On May 18, the Dutch Fiscal Information and Investigation Service (FIOD) raided two data centers in Dronten and Schiphol-Rijk, as well as three office locations, seizing over 800 servers and arresting a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. The two men are the founders of hosting companies WorkTitans and MIRhosting respectively, suspected of violating EU sanctions laws by indirectly providing economic resources and services to sanctioned entities. According to the investigation, the core target of this operation was Stark Industries Solutions — a hosting company established on February 10, 2022, just two weeks before Russia’s full-scale invasion of Ukraine. The company is actually controlled by two Moldovan brothers, Iurie Neculiti and Ivan Neculiti, who were added to the EU sanctions list in May 2025. Data cited by the Dutch newspaper De Volkskrant indicates that WorkTitans and MIRhosting were the networks most frequently used for pro-Russian cyberattacks against Danish government agencies during the November 2025 Danish local elections.
According to Krebs on Security, the reason this crackdown was delayed until a year after the sanctions were imposed is that the Neculiti brothers learned of the impending sanctions about 12 days in advance. They then transferred their assets before the sanctions officially took effect, rebranding Stark’s network infrastructure and moving it under the name WorkTitans to continue operations. After the servers were seized, the hosting company notified customers that “the data cannot be recovered.” In a statement, the FIOD said the network was used to launch cyberattacks, carry out interference operations, and spread disinformation against EU member states, with the aim of “undermining democracy and security.”