Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Dutch authorities arrested two men operating Internet hosting companies that provided critical infrastructure for Russian state-sponsored cyberattacks and disinformation campaigns targeting the European Union. The 800 seized servers had been used to stage attacks by Russia's intelligence agencies, with the hosts maintaining control over infrastructure previously operated by Stark Industries Solutions, an EU-sanctioned ISP.

The two co-owners ran hosting firms that knowingly or negligently enabled Russia to conduct cyber operations and information warfare within EU territory. The arrest follows a 2025 KrebsOnSecurity investigation documenting how these companies took over technical operations of Stark Industries Solutions after EU sanctions restricted the original provider's activities.

This seizure represents a direct law enforcement response to infrastructure-level support for state-sponsored cyber campaigns. Russia has long relied on compromised or complicit hosting providers and resellers to mask attack origins and maintain persistence across multiple operations. By controlling the underlying server infrastructure, threat actors avoid detection and simplify the logistics of coordinating attacks across multiple targets.

The arrested individuals operated as middlemen between Russian threat actors and the broader Internet ecosystem. Their hosting companies provided anonymity, bulletproofing services, and technical cover that enabled sustained campaigns against EU government and private sector targets. Removing 800 servers disrupts active operations and forces Russian operators to reconstitute their attack infrastructure elsewhere, creating temporary gaps in capability.

This action reflects strengthening Dutch and EU coordination on cybersecurity enforcement. Rather than simply blocking traffic or revoking domain names, authorities targeted the physical infrastructure and human operators enabling these campaigns. The approach acknowledges that disrupting state-sponsored cyber activity requires action beyond technical defenses.

Organizations across the EU should audit their network traffic and log data to identify suspicious connections that may have transited these servers. Government agencies and critical infrastructure operators represent the primary targets of Russian intelligence cyber operations, but third-party service providers and technology vendors also face elevated risk