May 27, 2026 21:00:00

Hosting company executives arrested on suspicion of supporting Russia-linked cyberattacks; Dutch authorities seize more than 800 servers.

Since Russia's invasion of Ukraine, the EU has become increasingly vigilant against 'hybrid attacks,' including cyberattacks, disinformation campaigns, and election interference. On May 18, 2026, the Dutch Financial Information and Investigation Office (FIOD) arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague on suspicion of providing economic resources to an organization subject to EU sanctions. More than 800 servers, ledgers, laptops, and mobile phones were seized in total.

FIOD houdt twee verdachten aan wegens overtreding sanctiewetgeving | FIOD Fiscale Inlichtingen en OpsporingsDienst

https://www.fiod.nl/fiod-houdt-twee-verdachten-aan-wegens-overtreding-sanctiewetgeving/

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks – Krebs on Security
https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/

According to FIOD, the hosting provider under investigation was established on February 10, 2022. This was approximately two weeks before Russia's invasion of Ukraine, and it is believed to have been used subsequently for cyberattacks targeting the EU, disinformation campaigns, and interference activities. A hosting provider is a company that leases space and network connections to run websites and servers on the internet. When misused, it can be used as a stepping stone for DDoS attacks or as a platform to conceal the identity of attackers.

While FIOD has not publicly disclosed the company's name, KrebsOnSecurity, run by security researcher Brian Krebs, has reported that the company under investigation is Stark Industries Solutions. Stark Industries Solutions was previously sanctioned by the EU Council in May 2025 for 'enabling information manipulation, interference, and cyberattacks by Russian government-backed or Russian-linked attackers.'

According to KrebsOnSecurity, the two arrested individuals were linked to WorkTitans BV, which allegedly took over the technical infrastructure of Stark Industries Solutions, and MIRhosting, which provided internet connectivity to WorkTitans BV. Stark Industries Solutions' technical infrastructure was transferred to WorkTitans BV, and MIRhosting provided internet connectivity to WorkTitans BV.

FIOD itself has not publicly disclosed the specific companies that were investigated, but it has provided an explanation that supports KrebsOnSecurity's report, stating that 'a newly created Dutch company functioned as a front for the sanctioned organization, and another Dutch company was responsible for connecting the servers to the internet.'

Andrey Nesterenko, the founder of MIRhosting and one of those arrested, claims he 'did not know the servers were being exploited by pro-Russian cybercriminals.' He also stated that MIRhosting does not support cybercrime or sanctions evasion, and that the migration related to Stark Industries Solutions was not intended to evade sanctions.

FIOD stated that the incident 'is suspected of supporting actions by the Russian Federation that undermine democracy and security through information manipulation and disruption of public and economic systems.' The infrastructure supporting cyberattacks does not consist solely of servers directly managed by the attackers, but involves a complex interplay of hosting providers, internet service providers, anonymization services, and more. This arrest suggests that even after the names of sanctioned organizations disappear from public view, related companies and operators can still be investigated by tracing the relocation of servers and networks.