One of the two men arrested by Dutch investigators on May 18 is a concert pianist. The other is a business consultant. Together, authorities say, they ran a hosting company that provided servers, bandwidth, and tolerance to entities sanctioned by the European Union — and to infrastructure behind Russian cyberattacks and disinformation campaigns.

A hosting provider does not need to write malware to become part of the attack chain. Sometimes the most valuable service is bandwidth, routing, servers, and tolerance.

TL;DR

  • The Dutch Fiscal Information and Investigation Service (FIOD) arrested two suspects on May 18, 2026 and seized more than 800 servers in a sanctions investigation.
  • The official case concerns suspected indirect economic support to EU-sanctioned Russian and Belarusian entities.
  • Reporting and prior research connect the case to Stark Industries, WorkTitans B.V., THE.Hosting, and Mirhosting, but those details should be attributed carefully.
  • The defensive lesson is infrastructure intelligence: network ownership, IP ranges, colocation relationships, and rebrands matter as much as domains and malware hashes.

Why This Matters

Bulletproof hosting is infrastructure-as-a-service for abuse. A provider may host phishing kits, malware panels, DDoS (distributed denial-of-service) tooling, proxy services, VPN endpoints, or disinformation sites while responding slowly - or selectively - to complaints.

For defenders, this case is useful because it shows the business layer behind attack traffic. Malware can move. Domains can rotate. But network resources, corporate entities, upstreams, and colocation relationships leave longer trails.


What Is Confirmed

The Dutch Fiscal Information and Investigation Service (FIOD) says it arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague on May 18, 2026. Searches covered company premises in Enschede and Almere and data centers in Dronten and Schiphol-Rijk. Authorities seized administrative records, laptops, phones, and more than 800 servers.

FIOD says the suspects are accused of violating sanctions law by indirectly making economic resources available to entities sanctioned by the European Union. FIOD also says the investigated hosting company was founded on February 10, 2022, two weeks before Russia’s full-scale invasion of Ukraine, and was later used to facilitate destabilizing activity against the EU, including interference, cyberattacks, and disinformation.

The official statement does not name every company involved. BleepingComputer, citing De Volkskrant, identifies the Dutch entity as WorkTitans B.V., operating under THE.Hosting, and describes Mirhosting as a Dutch provider of physical servers, colocation, and high-capacity connectivity.

This creates two related but separate threads. The official Dutch case is a sanctions investigation: whether economic resources were indirectly made available to sanctioned Russian and Belarusian entities. The Denmark election angle comes from media reporting and Mirhosting’s own response to that reporting: allegations that infrastructure was connected to cyber activity around the Danish elections in late 2025. Those should not be collapsed into a single confirmed claim.


The Stark Industries Pattern

This did not appear out of nowhere. In September 2025, KrebsOnSecurity wrote that Stark Industries had evaded EU sanctions by rebranding and transferring assets to other corporate entities. Recorded Future’s Insikt Group separately assessed that Stark preempted the May 20, 2025 EU designation through infrastructure and organizational changes.

Recorded Future reported that after the sanctions, Stark-related operations rebranded to THE.Hosting under Dutch entity WorkTitans B.V., with AS209847 created on June 24, 2025. An Autonomous System Number (ASN) identifies a network on the internet and is useful for tracking routing-level infrastructure. RIPE refers here to the European regional internet registry, whose records can show organization and IP resource changes. Recorded Future’s assessment was direct: regional sanctions alone are not enough when a threat activity enabler can shift legal entities, RIPE resources, ASNs, and customer-facing brands.

That is the core lesson. Infrastructure providers can be disrupted only if investigators and defenders track the operational substrate, not just the brand name.


Mirhosting’s Position

Mirhosting published a statement on May 22, 2026 denying an active role in the alleged activity and saying it is cooperating with authorities. The company said it temporarily suspended services to WorkTitans because of the allegations.

Mirhosting also said it provided colocation services: physical server space, power, and network connectivity in a third-party data center. According to its statement, operational control of hardware, software, and data remained with the customer. The company further said its preliminary internal review found no signs that the services under its control were used to influence the Danish elections, and that it had not seen unusual traffic around the reported period.

That last point is important because it addresses the media-reported Denmark election allegation, not the entire sanctions case. Mirhosting’s claims should be treated as the company’s position, not as independent validation.


What Defenders Should Watch

Treat hosting infrastructure as a threat intelligence object, not just an IP list.

Track:

  • Autonomous System Numbers (ASNs) and upstream changes tied to suspicious providers.
  • RIPE organization objects, maintainers, and sudden transfers.
  • Rebrands that preserve the same prefixes, staff, customers, or abuse patterns.
  • High-volume DDoS, proxy, VPN, phishing, and malware hosting concentration by ASN.
  • Providers that appear repeatedly in incident response cases but rarely in normal business traffic.

Network controls should not rely only on domain blocklists. Add ASN reputation, first-seen infrastructure, hosting-provider clustering, and abuse-report history to triage. When a provider appears in multiple unrelated incidents, treat it as infrastructure risk.


What You Can Do Today

  1. Build infrastructure watchlists around ASNs, not just IPs or domains. When a provider rebrands, the ASN and IP prefixes often survive. Track those.
  2. Monitor RIPE for sudden resource transfers. Organization maintainer changes, new ASN registrations, and prefix transfers are early signals of rebrand activity.
  3. Flag traffic to providers with repeated abuse history — regardless of their current brand name. Colocation relationships outlast corporate identities.
  4. Preserve infrastructure evidence during incidents: IPs, ASNs, TLS certificates, DNS, HTTP headers, and hosting metadata.
  5. Avoid overclaiming attribution. Infrastructure overlap is a lead, not proof of actor identity.
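The watchlist steps above and the "Track" list in the previous section can be sketched in code. This is an added example, not code from any source cited in the article. It carries a watchlist entry over to a new ASN when most of a listed ASN's prefixes change origin, then triages destination IPs by longest-prefix match. All ASNs, prefixes, org handles, and the 50% threshold are constructed or assumed.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
WATCHLIST = {64500: "hypothetical provider with repeated abuse history"}
# prefix -> (origin ASN, registry org handle) before and after a rebrand
OLD = {"192.0.2.0/24": (64500, "ORG-EX1"), "198.51.100.0/24": (64500, "ORG-EX1"),
       "203.0.113.0/24": (64510, "ORG-OTHER")}
NEW = {"192.0.2.0/24": (64501, "ORG-NEW1"), "198.51.100.0/24": (64501, "ORG-NEW1"),
       "203.0.113.0/24": (64510, "ORG-OTHER")}

def inherit_watchlist(old, new, watchlist, min_share=0.5):
    """Extend the watchlist to ASNs that took over a listed ASN's prefixes."""
    moved = {}  # (old_asn, new_asn) -> prefixes that changed origin
    for prefix, (old_asn, _org) in old.items():
        new_asn = new.get(prefix, (None, None))[0]
        if old_asn in watchlist and new_asn not in (None, old_asn):
            moved.setdefault((old_asn, new_asn), []).append(prefix)
    derived = dict(watchlist)
    for (old_asn, new_asn), prefixes in moved.items():
        total = sum(1 for asn, _org in old.values() if asn == old_asn)
        if len(prefixes) / total >= min_share:  # most of the address space moved
            derived[new_asn] = (f"lead: took over {len(prefixes)}/{total} "
                                f"prefixes from AS{old_asn}")
    return derived

def lookup_asn(ip, table):
    """Longest-prefix match of an IP against a prefix -> origin table."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, (asn, _org) in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def triage(dest_ips, table, watchlist):
    """Return {ip: reason} for destinations whose origin ASN is watchlisted."""
    hits = {}
    for ip in dest_ips:
        asn = lookup_asn(ip, table)
        if asn in watchlist:
            hits[ip] = f"AS{asn}: {watchlist[asn]}"
    return hits

if __name__ == "__main__":
    dests = ["192.0.2.10", "203.0.113.7", "10.0.0.1"]  # constructed log sample
    print(triage(dests, NEW, WATCHLIST))                 # static list misses it
    print(triage(dests, NEW, inherit_watchlist(OLD, NEW, WATCHLIST)))
```

In practice the two tables would come from routing or registry snapshots taken at different dates. A derived entry is a lead for an analyst to review, in line with step 5.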

The seizure matters because it targets the layer attackers rent, reuse, and hide behind. Taking down a server is tactical. Mapping the hosting ecosystem is strategic.



Sources