Law enforcement authorities in the Netherlands have arrested two suspects who are being accused of operating IT infrastructure used by Russia to carry out cyberattacks, influence operations, and disinformation campaigns within the EU.
-
A 57-year-old from Amsterdam and a 39-year-old from The Hague were arrested for allegedly hosting servers used by pro-Russian hacking group NoName057(16).
-
After web host Stark Industries Solutions was sanctioned in May 2025, its infrastructure was transferred to Dutch front companies WorkTitans BV and MIRhosting to continue operations.
-
Authorities searched business premises and data centers, seizing servers suspected of enabling DDoS attacks against European governments and institutions supporting Ukraine.
The suspects, a 57-year-old consultant from Amsterdam and a 39-year old concert pianist from The Hague, are alleged to have played key roles in the hosting infrastructure used by NoName057(16), a pro-Russian hacking collective that has repeatedly targeted Ukraine and its allies.
The investigation by law enforcement authorities focuses on Stark Industries Solutions, a web hosting company that was founded on February 10th, 2022, two weeks before the Russian invasion of Ukraine.
In the following years, the company was used to facilitate destabilizing activities directed against the European Union, including cyberattacks, influence operations, and the distribution of disinformation.
In May 2025, Stark Industries Solutions was placed on a sanctions list by the EU. Around the same period, significant parts of the company’s technical infrastructure were transferred to a newly established company in the Netherlands.
An investigation by the FIOD, the Netherlands' financial and tax crime investigation service, revealed that this company acted as a front for the sanctioned web hosting company. This company, the Enschede-based WorkTitans BV, was led by a consultant.
In addition, the Almere-based MIRhosting, which played a facilitating role, was owned by a concert pianist from The Hague. This company ensured that WorkTitans BV's servers were connected to the internet.
MIRhosting has clarified to Cybernews that it acted solely as an infrastructure and colocation provider, offering physical server space, power, and network connectivity in third-party data centers, while operational control of hardware, software, and data remained with its customers. The company further states that it does not consider itself to have acted as a “front company” and denies any involvement in sanctions evasion or unlawful activity, noting that it followed standard customer verification and compliance procedures.
The two men were placed under arrest on May 18th during a raid that was orchestrated by the FIOD.
The suspects are accused of making financial and technical resources available to entities sanctioned by the EU. Three business premises in Enschede and Almere were searched, as well as two data centers in Dronten and Schiphol-Rijk.
During the searches, records, laptops, telephones, and over 800 servers were seized. Investigators suspect the infrastructure enabled distributed DDoS attacks against governments, institutions, and organizations across Europe that supported Ukraine after Russia’s invasion.
MIRhosting is denying all allegations.
“We have taken note of the content of the publication and firmly deny that we played an active role in this matter. As part of the investigation, we are fully cooperating with the competent authorities and are providing them with all necessary information,” the hosting company said in a statement.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked