Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled

On 2026-05-18 the Dutch Fiscal Information and Investigation Service (FIOD) arrested two suspects — a 57-year-old man from Amsterdam and a 39-year-old man from The Hague, both connected to bulletproof-hosting operators (WorkTitans B.V. and MIRhosting) named in the related corroborating coverage — raiding four locations including data centres in Dronten and Schiphol-Rijk plus the suspects' residences in Enschede and Almere, and seizing 800 servers, laptops, phones and administrative records (FIOD, 2026-05-22 · BleepingComputer, 2026-05-22 · DutchNews.nl, 2026-05-22). The charges are filed under the Dutch Sanctions Act: the two firms are accused of sustaining bulletproof hosting infrastructure for Stark Industries Solutions Ltd, designated by the EU in May 2025 for facilitating Russian and Belarusian destabilisation operations. Recorded Future's Insikt Group had already documented the sanctions-evasion playbook last year — Stark Industries migrated its ASN (AS44477) to AS209847 (WorkTitans) and rebranded the operating brand to THE.Hosting while retaining the same RIPE maintainer objects under Dmitrii Miasnikov, a transparent shell concealing ownership continuity (Recorded Future Insikt Group, 2025-06).

This is one of the first publicly reported criminal enforcement actions in the EU directed at a bulletproof hoster acting as a proxy for a designated Russian entity, and the operational nexus to Switzerland is direct: per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns against EU and NATO member-state websites — Swiss federal and cantonal public-sector sites included. Defender vantage: the seized intelligence will generate lead packages on the criminal-customer book, but the immediate hunt value is at network level. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) IP space has appeared in blocklist feeds since mid-2024; review ingress rate-limiting and scrubbing SLAs for any remaining traffic from this AS pair and from BGP-adjacent peers, and re-check application-layer rate limits on the citizen-facing portals NoName057(16) historically targeted.

Why it matters to us: Swiss public-sector portals have been a recurring NoName057(16) target; the takedown is a chance to re-baseline scrubbing capacity and re-check AS-level blocklists, not a sign that the threat is over (DDoS-for-hire reorganises quickly).