Netherlands seizes 800 servers of hosting firm enabling cyberattacks

Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks, interference operations, and disinformation campaigns.

FIOD arrested a 57-year-old suspect, who was the company director, and a 39-year-old who headed a separate firm that provided internet connectivity.

According to the authorities, the suspects indirectly provided economic resources to Russian and Belarusian entities sanctioned by the European Union (EU).

The investigation focuses on the activities of web hosting firm Stark Industries, founded on February 10, 2022, shortly before Russia’s invasion of Ukraine.

“The [Dutch] web hosting company, according to the research team, provided support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems,” FIOD says.

The EU added Stark Industries to the list of sanctioned entities last year on May 20. Following this restriction, the web hosting infrastructure was transferred to a newly created Dutch company that investigators believe acted as a front for the sanctioned entities.

In the recent action, FIOD conducted multiple raids in data centers in Dronten and Schiphol-Rijk, as well as searches in Enschede and Almere, where they seized 800 servers, laptops, phones, and administrative records.

From the FIOD raids
Source: FIOD

According to a report from the De Volkskrant publication, the name of this Dutch entity is WorkTitans B.V. and provides hosting services under the brand THE.Hosting.

The same outlet alleges that Danish authorities and infrastructure providers linked WorkTitans to attacks by the pro-Russian hacktivist group NoName057(16), which has previously targeted key organizations with distributed denial-of-service (DDoS) attacks.

Mirhosting, based in Almere, operated physical servers, provided colocation, and supplied high-capacity connectivity to major internet exchanges in Amsterdam and Frankfurt, acting as the transport layer through which Stark’s traffic entered Europe to reach the WorkTitans infrastructure.

It’s worth noting that WorkTitans did not respond to de Volkskrant’s requests for a statement, while Mirhosting denied knowingly supporting illegal operations, claiming they quickly intervened upon receipt of abuse complaints.