Authorities in the Netherlands have arrested two individuals accused of operating bulletproof hosting services that enabled Russian cybercriminals and state-sponsored hackers to launch attacks against European Union targets while evading international sanctions. The arrests, announced by the Dutch Fiscal Information and Investigation Service (FIOD), mark a notable step in the ongoing battle against cybercrime infrastructure that supports Kremlin-linked threat actors.

Details of the Arrests

On May 18, FIOD officers apprehended a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. The suspects are believed to be the owners and directors of two Dutch companies that served as fronts for a sanctioned web hosting provider. During the operation, investigators searched three locations in the cities of Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. They seized laptops, mobile phones, and more than 800 servers, which are now being analyzed for evidence.

According to FIOD, the 57-year-old suspect owned a company that acted as a front for Stark Industries, a Moldovan-founded hosting provider that was placed under EU sanctions in May 2025. The sanctioned entity had been established just two weeks before Russia's full-scale invasion of Ukraine and was used to facilitate disinformation campaigns, election interference, and disruptive cyberattacks against EU member states. After the sanctions were imposed, the technical infrastructure of Stark Industries was transferred to the Dutch front company, allowing operations to continue under a new guise.

The second suspect, aged 39, is accused of running a firm that ensured the servers of the front company remained operational and accessible online. This involved maintaining the hardware, managing IP addresses, and obfuscating the true customers of the hosting services. Both suspects are currently in custody pending further investigation.

The Role of Bulletproof Hosting

Bulletproof hosting refers to web hosting services that ignore or actively facilitate illegal activity by their clients. These providers typically operate in jurisdictions with weak enforcement, use anonymous registration, and resist takedown requests from law enforcement or abuse departments. Cybercriminals rely on such services to host malware command-and-control servers, phishing sites, and botnet infrastructure without fear of disruption.

In this case, the hosting services were used by Russian threat actors, including the hacktivist group NoName057(16), which is known for launching distributed denial-of-service (DDoS) attacks against European government, media, and financial institutions. By providing a stable and protected environment, the Dutch companies enabled these attacks to persist despite international efforts to sanction and isolate Russian cyber operations.

Bulletproof hosting remains a critical enabler of cybercrime worldwide. The seizure of over 800 servers in this operation represents one of the largest takedowns of its kind in Europe this year. Authorities believe that the dismantled network supported not only DDoS attacks but also data theft, ransomware operations, and propaganda dissemination.

Investigation and Media Revelations

While FIOD's official announcement did not name the suspects or their companies, an extensive investigation by the Dutch newspaper de Volkskrant identified the two men as Youssef Z. and Andrey N. The report linked them to Stark Industries, which was founded by Moldovan nationals Iurie and Ivan Neculiti. The Neculiti brothers were themselves sanctioned by the EU in May 2025 for enabling Russian state-sponsored activities.

According to de Volkskrant, Andrey N. owned Mirhosting, a company that deployed physical servers in multiple data centers across the Netherlands. Those servers were then rented to Stark Industries, which in turn provided access to hacker groups like NoName057(16). The arrangement allowed the hackers to launch attacks without revealing their own infrastructure, while the hosting companies collected payments and shielded their clients from scrutiny.

When the EU sanctions made it illegal for European companies to do business with Stark Industries, the Neculiti brothers restructured their operations. They moved part of the business to Youssef Z.'s company, WorkTitans, based in Enschede. WorkTitans operated as a reseller of server space, purchasing capacity from larger data centers and subleasing it to clients under vague contracts. This structure made it difficult for investigators to trace the ultimate beneficiaries of the hosting services.

Sanctions Evasion and Legal Ramifications

The case highlights the challenges of enforcing sanctions against cybercriminal enterprises. Even after Stark Industries was officially blacklisted, its activities continued through a network of shell companies and proxy services. The Dutch arrests suggest that law enforcement is increasingly targeting the facilitators who help sanctioned entities avoid restrictions.

The EU sanctions imposed in May 2025 specifically prohibited European citizens and entities from providing any form of support to Stark Industries, including hosting, financial services, or technical assistance. The two arrested suspects allegedly violated these prohibitions by allowing their companies to serve as intermediaries. If convicted, they face significant prison sentences and fines under Dutch law, as well as potential additional penalties for money laundering and participation in a criminal organization.

FIOD has stated that the investigation is ongoing and that more arrests may follow. The agency is also working with Europol and other international partners to identify other individuals and companies that may have assisted Stark Industries and similar hosting providers.

Broader Implications for Cybersecurity

This operation is part of a wider trend of international law enforcement cracking down on infrastructure used by cybercriminals. In recent months, similar actions have been taken against bulletproof hosting providers in the United States, Germany, and Finland. The takedown of these services can temporarily disrupt malicious campaigns, but experts warn that new providers often emerge quickly to fill the void.

The case also underscores the importance of cooperation between European countries and investigative journalism. The de Volkskrant investigation provided crucial leads that helped FIOD build its case. Such partnerships between media and law enforcement are becoming more common in the fight against cybercrime, as they bring transparency to opaque digital markets.

For the cybersecurity community, the arrest of Youssef Z. and Andrey N. sends a clear message that hosting providers cannot hide behind corporate structures or legal loopholes when they facilitate illegal activities. However, the challenge remains significant: bulletproof hosting is a multi-billion-dollar industry that profits from the anonymity and lack of accountability in the global internet infrastructure.

As the investigation unfolds, more details are expected to emerge about the extent of the attacks launched from these servers and the identities of the Russian hackers who relied on them. The seizure of 800 servers provides a wealth of forensic data that could lead to further arrests and the disruption of additional cybercriminal networks.

Source: SecurityWeek News