Dutch authorities dismantle hosting network allegedly used for cyberattacks and disinformation

Dutch authorities arrested two suspects and seized 800 servers tied to Stark Industries, a hosting firm linked to cyberattacks and disinformation.

Dutch financial crime investigators arrested two men and seized 800 servers connected to Stark Industries, a hosting provider accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities said the suspects supported Russian and Belarusian entities under EU sanctions. Investigators launched the probe into the company, founded shortly before Russia invaded Ukraine. Authorities searched three business premises in Enschede and Almere, along with two data centers in Dronten and Schiphol-Rijk, seizing administrative records, laptops, phones, and more than 800 servers.

“The criminal investigation focuses on a web hosting company that was established on February 10, 2022, two weeks before the Russian invasion of Ukraine,” reads the press release published by Dutch FIOD. “In the years that followed, this company was used, among other things, to facilitate destabilizing activities directed against the European Union, including interference, cyberattacks, and the dissemination of disinformation.”

Dutch investigators said a web hosting company established on February 10, 2022, acted as a front for sanctioned hosting provider Stark Industries. After the EU sanctioned Stark Industries in May 2025, operators reportedly moved much of its infrastructure to a Dutch company controlled by a 57-year-old suspect. A second Dutch firm allegedly helped keep the servers connected to the internet.

“The FIOD tracks down individuals and entities attempting to circumvent these sanctions or failing to comply with them,” continues the press release.

“According to the investigation team, the web hosting company provided support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems.”

A report by De Volkskrant identifies the Dutch company WorkTitans B.V.

“A confidential technical overview, seen by de Volkskrant and Denmark’s public broadcaster DR, shows the networks most used in pro-Russian attacks on Danish government bodies,” states De Volkskrant. “Between 13 and 19 November 2025 this was the infrastructure of two companies: the Enschede-based WorkTitans, owned by organizational consultant Youssef Z., and Mirhosting of Almere, owned by concert pianist Andrey N.”

Stark was founded just before Russia’s 2022 invasion of Ukraine by Moldovan Ivan Neculiti from Transnistria, with his brother Iurie involved as director. Investigations by Correctiv and a 2024 intelligence report allege links between the brothers, their companies, and Russian intelligence, with Iurie described as a key link. They deny working for any security services and call the claims defamation. Analysts say Stark’s infrastructure carried large volumes of pro-Russian cyberattack traffic, including NoName057(16) activity, and functioned as a proxy network obscuring attack origins. Mirhosting in the Netherlands allegedly helped route this traffic via EU infrastructure. EU sanctions in 2025 targeted Stark and the Neculiti brothers for facilitating Russian cyber operations.

“Nine days after the EU sanctions, one of Neculiti’s three internet companies, PQ Hosting, officially changed its name to THE.Hosting, the same name under which the Enschede-based WorkTitans operates its hosting activities. THE.Hosting was registered by a Russian network operator on behalf of the Neculiti brothers,” concludes De Volkskrant. “In addition, de Volkskrant found that specific IP addresses used by the hacker group NoName057(16) for attacks on European targets, including at least one Danish municipal website, were transferred from Stark to WorkTitans.”

Pierluigi Paganini (SecurityAffairs – hacking, disinformation)