Dutch Raid Fails to Dent Russian Bulletproof Host
Recorded: May 28, 2026, 9:01 p.m.
Dutch law enforcement seized 800 servers and arrested two operators of THE.Hosting but left the hosting provider's core IP address space intact.

By Jai Vijayan, Contributing Writer. May 28, 2026. 4 Min Read. Source: Viktollio via Shutterstock

A recent Dutch law enforcement operation to dismantle a bulletproof hosting network appears to have done little to disrupt its ongoing malicious activity, highlighting the resilience of modern cybercriminal infrastructure against takedown efforts.

On May 18, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers and arrested two people connected to THE.Hosting, a network tied to Russian cybercrime and influence operations in the European Union.

THE.Hosting Scanning Activity Continues Unabated

But more than a week later, scanning activity from the network has remained at almost the same levels as before, according to researchers at Prague-based threat intelligence firm ELLIO.

"The traffic is broad, opportunistic attack and botnet-building," ELLIO said in a report this week. "It recruits Internet-of-Things devices into botnets, drops cryptominers and self-replicating bots, steals cloud credentials, exploits exposed web applications, and abuses proxy capacity to attack third parties."

THE.Hosting is the latest incarnation of a bulletproof hosting network that researchers trace back to infrastructure originally controlled by a Russian individual registrant in 2022. Shortly after Russia invaded Ukraine in February 2022, the individual transferred the network's autonomous system number (ASN), AS44477, to a newly incorporated company called Stark Industries Solution. An ASN is a number assigned to a network's block of IP addresses that tells the rest of the Internet how to route traffic to and from those addresses.

When the EU sanctioned Stark Industries in 2025, the operators transferred AS44477 to another newly created entity called PQ Hosting Plus S.R.L.
They later rebranded it yet again, to THE.Hosting, and moved operations to a new network, AS209847, under a Dutch company called WorkTitans B.V. The net effect of all the maneuvering was a Russian bulletproof hosting network sitting inside EU data centers, with traffic reaching the Internet from a legitimate Dutch company rather than from Russia, ELLIO said.

"The company history reads like a relay race run to stay ahead of sanctions," the threat intelligence firm said in an accompanying blog post. "In our honeypot telemetry, this corporate relay shows up cleanly as a migration across autonomous systems, the numbered networks that announce IP address space to the internet."

The old Stark/PQ network drove the scanning through the summer of 2025, according to ELLIO, and "threw one last enormous punch" on Aug. 30. After it faded, THE.Hosting suddenly ramped up in its place, generating more than two million scanning sessions per month in November and December 2025.

A Resilient and Resourceful Adversary

A bulletproof hosting (BPH) service knowingly provides its infrastructure to cybercriminals, ransomware operators, and other threat actors. Such services typically operate across multiple jurisdictions, ignore abuse complaints, and do not cooperate with law enforcement, making it difficult for authorities to act against the criminals renting their infrastructure. Cybercriminals use them to host malware, run botnets, distribute spam, and conduct cyberattacks while avoiding takedown efforts.

According to ELLIO, threat actors using the old Stark/PQ network were mainly focused on finding systems with weak or default passwords across services such as web servers, SSH, FTP, and Windows file shares. The scanning activity associated with THE.Hosting is broader and more concerning because it also targets databases and industrial control systems (ICS).
ELLIO researchers said they observed probes for exposed MongoDB, Redis, PostgreSQL, and Oracle databases alongside scans for DNP3 and EtherNet/IP, protocols commonly associated with power grids, water systems, and other industrial facilities.

Vlad Iliushin, CEO of ELLIO, says the operators of Stark Industries, PQ Hosting, and THE.Hosting have been publicly tied to repeated distributed denial-of-service (DDoS) attacks on European critical infrastructure. They have also been linked to disinformation campaigns, including activity attributed to the pro-Russian group NoName057(16) and the attacks on Danish government systems during the November 2025 elections.

