Dutch Authorities Dismantle Stark Industries. The Rebrand Didn’t Save It.

The Short Version

• On May 22, 2026, Dutch FIOD investigators raided data centers in Dronten and Schiphol-Rijk, seizing 800 servers and arresting two men
• The target was Stark Industries Solutions Ltd., founded February 10, 2022, two weeks before Russia’s invasion of Ukraine
• Founded by brothers Ivan and Iurie Neculiti from Transnistria. Ivan also runs PQ Hosting (founded around 2019) and has been active in the bulletproof hosting business since at least 2008
• Infrastructure was used by NoName057(16), Sandworm, Callisto Group/SEABORGIUM, FIN7, and the Doppelganger disinformation campaign
• When the EU sanctioned Stark in May 2025, the brothers transferred the infrastructure to a new Dutch entity: WorkTitans B.V. / THE.Hosting
• Researchers confirmed it was the same physical hardware by matching JA4T fingerprints across both ASNs
• The arrest of a Mirhosting director signals that Dutch prosecutors treat infrastructure provision to sanctioned entities as a criminal act

On May 22, 2026, Dutch financial crime investigators (FIOD) raided data centers in Dronten and Schiphol-Rijk, seizing 800 servers along with laptops, phones, and administrative records. Two men were arrested: a 57-year-old company director and a 39-year-old who headed a connected internet connectivity firm. Both are charged with violating the Dutch Sanctions Act. Additional searches were conducted in Enschede and Almere. The operation was the culmination of a case that had been building since at least 2022 and a surveillance operation that researchers believe ran for the full year between EU sanctions in May 2025 and the physical seizure.

The Brothers Behind It

Stark Industries Solutions Ltd. was founded on February 10, 2022, fourteen days before Russia’s invasion of Ukraine. The company was a shell: its purpose, as founder Ivan Neculiti later explained, was to give resellers a neutral name so that “our IP addresses no longer show that they belong to PQ Hosting.”

Ivan Neculiti is the operational architect. Born in Bender, a city in Transnistria, the pro-Russian breakaway region of Moldova, he has been active in the bulletproof hosting business since at least 2008, selling “bulletproof servers for any purpose” on Russian cybercrime forums under the username “dfyz.” He founded PQ Hosting in Chisinau, Moldova around 2019, and had previously operated Morenehost, incorporated in the Seychelles and exposed in the Pandora Papers. PQ Hosting expanded to a footprint of 38+ countries with over 120,000 active customers. His younger brother Iurie Neculiti nominally controls Stark Industries Solutions on paper.

The CORRECTIV investigative newsroom, in a 2024 investigation titled “Hacks and Propaganda: Meet the Two Brothers Bringing Russia’s Cyber War to Europe,” documented the infrastructure in detail. CORRECTIV’s reporting on the Doppelganger disinformation campaign, which ran fake news sites targeting European audiences with Russian-aligned content, established that the infrastructure was hosted on Neculiti-controlled servers in the Netherlands, not on Russian soil.

What the Infrastructure Was Used For

Stark Industries was not a passive provider that failed to police its customers. Its infrastructure appeared consistently in attribution reports for operations conducted by or on behalf of Russian state actors and affiliates.

NoName057(16) is the most documented connection. The pro-Russian DDoS hacktivist group has gamified attacks on European targets, paying participants in cryptocurrency rewards to run its DDoSia botnet software. Spamhaus found that half of 48 detected NoName057 botnet control scripts over a two-month period in early 2024 were deployed on Stark Industries servers. NoName057 campaigns attributed to Stark infrastructure across 2023-2025 targeted European government, transport, and military infrastructure, including operations against Swiss federal services, German government and defence sites, Moldovan government websites, and Italian ministries during high-profile diplomatic visits.

Sandworm, the GRU-linked Russian military intelligence APT, used Stark servers to attack Ukrinform, Ukraine’s national news agency, in January 2023, according to Ukrainian government attribution.

Callisto Group (also tracked as SEABORGIUM), a Russia-aligned espionage group linked to the FSB by the UK government, used Mirhosting as a supporting host for phishing infrastructure targeting NGOs, think tanks, journalists, and defense officials, per Recorded Future’s December 2022 profile.

