Source: Krebs on Security — https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/
The seizure targets infrastructure, not just two suspects#
Dutch authorities have arrested the co-owners of two related Internet hosting companies and seized about 800 servers, according to Krebs on Security. The allegation is direct: the companies operated IT infrastructure used by Russia for cyberattacks, influence operations, and disinformation campaigns inside the European Union.
The names matter less than the pattern. Krebs ties the arrests to a 2025 investigation into how these hosting companies had taken over technical infrastructure from Stark Industries Solutions, an Internet service provider sanctioned by the European Union last year. The EU described Stark as a frequent staging ground for cyber activity linked to Russian intelligence agencies.
That makes this a continuity case. If the reporting and law-enforcement claims hold, the issue was not a single bad provider going dark. It was the migration or absorption of infrastructure from a sanctioned operator into related hosting entities that could keep parts of the same ecosystem alive.
For defenders, that is the practical point. Sanctions, takedowns, and seizures are only as strong as the follow-up mapping around ownership, customers, routing, IP space, reseller relationships, and operational control. Hosting abuse often survives by moving sideways before anyone outside the investigation has a clean public picture.
Why hosting providers are hard targets#
Infrastructure providers sit in a gray operating layer. A server can host ordinary customer workloads, criminal tooling, proxy relays, command-and-control nodes, phishing kits, botnet panels, fake media sites, or influence infrastructure. The machine itself rarely announces which role is decisive.
That ambiguity is why hosting cases are harder than simple malware stories. A provider can claim customer abuse, weak onboarding, resale opacity, or limited visibility. Investigators need to show more than the existence of bad traffic. They usually need evidence of knowledge, control, repeated tolerance, direct facilitation, or coordination.
The Krebs report says the Dutch action involved the co-owners of two related hosting companies. It also says authorities seized hundreds of servers. Those facts suggest investigators believed the infrastructure layer itself was central enough to disrupt physically or administratively, not just block at the edge.
Still, the public record in the source material does not prove the full legal case. Arrests and seizures are not convictions. The stronger statement is narrower: Dutch authorities are treating these providers as part of the support structure for Russian state-linked cyber and influence activity, and they acted at scale.
The Stark Industries connection is the important signal#
The most useful detail is the alleged link to Stark Industries Solutions. Krebs previously reported that the now-targeted companies had assumed control over Stark’s technical infrastructure. Stark had already been sanctioned by the EU as a recurring platform for Russian intelligence-linked cyber operations.
That kind of succession matters. Bad infrastructure does not always disappear when a company is sanctioned or exposed. It can be reannounced under different networks, managed through a new legal entity, sold to a nearby operator, or kept alive through the same people and customers with cleaner paperwork.
This is why defenders should be cautious about treating sanctions lists as static blocklists. A sanctioned name is a lead, not the whole map. The operational question is what happened next: where the IP ranges moved, who originated the routes, which autonomous systems changed behavior, which domains re-pointed, and which abuse clusters stayed intact.
If the Dutch case is built around inherited or controlled infrastructure from Stark, it shows a mature enforcement angle. Rather than only naming a bad node, authorities appear to have followed the technical afterlife of that node.
Why ordinary users and companies should care#
This is not only a state-on-state story. Infrastructure used for espionage and influence operations often overlaps with infrastructure used for credential theft, malware hosting, spam, proxy abuse, and phishing. The same permissive hosting conditions that help intelligence-linked operators can also help financially motivated crews.
Companies in Europe should care because local or regional hosting does not automatically mean clean hosting. Abuse-friendly infrastructure may sit inside familiar jurisdictions, use ordinary-looking providers, and blend into normal traffic until a campaign gives it away.
For security teams, the immediate value is not panic. It is review.
Check whether your environment has recent connections to networks, domains, or hosting entities named in the Krebs reporting or later Dutch law-enforcement releases. Do not rely only on company names. Look at ASN history, IP ownership changes, passive DNS, TLS certificate reuse, and recurring infrastructure fingerprints.
For media, civil society, and election-related organizations, the influence-operation angle matters. Infrastructure used for disinformation is not always technically exotic. It may support fake sites, bot traffic, account infrastructure, amplification services, or credential operations against people who manage public narratives.
What not to overclaim#
The source material does not establish every campaign allegedly supported by the seized servers. It does not provide a complete technical inventory of the 800 servers. It does not show, by itself, how much of the infrastructure was active at the time of seizure or what portion was tied to Russian intelligence operations versus other abuse.
It also does not mean every customer of the affected hosting companies was malicious. Bulk infrastructure seizures can sweep through shared environments. Until more technical indicators or court documents are public, defenders should avoid broad attribution from provider association alone.
The careful claim is enough: Dutch authorities disrupted a large hosting footprint and arrested two operators they accuse of enabling Russian cyberattacks, influence operations, and disinformation activity in the EU. Krebs connects the case to a previously sanctioned provider, Stark Industries Solutions, and to the broader problem of hostile infrastructure surviving through related operators.
What to watch next#
The next useful evidence will be technical, not rhetorical.
Security teams should watch for published indicators from Dutch authorities, EU bodies, trusted incident responders, and Krebs follow-up reporting. Network operators should watch BGP movement around any named autonomous systems or IP ranges. Abuse desks should preserve recent complaints and logs involving the providers if they are relevant to active investigations.
The strongest public outcome would be a clearer map of the infrastructure chain: which companies controlled what, how Stark-linked assets changed hands, which services were active, and which campaigns depended on the seized systems.
Until then, the lesson is already visible. Infrastructure enforcement has to follow continuity, not branding. A sanctioned provider can vanish from the press release and still survive in routing tables, customer panels, and adjacent corporate shells. That is where the real cleanup starts.