Flash Briefing | high | Critical Infrastructure | Communications

Dutch Authorities Seize 800 Servers Tied to Russian Cyber-Attack Infrastructure

Dutch financial crime investigators have arrested two suspects and seized more than 800 servers connected to Stark Industries, a hosting network that threat intelligence researchers have linked to pro-Russian DDoS campaigns, disinformation operations, and attacks against European government and critical infrastructure targets.

The Dutch FIOD (Financial Intelligence and Investigation Service) confirmed it searched three business premises in Enschede and Almere and two data centres at Dronten and Schiphol-Rijk, seizing servers, laptops, phones, and administrative records. Authorities said the suspects had supported Russian and Belarusian entities under EU sanctions, and that the infrastructure was used to destabilise EU member states through cyberattacks, interference operations, and the spread of disinformation.

Background on Stark Industries

Stark Industries was founded on 10 February 2022 — two weeks before Russia’s invasion of Ukraine — by Ivan Neculiti, a Moldovan national from the Transnistria region, with his brother Iurie as a director. Investigations by multiple European outlets and intelligence assessments have alleged links between the Neculiti brothers and Russian intelligence services, claims both have denied.

The hosting provider built up a significant infrastructure footprint and carried large volumes of traffic associated with pro-Russian cyber operations, including activity from the hacktivist group NoName057(16). That group, which positions itself as retaliating against countries perceived as hostile to Russia, has conducted sustained DDoS campaigns against government websites, transport operators, financial services, and critical infrastructure across NATO member states since 2022.

When the EU imposed sanctions against Stark Industries in May 2025, operators did not cease operations. According to Dutch investigators and reporting by De Volkskrant and Danish broadcaster DR, infrastructure was transferred to two Dutch companies — WorkTitans B.V. in Enschede, controlled by a 57-year-old suspect, and Mirhosting in Almere — as a sanctions evasion mechanism. IP addresses previously associated with Stark and used in NoName057(16) DDoS attacks against Danish government targets were traced directly to WorkTitans after the transfer.

Nine days after the EU sanctions took effect, one of Neculiti’s internet companies changed its name to THE.Hosting — the same name under which WorkTitans operates its hosting services.

What this means for affected sectors

The primary targets of the NoName057(16) operations routed through this infrastructure have been European government services, transport sector websites, financial institutions, and port operators. DDoS attacks attributed to the group have disrupted public-facing services rather than compromising internal networks, but the volume and persistence of the campaigns have caused service unavailability during sensitive periods — including elections, diplomatic events, and military aid announcements.

The seizure removes a significant slice of the operational infrastructure supporting these campaigns. However, pro-Russian hacktivist groups have demonstrated a consistent ability to reconstitute after disruptions, moving to alternative hosting providers in jurisdictions with weaker enforcement. The pattern observed with Stark Industries — establishing legitimate-appearing companies in EU member states to circumvent sanctions — is likely to be repeated.

Organisations in sectors historically targeted by NoName057(16) — government, financial services, transport, and public-sector communications — should review their DDoS mitigation posture regardless of this disruption.

Specific steps worth taking now:

  • Confirm that DDoS protection is active and appropriately scaled for volume-based attacks targeting public-facing services
  • Review allowlisting and rate-limiting configurations for critical APIs and authentication endpoints, which are frequently targeted alongside homepage disruption
  • Verify that incident response plans cover service degradation scenarios, not just data breach scenarios — DDoS impacts operational continuity rather than data security, and requires a different response playbook
  • Flag Stark Industries IP ranges and related infrastructure in threat intelligence platforms; some of these may continue appearing in attack traffic as operators migrate to new providers
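One way to act on the last step, shown as an added example that is not part of the original briefing: match web access-log source addresses against a labelled CIDR watchlist and split the hits into authentication endpoints and other paths. The ranges are RFC documentation placeholders standing in for ranges exported from a threat intelligence platform; the log lines, range labels and `AUTH_PATHS` are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Placeholder watchlist: RFC 5737 / RFC 3849 documentation ranges stand in for
# the provider ranges exported from your threat intelligence platform.
WATCHLIST = {
    "192.0.2.0/24": "watchlist-range-A (placeholder)",
    "198.51.100.0/25": "watchlist-range-B (placeholder)",
    "2001:db8:50::/48": "watchlist-range-B v6 (placeholder)",
}

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.17 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.17 - - [01/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.200 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512
2001:db8:50:1::9 - - [01/Jan/2025:10:00:02 +0000] "POST /api/token HTTP/1.1" 429 0
203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 900
not-an-ip - - [01/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 400 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
AUTH_PATHS = ("/login", "/api/token")  # assumed authentication endpoints


def watchlist_hits(log_text, watchlist=WATCHLIST, auth_paths=AUTH_PATHS):
    """Count requests per watchlisted range, split into auth vs. other paths."""
    nets = [(ipaddress.ip_network(cidr), label) for cidr, label in watchlist.items()]
    hits = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            src = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            src = None
        if src is None:
            skipped += 1  # malformed line or non-IP client field
            continue
        for net, label in nets:
            # Compare only within the same address family.
            if src.version == net.version and src in net:
                kind = "auth" if m.group(3).startswith(auth_paths) else "other"
                hits[label][kind] += 1
                break
    return {label: dict(c) for label, c in hits.items()}, skipped
```

The third sample line falls outside the `/25` boundary and is not counted, which is why ranges should be matched as networks rather than by string prefix.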

The Dutch enforcement action is a meaningful disruption. It is not the end of the infrastructure story.