Authorities in the Netherlands have arrested two men accused of running bulletproof hosting services that enabled Russian cybercriminals and state-backed hackers to launch attacks against European targets while evading international sanctions. The Dutch Fiscal Information and Investigation Service (FIOD) announced the arrests on May 18, 2025, following a lengthy investigation that uncovered a sophisticated network of front companies and technical infrastructure designed to shield malicious activities.
The suspects, a 57-year-old man from Amsterdam and a 39-year-old man from The Hague, were taken into custody after simultaneous raids at three locations in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. Investigators seized laptops, mobile phones, and over 800 servers during the operation, which marked one of the largest takedowns of illicit hosting infrastructure in recent years.
How the Scheme Operated
According to FIOD, the 57-year-old suspect owned and directed a Dutch company that served as a front for a sanctioned web hosting provider. That sanctioned entity, later identified as Stark Industries, was created just two weeks before Russia's full-scale invasion of Ukraine in February 2022. The company specialized in providing bulletproof hosting to Russian state-sponsored actors, allowing them to conduct disinformation campaigns, election interference, and disruptive cyberattacks against European Union member states.
When the EU placed Stark Industries on its sanctions list in May 2025, the company's technical infrastructure was rapidly transferred to the Dutch front company owned by the 57-year-old suspect. The 39-year-old suspect, described as the director and owner of a firm that managed server operations, ensured that the servers of the front company remained functional and online, effectively continuing the same illicit services under a new legal entity.
The FIOD's announcement did not initially name the suspects or their companies, but an eight-month investigation by the Dutch newspaper de Volkskrant identified them as Youssef Z. and Andrey N. According to the report, Andrey N. owned Mirhosting, a company that rented physical servers in multiple data centers to Stark Industries. These servers were used to host infrastructure for Russian hacker groups such as NoName057(16), which launched distributed denial-of-service (DDoS) attacks and other cyber operations against European targets.
The EU Sanctions and Evasion Tactics
The EU sanctions against Stark Industries, imposed in May 2025, explicitly prohibited European citizens and entities from providing any support to the company. In response, the two Moldovan brothers behind Stark Industries Iurie and Ivan Neculiti restructured their operations and moved a significant portion of their activities to a new Dutch company called WorkTitans, based in Enschede. WorkTitans rented server space and resold it to clients, effectively obscuring the identity of the real users and making abuse detection extremely difficult for law enforcement and cybersecurity researchers.
Bulletproof hosting refers to a type of web hosting service that ignores abuse complaints, takedown requests, and legal action. These services are typically located in jurisdictions with weak cybercrime laws or use legal loopholes to avoid accountability. The Dutch suspects exploited the country's robust internet infrastructure while hiding behind shell companies and complex corporate structures.
The case highlights the growing challenge that law enforcement faces in combating cybercrime facilitated by bulletproof hosts. Unlike legitimate hosting providers that respond quickly to abuse reports, bulletproof hosts actively shield their clients from investigation and prosecution. This has made them a critical enabler for ransomware gangs, botnet operators, and state-sponsored hacking groups.
Broader Implications and Related Operations
The arrests in the Netherlands are part of a wider crackdown on cybercrime infrastructure that has accelerated since the Russian invasion of Ukraine. In recent months, international law enforcement agencies have disrupted numerous services used by Russian hackers, including VPNs, botnets, and darknet marketplaces. For example, in April 2025, Canadian authorities arrested a man operating the Kimwolf botnet, which targeted critical infrastructure in Ukraine and NATO countries. Similarly, the 'First VPN' cybercrime service was shut down in March 2025, with its administrator arrested in a coordinated operation involving Europol and several national police forces.
In the Middle East and North Africa, a major operation in February 2025 led to the arrest of 201 individuals linked to various cybercrimes, including phishing, SIM swapping, and ransomware attacks. And just weeks before the Dutch arrests, the 'Crimenetwork' marketplace was taken down by German police, and its administrator was arrested. These actions demonstrate a global commitment to dismantling the infrastructure that supports cybercriminals, but experts warn that bulletproof hosting remains a persistent threat.
The Dutch investigation is notable for its focus on the business relationships between sanctioned entities and apparently legitimate companies. By following the money and infrastructure trail, investigators were able to uncover the intricate network that enabled hackers to continue their operations despite sanctions. The seizure of over 800 servers will likely provide valuable intelligence about the activities of Russian hacker groups and their methods.
The case also underscores the importance of international cooperation. The FIOD worked closely with Europol, the European Union Agency for Law Enforcement Cooperation, and other national authorities to coordinate the raids and share evidence. Such collaboration is essential because cybercriminals often operate across multiple jurisdictions, using legal systems to their advantage.
Whitney Maxwell, a cybersecurity researcher specializing in threat infrastructure, noted that bulletproof hosting providers are often the weak link that law enforcement can exploit. "Taking down the hosting providers that supply services to advanced persistent threat groups can significantly disrupt their operations, even if only temporarily," Maxwell said. "These groups rely on reliable, resilient infrastructure. When you seize their servers, you force them to rebuild, which is costly and time-consuming."
However, Maxwell cautioned that arrests alone may not be enough. "The individuals who run bulletproof hosting are often replaced quickly. The real challenge is to make the business model so risky and unprofitable that it deters others from entering the field." This requires not only law enforcement actions but also regulatory changes and better cooperation between hosting companies and authorities.
The two suspects in the Netherlands remain in custody pending further investigation. They face charges of participating in a criminal organization, money laundering, and violating EU sanctions. If convicted, they could face significant prison sentences. The investigation is ongoing, and authorities have not ruled out further arrests.
Source: SecurityWeek News