Iliushin points to two reasons why the recent Dutch law enforcement operation has had little effect on THE.Hosting. First, taking physical servers off the rack doesn't take away the address space those servers were using, he says. "The blocks are still allocated to the operator by the Regional Internet Registry for Europe, [are] still announced via BGP, and as soon as the operator puts new hardware behind those addresses in another data center, in another country, the scanning resumes," Iliushin says, adding that Dutch authorities seized what they could legally seize, but there was no BGP blackholing.

The other reason is that THE.Hosting's address blocks, registered under the Dutch firm WorkTitans B.V., are geolocated across the Netherlands, the United States, Germany, Finland, Turkey, the UK, France, Moldova, Poland, Kazakhstan, Czechia, and Latvia. "So, the scans we observe are originating from the address blocks assigned to AS209847 but are not necessarily coming from the Netherlands," he says.

The best-case scenario for taking down an operation like THE.Hosting would be collaboration between law enforcement agencies across the European Union and the US to blackhole all address space belonging to AS209847, Iliushin notes.
"The FIOD raided servers in Dutch data centers, which means the infrastructure hosted by THE.Hosting and its customers in the Netherlands was affected," he says. "[But] just like legitimate hosting providers, THE.Hosting is reselling VPS in multiple countries, not only in the Netherlands. Infrastructure hosted in other countries is unaffected."About the AuthorJai VijayanContributing WriterIllinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies. Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee. 
Summarized

A recent law enforcement operation by the Netherlands Ministry of Finance's fiscal crime service (FIOD) resulted in the seizure of over eight hundred servers and the arrest of two individuals connected to THE.Hosting, a network linked to Russian cybercrime and influence operations within the European Union. However, this action failed to disrupt the network's ongoing malicious activities, underscoring the resilience of modern cybercriminal infrastructure against takedown efforts. The core issue highlights how bulletproof hosting services knowingly provide infrastructure to cybercriminals, allowing threat actors to host malware, manage botnets, distribute spam, and conduct attacks while evading legal action by ignoring abuse complaints and refusing cooperation with law enforcement.

The infrastructure behind THE.Hosting demonstrates sophisticated maneuvers designed to circumvent sanctions, involving a complex migration of Autonomous System Numbers (ASNs). The network traced back to infrastructure originally controlled by a Russian individual registrant in 2022, which subsequently transferred its ASN, AS44477, to Stark Industries Solution following Russia's invasion of Ukraine. This ASN was then transferred again to PQ Hosting Plus S.R.L. during the 2025 EU sanctions, and eventually to THE.Hosting, which relocated operations under the entity WorkTitans B.V. and a new ASN, AS209847, moving operations to a network based in the Netherlands. Threat intelligence researchers noted that this corporate relay demonstrated a strategic migration across autonomous systems to maintain operational continuity, highlighting a system designed to stay ahead of sanctions.

Despite the law enforcement intervention, scanning activity from the network remained largely unaffected, indicating that the physical seizure of servers did not eliminate the threat. Researchers from ELLIO observed that the scanning activity continued at nearly the same levels, suggesting the resilience of the infrastructure. The scanning was characterized as broad, opportunistic, and focused on botnet creation, cryptomining, credential theft from web servers, SSH access, FTP transfers, and Windows file shares. More concerningly, the scanning probes extended to databases and protocols associated with industrial control systems, including DNP3 and EtherNet/IP, which are commonly used in power grid and water systems.

The persistence of the activity is attributed partly to the decentralized nature of the infrastructure. Threat intelligence firm researchers noted that while physical servers were seized in Dutch data centers, the address space blocks were allocated to the operator by the Regional Internet Registry for Europe and announced via BGP. As operators migrated to new hardware in different countries, scanning resumed. Furthermore, the address blocks were geolocated across numerous European and international jurisdictions, including the Netherlands, the United States, Germany, and numerous other countries. This dispersion meant that the observed scans originated from these varied address blocks, not necessarily from the location of the physical seizure. The researchers concluded that the best approach for dismantling such operations would require collaboration between law enforcement agencies across the European Union and the United States to implement comprehensive BGP blackholing across all relevant address spaces.