FIN7, the financially motivated cybercriminal group, was documented renting Stark IPs in 2024. Following discovery by security researchers, Stark cooperated with takedown efforts to remove the FIN7 infrastructure, the only documented instance of the company cooperating with abuse removal.

Beyond attack infrastructure, Stark’s network hosted 74 VPN services and 40 proxy services, including a significant share of Proxyline’s 1.6 million global proxy pool. Traffic analysis by Kentik’s Doug Madory found that 35% of traffic leaving Stark’s ASN was destined for Iran, the top destination by country, principally via VPN services routing Iranian users around the country’s internet blocks.

EU Sanctions and the Rebrand That Kept the Lights On

On May 20, 2025, the EU formally sanctioned Stark Industries Solutions, Ivan Neculiti, and Iurie Neculiti, imposing asset freezes and EU entry bans. The sanction package cited enabling Russian cyber operations and “destabilising hybrid activities targeting the EU and its partners.”

The Neculiti operation had advance warning. RFE/RL Moldova reported on May 8, 2025 that the brothers were slated for the upcoming sanctions package. Infrastructure migration began immediately. By May 16, 2025, four days before formal designation, ASN AS44477 had already been transferred to a newly created entity called PQ Hosting Plus S.R.L. Nine days after sanctions landed, on May 29, 2025, the public rebrand to THE.Hosting was announced. The legal entity behind it was WorkTitans B.V., registered in Enschede, Netherlands. IP prefixes migrated to a new ASN, AS209847, registered under WorkTitans.

The connection was not concealed at the network level. Augur Security, GreyNoise, and Recorded Future’s Insikt Group all documented the transfer. All newly created entities, including WorkTitans B.V., UFO Hosting LLC (a Moscow-based vehicle for the Russian portion of the traffic), and PQ Hosting Plus S.R.L., shared the same maintainer email in the RIPE database, attributed to a Russian network operator named Dmitrii Miasnikov. Recorded Future described the EU sanctions as “largely ineffective,” stating that “affiliated infrastructure remained operational and services were rapidly re-established under new branding, with no significant or lasting disruption.”

GreyNoise confirmed the continuity at the hardware level. Tracking both ASNs simultaneously from August to November 2025, they observed AS44477 declining while AS209847 ramped up. JA4T fingerprints, a forensic technique that identifies physical network hardware by its TCP packet characteristics (the fingerprint stays the same even when the corporate owner changes), showed identical signatures across both ASNs. Their conclusion: “Corporate paperwork may lie, but packets do not.”

Mirhosting and the Colocation Question

The 39-year-old arrested alongside the Stark director is the head of Mirhosting, a Netherlands-based hosting and connectivity provider founded in 2004. Mirhosting provided colocation and upstream peering for Stark Industries at Dutch data centers, including the same facility region raided on May 22. The Netherlands has been an active jurisdiction for hosting infrastructure takedowns, with Dutch police participating in the global LockBit ransomware seizure as part of Operation Cronos in February 2024.

Mirhosting’s operator had publicly characterized the relationship with Stark as a standard provider-customer arrangement and stated cooperation with Dutch authorities on NoName057 activity. The arrest suggests prosecutors did not accept that framing. For the hosting industry, the charge is the significant detail: providing colocation and connectivity to a sanctioned entity was treated as a violation of the Dutch Sanctions Act, not merely an abuse-handling failure. The question of where infrastructure provider liability begins and ends in a sanctions compliance context has rarely been tested at the criminal level. This case tests it.

The Year-Long Gap

The EU sanctioned Stark in May 2025. The physical seizure came in May 2026, exactly twelve months later. That gap was not inaction. GreyNoise tracked the full WorkTitans migration in real time from August through November 2025. Recorded Future published detailed analysis of the sanctions evasion in the same period. FIOD, which normally handles financial crimes and tax fraud, was the executing agency, reflecting a deliberate choice to pursue the case under sanctions law rather than cybercrime law. The year between designation and seizure appears to have been used to build a case around the evasion structure itself, with WorkTitans as the target rather than Stark.

The Neculiti brothers, both Moldovan nationals, were not among those arrested on May 22. Whether they face further proceedings, extradition requests, or separate charges has not been confirmed.