The Netherlands’ Fiscal Intelligence and Investigation Service, known as the FIOD, seized more than 800 servers in coordinated raids on May 18, targeting a web hosting operation with suspected ties to Russian cyberattacks, disinformation campaigns, and sanctions evasion.

Two individuals were arrested. Youssef Zinad, a 57-year-old from Amsterdam linked to a company called WorkTitans B.V. (operating under the name THE.Hosting), and Andrey Nesterenko, a 39-year-old from The Hague associated with MIRhosting. The raids hit data centers in Dronten and Schiphol-Rijk, with additional searches carried out at business locations in Enschede and Almere.

A sanctions evasion playbook, dismantled

The investigation centers on a Dutch front company that allegedly picked up where a sanctioned entity left off. Stark Industries Solutions was hit with EU sanctions in May 2025 for facilitating what European authorities described as Russian hybrid warfare operations. Think DDoS attacks, malware distribution, and coordinated disinformation, the digital toolkit of geopolitical aggression.

WorkTitans B.V. allegedly absorbed Stark’s assets after those sanctions landed. The FIOD’s case suggests this wasn’t a subtle pivot. It was allegedly the same servers, the same operations, the same clients, just wearing a fresh corporate mask.

The seized infrastructure is believed to have enabled cybercriminal operations run by pro-Russian groups. That includes DDoS attacks, which flood websites and systems with junk traffic to knock them offline, and other malicious programs used in broader information warfare campaigns tied to Russia’s ongoing actions in Ukraine.

This latest operation also isn’t the FIOD’s first move on this network. Back in November 2025, Dutch authorities confiscated approximately 250 servers in a separate but related cybercrime investigation. The May 2026 action, more than tripling the scale of the prior raid, signals a sustained campaign to dismantle these networks rather than just disrupt them.

The bulletproof hosting problem

At the center of this case is a business model that cybersecurity researchers have been warning about for years: bulletproof hosting. These are hosting providers that, by design or negligence, look the other way when their clients engage in illegal activity. They resist takedown requests, ignore abuse complaints, and offer a safe harbor for everything from phishing operations to state-sponsored cyberattacks.

What this means for investors in digital infrastructure

The regulatory logic being applied here, that corporate restructuring can’t be used to dodge sanctions, has direct parallels to enforcement trends in crypto. European regulators have been increasingly willing to look through corporate structures to find the beneficial owners and operators of sanctioned infrastructure.

The Markets in Crypto-Assets Regulation (MiCA) framework already imposes obligations on crypto service providers to screen for sanctioned entities. As enforcement actions like this one establish clearer precedents for what sanctions evasion looks like in the hosting context, expect similar standards to tighten around crypto infrastructure providers.

The November 2025 raid grabbed 250 servers. Six months later, the FIOD came back for 800 more. Anyone building or investing in hosting services, validator infrastructure, or data center capacity in European jurisdictions should be mapping their compliance exposure accordingly.