Netherlands Seizes 800 Servers and Arrests Two Men for Supporting Russian Cyber Operations
In one of the most significant cybercrime enforcement actions to come out of Europe in recent years, Dutch authorities have arrested two men and seized approximately 800 servers tied to a network of IT infrastructure used by Russia to conduct cyberattacks, disinformation campaigns, and influence operations across the European Union. The operation marks a major milestone in the ongoing effort by Western governments to dismantle the technical backbone supporting Russian state-sponsored cyber aggression.
Who Was Arrested and Why
The Dutch financial crime agency known as FIOD — the Tax Intelligence and Investigation Service — carried out the arrests on May 18, detaining a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. The two men are co-owners of two closely related Internet hosting companies. According to reporting by Dutch daily newspaper de Volkskrant, they have been charged with violating European Union sanctions law by directly or indirectly making economic resources available to sanctioned entities.
The hosting companies operated by the two men had taken over the technical infrastructure of Stark Industries Solutions, an Internet service provider that was sanctioned by the EU last year for repeatedly serving as a staging ground for cyberattacks and influence operations orchestrated by Russia's intelligence agencies. The connection between the Dutch hosting companies and Stark Industries Solutions had been documented as early as 2025 in a detailed investigation published by KrebsOnSecurity, a widely respected cybersecurity news outlet.
By assuming control over Stark Industries' technical infrastructure, the two men effectively allowed sanctioned Russian cyber operations to continue functioning under a new corporate umbrella — shielding those activities from immediate scrutiny while keeping the underlying attack infrastructure operational.
What Is Stark Industries Solutions?
Stark Industries Solutions is an Internet service provider that gained notoriety for its role in supporting Russian state-linked hacking groups. The EU sanctioned the company for being a frequent and reliable resource for Russian intelligence agencies looking to route cyberattacks, launch distributed denial-of-service operations, and spread disinformation across European networks.
The company's infrastructure has been linked to a range of malicious activities, including attacks on government systems, critical infrastructure targets, and media organizations in EU member states. Despite being sanctioned, the operational continuity of this infrastructure — enabled in part by its alleged takeover by the Dutch hosting firms — meant that the threat did not simply disappear when sanctions were imposed.
This case highlights a growing pattern in which sanctioned entities find ways to remain operational by transferring or obscuring their infrastructure through third-party companies, often registered in jurisdictions with more permissive oversight environments.
The FIOD Raid: Scale and Scope
The scale of the FIOD operation was substantial. Investigators seized approximately 800 servers during the raid, representing a significant blow to the physical and virtual infrastructure supporting these operations. The seizure disrupts not just the current activities running through those servers, but also degrades the capacity for future operations that relied on this hosting ecosystem.
FIOD, which typically focuses on financial and economic crimes, has increasingly expanded its mandate to include cybercrime investigations with financial dimensions — particularly those involving sanctions violations. The involvement of a financial crimes agency rather than a purely cyber-focused unit underscores the legal strategy being pursued: treating the provision of IT infrastructure to sanctioned entities as a financial crime, which carries its own distinct set of legal consequences under EU law.
Why This Case Matters for European Cybersecurity
The arrests and server seizures come at a time of heightened concern across the EU about Russian hybrid warfare tactics, which blend conventional military pressure with cyber operations, propaganda, and economic interference. Influence operations and disinformation campaigns in particular have become a central concern for European governments ahead of elections and during periods of geopolitical tension.
By targeting the infrastructure layer — the physical and virtual servers that make these operations possible — Dutch authorities are pursuing a strategy that goes beyond arresting individual hackers. Dismantling the hosting ecosystem that supports these activities creates a more durable disruption than simply taking down a single threat actor or piece of malware.
This approach also sends a clear message to companies and individuals operating in the EU's hosting and Internet services sector: providing infrastructure to sanctioned entities, even indirectly, carries serious legal risk. The charges filed against the two Dutch men make it explicit that ignorance or corporate distance from the end use of hosted services is not a sufficient defense against sanctions violations.
The Broader Context: Hosting Companies as Cybercrime Enablers
The Netherlands has long been a major hub for Internet infrastructure in Europe, home to one of the continent's largest internet exchange points. That makes it both a critical piece of the global internet and a potential weak point if hosting companies operating within its borders are willing — knowingly or otherwise — to serve malicious actors.
Cybersecurity researchers and law enforcement agencies have repeatedly flagged so-called "bulletproof hosting" providers as key enablers of cybercrime at scale. These are hosting companies that either turn a blind eye to the activities of their clients or actively market themselves as resistant to law enforcement takedown requests. While it has not been confirmed that the Dutch companies in question operated explicitly as bulletproof hosters, the end result — providing reliable infrastructure to sanctioned Russian cyber operations — was functionally similar.
- 800 servers were seized during the raid conducted by FIOD on May 18.
- Two Dutch nationals were arrested and charged with sanctions violations.
- Their companies had assumed operational control of infrastructure tied to Stark Industries Solutions.
- Stark Industries Solutions was sanctioned by the EU for supporting Russian intelligence-linked cyberattacks.
- The case was first surfaced publicly by KrebsOnSecurity in a 2025 investigation.
What Happens Next
The two arrested men are expected to face prosecution under EU sanctions law, with potential penalties that could include significant fines and imprisonment. The seized servers will likely be forensically analyzed to map out the full extent of the operations they supported, potentially providing investigators with leads into other individuals, companies, or state actors involved in the broader cyber influence network.
For the cybersecurity community and European policymakers, this case reinforces the importance of treating infrastructure providers as accountable participants in the cyber threat ecosystem — not neutral bystanders. As Russian hybrid operations continue to evolve, enforcement actions like this one will remain a critical tool in Europe's defensive arsenal.