Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
Dutch authorities arrested two co-owners of Internet hosting companies accused of operating infrastructure used by Russia for cyberattacks, influence operations, and disinformation campaigns targeting the EU. The suspects controlled networks linked to Stark Industries Solutions, an EU-sanctioned ISP known for supporting Russia-backed cyber activities. Over 800 servers were seized during raids, and investigations revealed involvement in pro-Russian attacks on Danish government bodies during municipal elections. One hosting company, MIRhosting, temporarily paused services to a related entity while conducting an internal review. The arrests relate to violations of EU sanctions laws by providing economic resources to sanctioned entities. The hosting companies allegedly facilitated distributed denial-of-service attacks and proxy services used in cyberattacks. The suspects deny knowingly supporting cybercrime or sanctions evasion. This case highlights enforcement actions against infrastructure enabling state-backed cyber operations.
AI Analysis
Technical Summary
Authorities in the Netherlands arrested two men who co-owned Internet hosting companies implicated in providing IT infrastructure used by Russia to conduct cyberattacks and disinformation campaigns within the EU. These companies controlled technical infrastructure formerly operated by Stark Industries Solutions, an ISP sanctioned by the EU for facilitating cyber operations linked to Russian intelligence. The investigation uncovered that the hosting providers enabled large-scale distributed denial-of-service attacks and proxy services used by Russia-backed hacking groups, including attacks targeting Danish government bodies during elections. Dutch financial crime investigators seized over 800 servers and charged the suspects with violating sanctions laws by making economic resources available to EU-sanctioned entities. One hosting company, MIRhosting, has paused services to related entities and is conducting an internal investigation. The suspects deny intentional involvement in cybercrime or sanctions evasion. This enforcement action disrupts infrastructure supporting hybrid warfare cyber activities.
Potential Impact
The arrests and server seizures disrupt infrastructure used to facilitate cyberattacks, influence operations, and disinformation campaigns attributed to Russian state-backed actors targeting the European Union. The hosting companies provided critical services such as proxy and anonymity networks and were involved in large-scale distributed denial-of-service attacks against European government targets. The enforcement action impairs the operational capabilities of these cyber operations by removing key hosting resources and holding operators accountable for sanctions violations. There is no indication that the hosting companies themselves were compromised; rather, they are accused of knowingly or unknowingly enabling sanctioned entities. The impact includes loss of data stored on seized servers and potential interruption of services for customers of the affected hosting providers.
Mitigation Recommendations
This threat is addressed through law enforcement actions including arrests and seizure of physical infrastructure. There is no software patch applicable. Organizations should monitor for any residual activity related to these hosting providers and assess exposure if they used these services. The hosting company MIRhosting has paused services to implicated entities and is conducting an internal investigation. No further mitigation actions are specified or required from end users based on the available information. The vendor (hosting providers) do not provide a patch; remediation is through legal enforcement and infrastructure seizure.
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
Description
Dutch authorities arrested two co-owners of Internet hosting companies accused of operating infrastructure used by Russia for cyberattacks, influence operations, and disinformation campaigns targeting the EU. The suspects controlled networks linked to Stark Industries Solutions, an EU-sanctioned ISP known for supporting Russia-backed cyber activities. Over 800 servers were seized during raids, and investigations revealed involvement in pro-Russian attacks on Danish government bodies during municipal elections. One hosting company, MIRhosting, temporarily paused services to a related entity while conducting an internal review. The arrests relate to violations of EU sanctions laws by providing economic resources to sanctioned entities. The hosting companies allegedly facilitated distributed denial-of-service attacks and proxy services used in cyberattacks. The suspects deny knowingly supporting cybercrime or sanctions evasion. This case highlights enforcement actions against infrastructure enabling state-backed cyber operations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Authorities in the Netherlands arrested two men who co-owned Internet hosting companies implicated in providing IT infrastructure used by Russia to conduct cyberattacks and disinformation campaigns within the EU. These companies controlled technical infrastructure formerly operated by Stark Industries Solutions, an ISP sanctioned by the EU for facilitating cyber operations linked to Russian intelligence. The investigation uncovered that the hosting providers enabled large-scale distributed denial-of-service attacks and proxy services used by Russia-backed hacking groups, including attacks targeting Danish government bodies during elections. Dutch financial crime investigators seized over 800 servers and charged the suspects with violating sanctions laws by making economic resources available to EU-sanctioned entities. One hosting company, MIRhosting, has paused services to related entities and is conducting an internal investigation. The suspects deny intentional involvement in cybercrime or sanctions evasion. This enforcement action disrupts infrastructure supporting hybrid warfare cyber activities.
Potential Impact
The arrests and server seizures disrupt infrastructure used to facilitate cyberattacks, influence operations, and disinformation campaigns attributed to Russian state-backed actors targeting the European Union. The hosting companies provided critical services such as proxy and anonymity networks and were involved in large-scale distributed denial-of-service attacks against European government targets. The enforcement action impairs the operational capabilities of these cyber operations by removing key hosting resources and holding operators accountable for sanctions violations. There is no indication that the hosting companies themselves were compromised; rather, they are accused of knowingly or unknowingly enabling sanctioned entities. The impact includes loss of data stored on seized servers and potential interruption of services for customers of the affected hosting providers.
Mitigation Recommendations
This threat is addressed through law enforcement actions including arrests and seizure of physical infrastructure. There is no software patch applicable. Organizations should monitor for any residual activity related to these hosting providers and assess exposure if they used these services. The hosting company MIRhosting has paused services to implicated entities and is conducting an internal investigation. No further mitigation actions are specified or required from end users based on the available information. The vendor (hosting providers) do not provide a patch; remediation is through legal enforcement and infrastructure seizure.
Technical Details
- Article Source
- {"url":"https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/","fetched":true,"fetchedAt":"2026-05-26T19:40:53.881Z","wordCount":1904}
Threat ID: 6a15f7466b9ae66727f4dbbc
Added to database: 5/26/2026, 7:40:54 PM
Last enriched: 5/26/2026, 7:41:07 PM
Last updated: 5/26/2026, 9:52:16 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.