting Network Behind Cyberattacks and Disinformation Campaign
- May 25
- 3 min read
Key Findings
Dutch authorities arrested two suspects and dismantled a bulletproof hosting network operating approximately 800 servers linked to cyberattacks, disinformation, and sanctions evasion
The operation, led by the FIOD financial crime agency, involved coordinated raids across multiple European countries targeting infrastructure used by sanctioned Russian and Belarusian entities
The hosting service, operating under the name Stark Industries and later rebranded as THE.Hosting and WorkTitans, was established just before Russia's 2022 invasion of Ukraine
Evidence indicates the infrastructure supported Russian-linked cyberattack groups including NoName057(16) and hosted disinformation campaigns targeting multiple countries
Additional arrests and infrastructure seizures are expected as forensic analysis of seized systems continues
Background
The investigation centers on a web hosting company established on February 10, 2022, just two weeks before Russia invaded Ukraine. Dutch authorities describe it as a "bulletproof hosting" service, a term for providers that ignore abuse complaints and allow criminal activity to continue operating online. These services are particularly attractive to ransomware groups, phishing operations, malware distributors, and disinformation campaigns seeking anonymity and protection from law enforcement takedown requests.
The company was founded by Moldovan Ivan Neculiti from Transnistria, with his brother Iurie involved as director. Intelligence reports and investigations by organizations like Correctiv have alleged links between the brothers and Russian intelligence services, though both deny the claims and call them defamation.
Sanctions Evasion Network
After the EU sanctioned Stark Industries in May 2025, the operators reportedly relocated much of the infrastructure to two Dutch-based companies controlled by the arrested suspects. One company, identified as WorkTitans B.V. in Enschede, is owned by a 57-year-old organizational consultant. A second firm in Almere, reportedly owned by a concert pianist, allegedly helped keep the servers connected to the internet.
The operation effectively created a sanctions circumvention scheme. Nine days after EU sanctions were imposed, one of Neculiti's companies, PQ Hosting, officially changed its name to THE.Hosting, using the same name under which WorkTitans was operating its hosting activities.
Cyberattack and Disinformation Infrastructure
Analysts have determined that Stark's infrastructure carried large volumes of pro-Russian cyberattack traffic, functioning as a proxy network that obscured the origins of attacks originating from Russian groups. The network was particularly associated with NoName057(16), a Russian hacking group, with evidence showing specific IP addresses used by the group for attacks on European targets were transferred from Stark to WorkTitans.
Dutch investigators linked the hosting service to cyberattacks targeting organizations across multiple countries, along with coordinated disinformation campaigns aimed at undermining the European Union. Authorities said the infrastructure provided support for what they described as destabilizing activities including interference operations and the dissemination of false information.
The Investigation and Raids
The FIOD, working with financial crime investigators, intelligence services, and police units from several European countries, launched coordinated raids at three business premises in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. The operation resulted in the seizure of more than 800 servers, along with administrative records, laptops, and phones.
Investigators focused on whether the operators knowingly facilitated criminal activity and sanctions violations while continuing to do business with restricted parties. The technical infrastructure was dismantled, with several domains and IP addresses linked to the operation taken offline.
Ongoing Investigation
Authorities have not yet disclosed the full identities of the suspects, and the investigation remains active. Officials indicated that additional arrests and infrastructure seizures are possible as forensic analysis of the seized systems continues. Investigators are analyzing evidence to determine the full scope of customers using the service and the range of activities facilitated by the network.
The operation represents a significant escalation in European enforcement against bulletproof hosting providers and intermediary services enabling Russian cyber operations. However, cybersecurity researchers have long warned that even when such networks are identified and dismantled, operators frequently relocate services to new jurisdictions or establish replacement infrastructure to continue operations.
Sources
https://hackread.com/netherlands-busts-bulletproof-hosting-disinfo-cybercrime/
https://securityaffairs.com/192602/intelligence/dutch-authorities-dismantle-hosting-network-allegedly-used-for-cyberattacks-and-disinformation.html

Comments