Dutch financial crime investigators executed raids at data centers in Dronten and Schiphol-Rijk on May 22, 2026, seizing 800 servers, laptops, phones, and administrative records from the hosting company known as WorkTitans B.V. — which operated as THE.Hosting — and arresting a 57-year-old company director and a 39-year-old internet connectivity provider linked to the firm.
FIOD Raids Dronten and Schiphol-Rijk, Seizes 800 Servers from WorkTitans
The Dutch Fiscal Information and Investigation Service (FIOD) coordinated the simultaneous operations against the two data center locations. WorkTitans B.V. was identified by investigators as a successor entity created to continue operating the infrastructure of Stark Industries after EU sanctions were placed on that entity.
Stark Industries was founded on February 10, 2022 — two weeks before Russia’s invasion of Ukraine — and was placed under EU sanctions on May 20, 2025 for supporting Russian information warfare operations. WorkTitans was incorporated after the sanctions to continue running the same infrastructure under a new corporate name, allowing the underlying hosting business to circumvent the sanctions by operating under a different legal entity.
WorkTitans Infrastructure Linked to NoName057(16) DDoS Campaigns
Danish authorities and infrastructure providers linked the seized server infrastructure to NoName057(16), a pro-Russian hacktivist collective responsible for large-scale distributed denial-of-service campaigns against European government websites, transportation systems, and critical infrastructure across NATO member states. The connection between the hosting infrastructure and the DDoS operations forms part of the basis for the FIOD investigation.
The two arrested suspects face charges of violating EU sanctions legislation by indirectly providing economic resources to Russian and Belarusian sanctioned entities — the sanctions-violations charges rather than direct cybercrime charges reflect the legal strategy deployed here. Direct attribution of specific cyberattacks to individuals is legally complex to prosecute in European criminal courts, whereas demonstrating that suspects knowingly operated infrastructure in circumvention of EU sanctions against named entities is a more direct evidentiary path.
Sanctions Prosecution as a Tool Against Russian Cyber Infrastructure
The FIOD action follows a broader European law enforcement approach in which disrupting the financial and corporate infrastructure supporting Russian cyber operations is treated as a parallel objective alongside direct cybercrime prosecution. Bulletproof hosting providers that shield C2 servers, DDoS attack infrastructure, and disinformation campaign assets from takedown have been a persistent challenge for law enforcement because they operate in jurisdictions that provide legal cover or simply ignore requests from Western agencies.
How WorkTitans Continued Stark Industries Operations After EU Sanctions
WorkTitans’ corporate structure was designed specifically to maintain continuity of operations after the sanctions cut off Stark Industries. By creating a new entity with new directors while continuing to operate the same physical infrastructure at the same data center locations, the scheme allowed the underlying hosting business to continue serving sanctioned entities without directly triggering the asset freeze provisions against Stark Industries. The FIOD charges address that specific evasion mechanism, making the sanctions violation itself the prosecutable act.
The seizure removes approximately 800 servers from the bulletproof hosting ecosystem. Threat intelligence firms had previously documented Stark Industries infrastructure appearing in reports covering C2 servers, DDoS attack infrastructure, and disinformation campaign assets.
