Dutch financial crime investigators from the FIOD (Fiscale Inlichtingen- en Opsporingsdienst) arrested two men and seized 800 servers in a coordinated operation on May 22, 2026, targeting a web hosting company accused of serving as a front for Russian and Belarusian entities under EU sanctions. The action marks one of the largest server seizures in a European cybercrime operation tied directly to sanctions evasion.

The hosting firm at the center of the case is WorkTitans B.V., which operated publicly under the brand THE.Hosting. Dutch prosecutors allege WorkTitans was created as a shell company to provide continued access to European hosting infrastructure for Stark Industries — a firm that had been sanctioned by the European Union after its infrastructure was repeatedly linked to cyberattacks, interference operations, and disinformation campaigns.

Stark Industries: From Sanctioned to Rebranded

The timeline here is telling. Stark Industries was founded on February 10, 2022 — roughly two weeks before Russia’s full-scale invasion of Ukraine. Over the following two years, its infrastructure became a documented resource for pro-Russian cyber activity. When the EU added Stark Industries to its sanctions list, the firm’s response — according to Dutch prosecutors — was not to shut down but to transfer its infrastructure to WorkTitans and continue operations under a new name.

The two men arrested reflect the operational structure of that workaround. A 57-year-old — the company director of WorkTitans — and a 39-year-old who headed a separate firm that provided the actual internet connectivity. Together they allegedly provided the operational foundation that kept Stark Industries’ capabilities available to sanctioned Russian and Belarusian entities even after the EU designation.

FIOD’s charges center on violations of EU sanctions regulations — specifically providing economic resources to sanctioned entities — rather than on the cyberattacks themselves. This is consistent with how European prosecutors have approached sanctions evasion cases: target the financial and corporate infrastructure rather than attempting to prosecute the underlying cyber operations, which would require different evidentiary standards and often different jurisdictions.

The NoName057(16) Connection

The practical consequences of this infrastructure weren’t abstract. Danish authorities and infrastructure providers linked WorkTitans to attack traffic from NoName057(16), the pro-Russian hacktivist group that has conducted sustained DDoS campaigns against European government agencies, critical infrastructure operators, and media organizations since early 2022.

NoName057(16) operates a volunteer DDoS platform called DDoSia — a crowdsourced attack tool that coordinates individual participants to amplify attack volume. The group has targeted organizations across NATO member states, framing its attacks as retaliation for support of Ukraine. Having reliable hosting infrastructure inside the EU, operated by entities that appeared to be legitimate Dutch businesses, gave the group both technical cover and a more stable platform than servers based in Russia or Belarus would provide.

The link to NoName057(16) elevates this from a sanctions evasion case to something with direct consequences for European critical infrastructure security.

The Raids

FIOD conducted simultaneous operations across multiple locations. Raids hit data centers in Dronten and Schiphol-Rijk — major colocation facilities where THE.Hosting’s servers were physically located. Searches were also conducted in Enschede and Almere, where the suspects were based.

In addition to the 800 servers, investigators seized laptops, mobile phones, and administrative records. The administrative records are likely the most forensically valuable: they may document the ownership chain back to Stark Industries and its principals, the financial flows that connected WorkTitans to sanctioned entities, and the client list for THE.Hosting’s services.

800 servers is a significant physical footprint. For context, large ransomware operations and criminal hosting providers typically run hundreds of servers; a 800-server seizure represents substantial operational capacity being removed from the criminal ecosystem in a single operation.

The Sanctions Evasion Pattern

This case fits a pattern that European prosecutors have identified and are increasingly targeting: Russian-affiliated cyber infrastructure using EU-based shell companies to evade sanctions. The model works because EU-based hosting provides lower latency for attacks targeting European organizations, greater legitimacy when victim networks attempt to block traffic by geography, and protection from the kind of unilateral infrastructure takedowns that Russian-hosted servers are vulnerable to when Western governments apply pressure on ISPs and hosting registrars.

The legal vulnerability of this model is the sanctions connection itself. Proving that a Dutch company provided services to a sanctioned Russian entity is a lower evidentiary bar than proving that servers hosted an attack — and it’s a charge that can be brought in European courts against defendants who can actually be arrested.

The two men arrested will face proceedings under Dutch law. Any intelligence gathered from the 800 seized servers will feed investigations in multiple countries with jurisdiction over the activities those servers supported.

Sources