Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

May 24, 2026 · 9 min read

The Netherlands Just Seized 800 Servers From Stark Industries—the Bulletproof Hoster That Already Got EU Sanctioned a Year Ago for Renting Infrastructure to Russian Hacktivists, Disinformation Operations, and a DDoS Campaign Against a Danish Water Utility

On May 22 the Dutch financial crime unit FIOD raided data centres in Dronten and Schiphol Rijk, arrested the 57 year old director of Stark Industries and a 39 year old connectivity broker, and walked off with 800 servers. Brussels sanctioned the company exactly twelve months and two days earlier. The intervening year tells a story about how slow the gap between a sanctions designation and an actual enforcement is.

A Dutch police evidence room with confiscated rack mounted servers and cables laid out on metal tables, representing a financial crime seizure of bulletproof hosting infrastructure

Key Takeaways

  • The Dutch FIOD seized 800 servers from Stark Industries on May 22, 2026, in coordinated raids on data centres in Dronten and Schiphol Rijk, with additional searches in Enschede and Almere.
  • Two suspects were arrested—the 57 year old company director of Stark Industries and a 39 year old who runs a separate firm that brokered the internet connectivity.
  • The EU sanctioned Stark Industries on May 20, 2025, for supplying infrastructure to Russian and Belarusian state aligned actors—the seizure came almost exactly twelve months later.
  • Customers using the seized infrastructure included the pro Russian hacktivist crew NoName057(16), which staged DDoS attacks on a Danish water utility and other Western critical infrastructure targets.
  • After the sanctions designation, Stark Industries' infrastructure was transferred to a successor company called WorkTitans B.V. operating as THE.Hosting—suggesting the operators tried to keep the network alive under a different brand.

What Is Stark Industries?

Stark Industries was a Dutch hosting company incorporated on February 10, 2022—two weeks before Russia's full scale invasion of Ukraine. From the start, the firm built itself as a bulletproof hoster in the sense the term has acquired in the security industry: a provider whose business model is to ignore abuse complaints, decline to cooperate with law enforcement requests outside its own jurisdiction, and rent capacity to whoever pays.

The physical servers were hosted by Mirhosting, a Dutch infrastructure provider that does not appear to have been implicated by name in the criminal allegations, with connectivity routed through the Amsterdam and Frankfurt internet exchanges. The legal entity was registered in the Netherlands, but a substantial share of the customer base was Russian and Belarusian, including operators sanctioned by the EU as part of the response to Russia's invasion of Ukraine.

What Did Customers Use the Infrastructure For?

The FIOD's public statement names three categories of misuse. Cyberattacks, interference operations, and disinformation campaigns benefiting Russian Federation aligned entities. The phrasing—"support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems"—is the regulatory language for everything from amplifying state propaganda to DDoSing a hospital.

The most cited customer is NoName057(16), a pro Russian hacktivist crew that has run a campaign of opportunistic DDoS attacks against Western critical infrastructure for the duration of the war. The group's targeting has included a Danish water utility, multiple European parliaments, and a long tail of municipal services that struggle to defend against even moderate volume floods. Researchers have repeatedly traced NoName057's command and control infrastructure to Stark Industries IP ranges.

The disinformation customers are less specifically named in the FIOD statement, but the EU's May 2025 sanctions notice described the company as renting infrastructure to entities that operate fake news websites, run social media bot farms, and host content used in election interference campaigns. Russia's APT cluster names—Doppelganger, RRN, the Storm-1516 cluster Microsoft has tracked—have all surfaced on Stark Industries IP space at one point or another.

The Twelve Month Gap Between Sanctions and Seizure

The EU sanctioned Stark Industries on May 20, 2025. The Dutch financial crime unit took physical action on May 22, 2026. That gap—two days short of a year—is worth examining.

A sanctions designation is, in theory, immediate. Once the EU adds an entity to its consolidated list, member states are required to freeze its assets, prohibit transactions with it, and prevent the provision of any economic resources. In practice, enforcing a sanction against a hosting company is operationally complex. The servers were physically located in EU territory. The legal entity was an EU registered company. The customers were elsewhere. The infrastructure kept running.

Within weeks of the sanctions, researchers identified a successor entity called WorkTitans B.V. operating as THE.Hosting, taking over the same IP ranges and—reportedly—much of the same customer base. The pattern is familiar from earlier bulletproof hosting cases: the operators rebrand, the customers migrate, and the regulatory victory exists only on paper.

The seizure on May 22, 2026 is the moment the on paper victory becomes operational. Eight hundred physical servers are now in evidence bags. Two operators are in custody. The successor company's continued operation is now subject to scrutiny that—if past sanctions enforcement is any guide—will eventually pull it into the same legal frame.

Why This Matters for Email Security

Bulletproof hosters are the physical layer that keeps email phishing, malware command and control, and disinformation infrastructure running. Take down a phishing kit's domain registrar and the attacker buys another domain. Take down the hosting infrastructure and the attacker has to rebuild from physical hardware on up. Seizures of the Stark Industries type are the ones that matter operationally, because they remove capacity rather than just naming attribution.

Disinformation campaigns running on this infrastructure also overlap heavily with email based fraud. The fake news websites that get pushed through Russian aligned amplification networks are the same domains that get planted in business email compromise lures, in misleading newsletter spam, and in the social engineering pretexts that modern phishing platforms like Bluekit ship out of the box. Removing 800 servers' worth of infrastructure removes a real, measurable slice of that supply.

For journalists, the seizure also addresses a quieter problem. Stark Industries IPs have shown up repeatedly in the C2 infrastructure for the surveillance and tracking malware used against exiled Russian and Belarusian journalists. Belarus's state TV doxxing of 21 exiled reporters earlier this month was one operational tip of that infrastructure; removing the hosting layer makes the next campaign harder to stand up.

What Defenders Should Do

First, identify any business relationship—direct or via downstream providers—with Stark Industries, WorkTitans B.V., or THE.Hosting. The seizure includes 800 servers but the legal proceedings will produce a customer list, IP ranges, and probably the contents of unencrypted disks. If your company had a marketing contractor, an SEO vendor, or a domain reseller whose upstream provider was Stark Industries, that vendor may be about to lose connectivity without warning. Continuity planning matters.

Second, refresh your firewall block lists. Threat intelligence feeds that track Russian aligned hosting infrastructure have flagged Stark Industries' IP ranges for months. If your perimeter is not already blocking them, the seizure is a good prompt to do so. The same ranges, even after the seizure, may be transferred to successor operators—the FIOD investigation will name them as they identify them.

Third, review the integrity of any email security tools or mail filtering services that rely on commercial threat intelligence. The takedown of NoName057's hosting reduces the volume of DDoS noise in the global telemetry; sudden silence from a previously noisy actor is itself a signal that operational disruption has happened, and tuned threshold based detection may need to be recalibrated.

The Bigger Picture

The Stark Industries seizure is not the first western country action against a Russian aligned hosting operation. Europol's Operation Saffron pulled down First VPN last week—a multi server takedown that quietly surveilled customers for months before pulling the plug. The Dutch operation has a different operational character. First VPN's takedown was an intelligence operation that produced criminal identifications as a byproduct. The Stark Industries seizure is a financial crime enforcement that targets the corporate vehicle.

The two approaches are complementary. Intelligence led takedowns produce a pipeline of identified suspects. Financial crime led seizures remove capacity from the ecosystem. Together they begin to make the bulletproof hosting business model uneconomic—the operators are increasingly looking at criminal exposure rather than just sanctions friction—which is the only kind of pressure that has historically shifted that market.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.