Dutch Authorities Seize 800 Stark Industries Servers in Sanctions Crackdown

Dutch financial crime investigators seized 800 servers tied to Stark Industries, a web hosting firm accused of enabling Russian cyberattacks, disinformation campaigns, and coordinated DDoS operations across Europe. The operation, carried out by the Netherlands' Fiscal Intelligence and Investigation Service (FIOD), resulted in two arrests and the removal of infrastructure that had been operating in plain sight, shielded behind a Dutch front company set up after EU sanctions hit Stark directly.

The raids took place across multiple sites, including datacenters in Dronten and Schiphol-Rijk and additional locations in Enschede and Almere. Alongside the 800 servers, investigators walked out with laptops, mobile phones, and extensive administrative records.

A Hosting Firm Built for Conflict

Stark Industries was founded on February 10, 2022, roughly two weeks before Russia launched its full-scale invasion of Ukraine. Researchers had flagged it for years as an abuse-tolerant hosting provider: one that accepted clients others refused and responded slowly, if at all, to abuse complaints.

The EU added Stark Industries to its sanctions list in May 2025, cutting off its access to the European financial system and prohibiting European entities from doing business with it. What happened next is a familiar pattern in sanctions enforcement: the operations didn't stop. They moved.

The Shell Company Structure

After sanctions landed on Stark Industries, its infrastructure was allegedly transferred to a Dutch entity called WorkTitans B.V., which provided hosting services under the brand THE.Hosting. WorkTitans continued running the same servers for the same clients under a new name. A 57-year-old Amsterdam man, identified as the company director, was arrested in connection with WorkTitans' role in the network.

The connectivity layer was handled by a third firm, Mirhosting, based in Almere. Mirhosting operated the physical servers, managed colocation, and supplied high-capacity links to internet exchanges in Amsterdam and Frankfurt. That access gave Stark's traffic legitimate-looking entry into European networks. The 39-year-old man arrested ran Mirhosting and has been identified as Andrey Nesterenko of The Hague. Mirhosting denied knowingly supporting illegal activity and stated it acted on abuse complaints when they arrived.

FIOD says both suspects indirectly provided economic resources to Russian and Belarusian entities under EU sanctions. It's a violation that carries serious legal weight under EU law.

Links to Pro-Russian Hacktivists

The Stark Industries server seizure exposed more than a sanctions workaround. Danish authorities and infrastructure providers had already linked WorkTitans to attacks carried out by NoName057(16), a pro-Russian hacktivist group with a well-documented history of DDoS campaigns against European governments, financial institutions, and critical infrastructure.

NoName057(16) has made a point of targeting NATO-aligned countries, coordinating attacks through Telegram channels and gamified participation platforms that recruit volunteers to join their operations. Having reliable, abuse-tolerant hosting underpins that kind of sustained campaign. Disrupting the infrastructure does not eliminate the group, but it raises the cost and complexity of its operations.

FIOD described the hosting network as having "provided support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems."

What the Action Means

Law enforcement in Europe has spent much of 2026 targeting the infrastructure layer beneath state-aligned cybercrime rather than chasing individual actors. Taking down bulletproof hosting operations, seizing servers, and prosecuting sanctions violations is a different approach than indictments that rarely result in extradition. It removes the tools attackers depend on.

The Stark Industries case makes that logic concrete. Sanctioning a hosting firm is one step. Following the infrastructure as it migrates into a new legal entity, and then dismantling that too, is another. FIOD action suggests European authorities are prepared to do both.

The investigation is ongoing. Forensic analysis of the seized hardware and records is expected to identify further connections within the network.