How Dutch Investigators Dismantled a Sanctions-Evading Hosting Network

CyberSecureFox Editorial Team

The Netherlands Fiscal Information and Investigation Service (FIOD) carried out a large-scale operation to seize more than 800 servers and detained two suspects for violating EU sanctions legislation. According to investigators, the confiscated hosting infrastructure was used to conduct cyberattacks and disinformation campaigns against European states. The operation affected data centers in several Dutch cities and led to widespread outages for customers of a number of hosting providers, some of whom reported the complete and irreversible loss of infrastructure in four countries.

Timeline of the operation and arrests

The operation was launched on 18 May 2025 and covered data centers in Dronten and Schiphol-Rijk, with searches also carried out in Enschede and Almere. Two individuals were arrested: a 57-year-old Amsterdam resident, the director of a hosting company, and a 39-year-old resident of The Hague, the head of a provider that supplied network infrastructure to the first company.

FIOD states that the detainees “indirectly provided economic resources” to organizations under European Union sanctions. The investigation concerns a hosting company founded on 10 February 2022—two weeks before Russia’s full-scale invasion of Ukraine. According to investigators, this company’s infrastructure was used for “destabilising activities against the EU,” including cyberattacks and the spread of disinformation.

Sanctions and attempted evasion

On 20 May 2025, the EU Council expanded the sanctions lists, adding 21 individuals and 6 entities in response to Russian hybrid threats. According to FIOD, after the hosting company was added to the sanctions lists, a significant part of its infrastructure was transferred to a new Dutch firm, which investigators believe is a front used to circumvent sanctions. It was this apparent attempt at evasion that likely triggered the authorities’ active measures.

This case sets an important precedent: European authorities are prepared to pursue not only entities directly under sanctions, but also intermediaries that ensure their continued operation by creating legal cover structures.

Alleged companies and links to threats

Although FIOD has not officially disclosed the names of the companies, Dutch outlet de Volkskrant conducted its own investigation and suggested that the case likely involves Stark Industries, WorkTitans and Mirhosting. According to journalists, the infrastructure of these companies was allegedly used to route traffic for the pro-Russian hacktivist group NoName057(16), known for DDoS attacks on European governmental bodies and organizations.

Reports indicate that after sanctions were imposed on Stark Industries, part of its infrastructure and IP address space was transferred to the Dutch company WorkTitans, which operated under the THE.Hosting brand. Mirhosting, according to the investigation, provided server hosting and connectivity to major European Internet exchange points (IXPs).

It is important to emphasize that the identification of specific companies, and the link between the infrastructure and NoName057(16), is based on journalistic investigation, not on official FIOD statements. Attribution requires further corroboration.

Mirhosting representatives told de Volkskrant that they did not knowingly support illegal activity and responded to complaints as they arose. WorkTitans did not respond to journalists’ inquiries.

Impact on customers

The FIOD operation had serious consequences for users of the associated hosting services. Starting 19 May, customers of THE.Hosting, UFO.Hosting and GEO.Hosting began reporting widespread disruptions: inaccessible VPS, non-functioning control panels and billing systems, and no responses from technical support.

Customers later received notifications about a “large-scale technical incident,” stating that infrastructure in the USA, Germany, the Netherlands and Austria had been “completely lost and cannot be restored.” The hosting providers promised automatic issuance of new servers in other locations and compensation; however, according to user reports, some customers never received replacements and faced data loss and difficulties obtaining refunds.

This information is based on user reports and should be treated with caution, but the volume of complaints indicates the problem is real.

Impact assessment and industry takeaways

This operation affects several levels:

  • Sanctions enforcement: for the first time under the EU sanctions regime against Russian hybrid threats, such a large-scale confiscation of hosting infrastructure has been carried out alongside the arrest of its operators
  • Crackdown on “bulletproof” hosting: the operation demonstrates that European jurisdictions are capable of reacting quickly to the transfer of infrastructure between front companies
  • Collateral damage: legitimate customers of hosting providers not involved in illegal activity suffered real losses—from data to financial assets

Recommendations

For organizations using lesser-known hosting providers, especially those offering attractively low prices:

  • Check the provider’s legal history: registration date, ownership changes, connections to sanctioned entities—all of this is available through public registries and WHOIS
  • Ensure geographic diversification of backups: this incident showed that confiscation can simultaneously affect infrastructure in multiple countries
  • Review your provider’s current ASN and IP blocks: migration of IP address space from sanctioned companies to new legal entities is a direct risk indicator
  • Include compensation clauses in contracts with hosting providers for cases where infrastructure is confiscated by law enforcement agencies
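
The ASN and IP-block review recommended above can be automated by comparing two snapshots of prefix ownership. The following is an added example, not code from the article or from FIOD: it flags address space that a listed holder held earlier and that now sits under a different legal entity, then checks your own hosts against it. All prefixes, ASNs, holder names and host addresses are constructed placeholders.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 5737) and documentation ASNs
# (RFC 5398); holder names are hypothetical. Real snapshots would come from
# RIR/WHOIS or routing-table exports taken at two points in time.
BEFORE = {
    "192.0.2.0/24": (64496, "Flagged Hosting Ltd"),
    "198.51.100.0/24": (64496, "Flagged Hosting Ltd"),
    "203.0.113.0/24": (64500, "Unrelated Networks BV"),
}
AFTER = {
    "192.0.2.0/25": (64497, "Fresh Shell BV"),  # old /24 split and re-homed
    "192.0.2.128/25": (64497, "Fresh Shell BV"),
    "198.51.100.0/24": (64496, "Flagged Hosting Ltd"),
    "203.0.113.0/24": (64500, "Unrelated Networks BV"),
}
FLAGGED = {"Flagged Hosting Ltd"}  # holders on your own sanctions/risk list


def migrated_prefixes(before, after, flagged):
    """Current prefixes that overlap space a flagged holder held earlier
    but are now registered to a different holder."""
    found = []
    for new_pfx, (new_asn, new_holder) in after.items():
        new_net = ipaddress.ip_network(new_pfx)
        for old_pfx, (_, old_holder) in before.items():
            if (old_holder in flagged and new_holder != old_holder
                    and new_net.overlaps(ipaddress.ip_network(old_pfx))):
                found.append((new_pfx, old_holder, new_holder, new_asn))
    return found


def audit_hosts(hosts, after, migrated, flagged):
    """Map each of your hosts to a risk label; hosts with no finding are omitted."""
    inherited = {ipaddress.ip_network(m[0]): m for m in migrated}
    report = {}
    for host in hosts:
        ip = ipaddress.ip_address(host)
        for pfx, (_, holder) in after.items():
            net = ipaddress.ip_network(pfx)
            if ip not in net:
                continue
            if holder in flagged:
                report[host] = f"current holder flagged: {holder}"
            elif net in inherited:
                report[host] = f"space inherited from {inherited[net][1]} by {holder}"
    return report


if __name__ == "__main__":
    moved = migrated_prefixes(BEFORE, AFTER, FLAGGED)
    print(audit_hosts(["192.0.2.200", "198.51.100.7", "203.0.113.10"], AFTER, moved, FLAGGED))
```

Overlap matching rather than exact string comparison matters here because re-homed blocks are often split or aggregated when they change hands.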

The FIOD operation sets a new standard for law enforcement action against hosting infrastructure used for cyberattacks: the seizure of 800 servers coupled with the simultaneous disruption of an attempted sanctions-evasion scheme via front companies. Organizations hosting mission-critical services with smaller providers should immediately audit their hosting partners for links to sanctioned entities and ensure they maintain current external backups that do not depend on the primary provider’s infrastructure.

