Background on Bulletproof Hosting

Bulletproof hosting services are a cornerstone of modern cybercrime, offering clients a safe haven where malicious activities can be conducted without fear of takedown or law enforcement interference. Unlike legitimate hosting providers that comply with abuse reports and court orders, bulletproof hosts ignore or actively obstruct such requests, often operating from jurisdictions with lax cybercrime laws or using complex corporate structures to conceal their true owners. These services are frequently used by ransomware groups, state-sponsored hackers, and disinformation campaigns to host command-and-control servers, phishing sites, and malware distribution infrastructure.

The arrest of two Dutch nationals on May 18 highlights the ongoing effort by European law enforcement to dismantle these enabling networks. The Dutch Fiscal Information and Investigation Service (FIOD) announced that a 57-year-old man from Amsterdam and a 39-year-old man from The Hague were taken into custody for allegedly providing bulletproof hosting services to Russian threat actors, including the notorious DDoS-for-hire group NoName057(16). The group has been responsible for a series of disruptive attacks against critical infrastructure, media outlets, and government agencies across EU member states, often in retaliation for political statements or sanctions against Russia.

Details of the Arrest

According to FIOD, the suspects were arrested on May 18 following an extensive investigation that uncovered their roles in evading EU sanctions imposed in May 2025. The 57-year-old suspect is believed to be the owner and director of a Dutch company that acted as a front for a sanctioned web hosting provider. This sanctioned entity, created just two weeks before Russia's invasion of Ukraine, had been instrumental in facilitating disinformation, interference, and disruptive cyberattacks against EU members. After the imposition of sanctions, most of its technical infrastructure was transferred to the arrested suspect's company, allowing Russian actors to continue their operations with minimal disruption.

The second suspect, a 39-year-old from The Hague, is the director and owner of a firm that ensured the servers of the front company remained functional and online. Investigators conducted searches at three locations in Enschede and Almere, as well as at two data centers in Dronten and Schiphol-Rijk, seizing laptops, phones, and over 800 servers. FIOD did not initially name the suspects or their companies, but an eight-month investigation by the Dutch newspaper de Volkskrant revealed their identities as Youssef Z. and Andrey N., who allegedly provided services to Stark Industries, a web hosting provider founded by Moldovan nationals Iurie and Ivan Neculiti.

Stark Industries and EU Sanctions

Stark Industries was placed on the EU sanctions list in May 2025 for its role in enabling Russian state-sponsored and affiliated actors to conduct destabilizing activities, including information manipulation, interference, and cyber-attacks against the Union and third countries. The EU statement highlighted that the company had been used by threat actors such as NoName057(16) to launch distributed denial-of-service (DDoS) attacks and other types of disruptive operations. Following the sanctions, European citizens and entities were prohibited from aiding Stark, prompting the Neculiti brothers to restructure their company and move part of their activities to other intermediaries.

According to de Volkskrant, Andrey N. owns Mirhosting, which operated physical servers deployed at various data centers. These servers were rented to Stark Industries, providing the infrastructure for Russian hackers to target EU organizations. The 39-year-old suspect’s role was critical in maintaining server uptime and ensuring that the DDoS attacks could continue even as law enforcement pressure mounted. The 57-year-old suspect, on the other hand, operated a company called WorkTitans based in Enschede, which rented server space and resold it to obscure the real customers, making abuse detection extremely difficult. This practice is a hallmark of bulletproof hosting: by acting as a middleman, the hosting provider can claim ignorance of the client's activities while collecting fees for the services rendered.

Impact on European Cybersecurity

The arrests represent a significant blow to the infrastructure supporting Russian cybercrime operations in Europe. DDoS attacks, such as those launched by NoName057(16), can cripple websites, overwhelm networks, and disrupt essential services, causing millions of euros in losses. Moreover, the use of bulletproof hosting services allows threat actors to maintain a persistent presence even after their main domains are taken down, as they can quickly migrate to new IP addresses and servers. By dismantling the web of shell companies and intermediaries, law enforcement agencies aim to starve these threat actors of the resources they need to operate.

This case also underscores the importance of international cooperation and the role of investigative journalism in exposing such networks. The de Volkskrant investigation, which ran for eight months, provided critical insights that likely assisted FIOD in building its case. Similar operations in the past have led to the disruption of other bulletproof hosting services, such as the takedown of the 'Double VPN' service and the arrest of administrators behind the 'Crimenetwork' marketplace. While these actions do not eliminate the threat entirely, they raise the cost and risk for cybercriminals seeking bulletproof hosting, potentially forcing them to use less reliable or more expensive alternatives.

As cyberattacks continue to evolve, law enforcement agencies are increasingly focusing on the infrastructure layer. The seizure of over 800 servers in this operation not only disrupts current attacks but also provides valuable forensic data that could lead to further arrests. The FIOD has indicated that the investigation is ongoing and that more details may emerge as the suspects are questioned. The outcome of this case could set a precedent for how European nations handle similar operations, emphasizing that even indirect support for sanctioned entities and cybercriminal groups will be met with severe legal consequences.

In the broader context of the war in Ukraine, the use of bulletproof hosting services by Russian hackers has become a critical component of hybrid warfare. Disinformation campaigns that spread false narratives about the conflict, combined with cyberattacks on critical infrastructure, aim to undermine public trust and destabilize governments. By cutting off the financial and technical enablers of these operations, the EU and its member states hope to weaken Russia's ability to conduct such activities in the future. While the arrests of Youssef Z. and Andrey N. are a step in the right direction, experts warn that the ecosystem of bulletproof hosting is vast and resilient, with many players still operating in the shadows. Continued vigilance and cross-border collaboration will be essential to stay ahead of these threats.

Source: SecurityWeek News