The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.
Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.