Full Report
Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks, interference operations, and disinformation campaigns. [...]
Analysis Summary
# Incident Report: Takedown of Stark Industries / WorkTitans Infrastructure
## Executive Summary
Dutch financial crime investigators (FIOD) dismantled a major hosting infrastructure used to facilitate Russian-state-sponsored cyber warfare, DDoS attacks, and disinformation campaigns. The operation resulted in the arrest of two individuals and the seizure of 800 servers that provided the backbone for sanctioned entities and hacktivist groups like NoName057(16). This action disrupts a significant "bulletproof" hosting pipeline that funneled Russian cyber interference into European networks.
## Incident Details
- **Discovery Date:** Raids conducted on May 22, 2026, at the peak of the investigation.
- **Incident Date:** February 2022 – May 2026.
- **Affected Organization:** Stark Industries, WorkTitans B.V. (THE.Hosting), Mirhosting.
- **Sector:** Information Technology / Web Hosting / Telecommunications.
- **Geography:** Netherlands (Dronten, Schiphol-Rijk, Enschede, Almere); Connectivity to Amsterdam and Frankfurt exchanges.
## Timeline of Events
### Initial Access
- **Date/Time:** February 10, 2022.
- **Vector:** Formation of Stark Industries just prior to the Ukraine invasion.
- **Details:** The firm established infrastructure designed to bypass EU sanctions and provide a platform for pro-Russian cyber operations.
### Lateral Movement
- **Economic/Infrastructure Shift:** Following EU sanctions on May 20, 2025, the infrastructure was laundered through a new Dutch front company, WorkTitans B.V., to maintain operational continuity.
### Data Exfiltration/Impact
- **Details:** The infrastructure was used to host disinformation campaigns and launch massive Distributed Denial of Service (DDoS) attacks against European public and economic systems.
### Detection & Response
- **Detection:** Collaborative investigation by FIOD, Danish authorities, and infrastructure providers linking the firms to NoName057(16).
- **Response:** Simultaneous raids on data centers and private residences on May 22, 2026; seizure of 800 servers and digital evidence.
## Attack Methodology
- **Initial Access:** Provisioning of "bulletproof" hosting services to malicious actors.
- **Persistence:** Use of shell companies (WorkTitans B.V.) to evade sanctions and maintain presence in EU data centers.
- **Defense Evasion:** Transferring assets to newly created Dutch entities to bypass EU blacklists; use of legitimate transport layers (Mirhosting) to mask traffic.
- **Impact:** Facilitation of high-capacity DDoS attacks and information manipulation aimed at undermining democracy and security.
## Impact Assessment
- **Financial:** Violations of EU sanctions legislation; seizure of significant corporate assets.
- **Data Breach:** Seizure of the suspects' administrative records, laptops, and phones as evidence.
- **Operational:** Massive disruption to the NoName057(16) hacktivist group and Russian disinformation botnets.
- **Reputational:** Exposure of Dutch hosting firms as fronts for state-sponsored interference.
## Indicators of Compromise
- **Network Indicators:**
  - ASN/infrastructure associated with Stark Industries (sanctioned).
  - Traffic originating from WorkTitans B.V. / THE.Hosting IP ranges.
  - Connectivity routes through Mirhosting (Almere/Frankfurt).
- **Behavioral Indicators:**
  - Rapid transition of assets between hosting entities following legal/sanction updates.
  - High-volume DDoS traffic patterns targeting EU government/utility infrastructure.
## Response Actions
- **Containment:** Physical seizure of 800 servers in Dronten and Schiphol-Rijk to immediately halt traffic.
- **Eradication:** Arrest of the 57-year-old director and 39-year-old connectivity lead.
- **Recovery:** Analysis of seized administrative records to identify further interconnected malicious actors.
## Lessons Learned
- **Sanction Evasion:** Malicious actors use "front" companies and shell entities to quickly re-home infrastructure once a specific brand is sanctioned.
- **Intermediary Responsibility:** Organizations acting as the "transport layer" (like Mirhosting) may inadvertently provide the bandwidth necessary for state-sponsored attacks if they do not perform rigorous "Know Your Customer" (KYC) checks.
## Recommendations
- **Enhanced KYC:** Hosting providers must implement stricter vetting for high-capacity clients, especially those with ties to sanctioned regions or those re-homing large server blocks.
- **Public-Private Cooperation:** Continued sharing of telemetry between connectivity providers and national investigators to identify command-and-control (C2) hubs.
- **Monitoring for Shell Activity:** Financial and security audits should flag newly created IT firms that suddenly acquire large-scale infrastructure formerly owned by sanctioned entities.
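The "Monitoring for Shell Activity" and "Rapid transition of assets" indicators above describe a screening heuristic; the following is an added example (not part of the original report) that applies it to constructed records. Entity names, dates and the documentation-only IP ranges are all made up for illustration; the thresholds `window_days` and `young_days` are assumed tuning values.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Transfer:
    prefix: str       # IP block or ASN that changed hands
    old_owner: str
    new_owner: str
    on: date          # date the ownership record changed


# Constructed sample data (fictitious entities, RFC 5737 documentation ranges).
SANCTIONS = {"SanctionedHost Ltd": date(2025, 5, 20)}            # entity -> sanction date
INCORPORATED = {"NewFront B.V.": date(2025, 6, 2),               # entity -> incorporation date
                "OldCarrier N.V.": date(2009, 3, 14)}
TRANSFERS = [
    Transfer("192.0.2.0/24", "SanctionedHost Ltd", "NewFront B.V.", date(2025, 6, 30)),
    Transfer("198.51.100.0/24", "SanctionedHost Ltd", "OldCarrier N.V.", date(2025, 7, 1)),
    Transfer("203.0.113.0/24", "OldCarrier N.V.", "NewFront B.V.", date(2025, 8, 15)),
]


def rehoming_alerts(transfers, sanctions, incorporated, window_days=180, young_days=365):
    """Return (prefix, new_owner, reasons) for transfers matching the re-homing pattern:
    the previous owner is sanctioned, the transfer happened within window_days after the
    sanction date, and the receiving entity is either newly incorporated (within young_days
    of the transfer) or has no incorporation record at all (a KYC gap worth reviewing)."""
    alerts = []
    for t in transfers:
        sanction_date = sanctions.get(t.old_owner)
        if sanction_date is None:
            continue  # previous owner not sanctioned: ordinary ownership change
        if not sanction_date <= t.on <= sanction_date + timedelta(days=window_days):
            continue  # transfer not in the post-sanction window
        reasons = [f"previous owner {t.old_owner} sanctioned on {sanction_date}"]
        inc = incorporated.get(t.new_owner)
        if inc is None:
            reasons.append("no incorporation record for new owner (KYC gap)")
        elif (t.on - inc).days <= young_days:
            reasons.append(f"new owner incorporated {inc}, {(t.on - inc).days} days before transfer")
        else:
            continue  # long-established recipient: does not fit the shell-company pattern
        alerts.append((t.prefix, t.new_owner, reasons))
    return alerts


if __name__ == "__main__":
    for prefix, owner, reasons in rehoming_alerts(TRANSFERS, SANCTIONS, INCORPORATED):
        print(prefix, "->", owner, ";", "; ".join(reasons))
```

Only the first constructed transfer is flagged: the sale to the long-established carrier and the later transfer from a non-sanctioned owner are treated as routine.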