The Dutch Fiscal Information and Investigation Service (FIOD) has arrested two men and seized 800 servers linked to web hosting companies that provided infrastructure for Russian-linked cyberattacks, influence operations, and disinformation campaigns targeting the European Union. The arrests, announced on 22 May 2026, represent one of the largest law enforcement actions against cyber-enabling infrastructure in Europe this year.

The investigation centres on Stark Industries Solutions, a web hosting firm founded on 10 February 2022 - shortly before Russia's invasion of Ukraine. According to investigators, Stark Industries provided hosting services that supported actions by the Russian Federation intended to undermine democracy and security within the EU, including through information manipulation and disruption of public and economic systems. After Stark Industries was sanctioned by the EU in May 2025, its infrastructure was transferred to two Dutch front companies - WorkTitans BV (Enschede) and MIRhosting (Almere) - to continue operations in circumvention of the sanctions regime.

The two men arrested - a 57-year-old from Amsterdam and a 39-year-old from The Hague - are suspected of violating Dutch sanctions laws. The seized servers hosted infrastructure used for DDoS attacks, ransomware operations, phishing campaigns, and coordinated disinformation activities. The operation underscores the growing regulatory and law enforcement focus on the enablement layer of cybercrime - the hosting providers, registrars, and infrastructure operators that make large-scale cyber operations possible.

For organisations across Europe, the case is a reminder that threat actors rely on commercial infrastructure to operate, and that the distinction between criminal hosting and legitimate services can be deliberately blurred. The involvement of sanctioned entities operating through front companies also has compliance implications for any organisation that unknowingly contracts with such providers.

Acompli perspective: This case sits at the intersection of cybersecurity, sanctions compliance, and supply-chain risk. Organisations should ensure their third-party risk assessments extend to infrastructure providers - not just application-layer processors - and that their due diligence processes can identify corporate structures designed to obscure sanctioned ownership. A risk management framework that treats hosting and infrastructure providers as part of the data protection supply chain, rather than a procurement-only concern, is increasingly essential.