Netherlands arrests two men running 800 servers fueling Russian cyberattacks across Europe in 2026


Two men arrested in the Netherlands this week were running the digital backbone of Russia’s cyberattack machine inside Europe—800 servers that authorities say funneled malware, influence operations, and disinformation campaigns directly into EU networks.

The arrests represent a rare enforcement victory against the infrastructure layer that makes state-sponsored hacking possible. While most headlines focus on the hackers themselves, the real chokepoint is the hosting companies that rent them server space, knowing exactly what those servers will do. The two men arrested were the co-owners of Internet hosting companies that had taken control of technical infrastructure previously operated by Stark Industries Solutions, an Internet service provider the EU sanctioned last year for serving as a staging ground for Russian intelligence cyberattacks.

Key Findings:
  • Infrastructure Scale: Dutch authorities seized 800 servers actively conducting cyberattacks and disinformation campaigns across EU networks.
  • Criminal Liability: The arrests mark a shift from sanctions to criminal prosecution for hosting providers who knowingly enable state-sponsored hacking.
  • Supply Chain Targeting: Law enforcement focused on infrastructure providers rather than hackers themselves, creating a new enforcement precedent.

According to KrebsOnSecurity, which first reported on these hosting operations in 2025, the two men knowingly provided the infrastructure. The servers seized by Dutch authorities were actively being used to conduct cyberattacks, run influence operations, and distribute disinformation across European Union member states. By arresting the operators rather than simply seizing equipment, Dutch law enforcement signaled that providing the pipes for state-sponsored hacking carries criminal liability—not just a fine or a server shutdown.

The scale matters. Eight hundred servers is not a small operation. That’s enough infrastructure to support sustained, multi-target campaigns across dozens of organizations and countries simultaneously. Each server can host malware command-and-control systems, phishing pages, fake news distribution networks, or data exfiltration pipelines. For a criminal or intelligence operation, reliable hosting is as essential as weapons are to a military.

The Infrastructure Numbers:
  • 800 servers – Total infrastructure seized by Dutch authorities
  • 27 EU countries – Potential targets within the operational range
  • Multiple attack vectors – Malware, phishing, disinformation, and data exfiltration capabilities per server

How Does This Mirror Cambridge Analytica’s Playbook?

What makes this case structurally significant is how it mirrors the data-harvesting playbook that emerged from the Cambridge Analytica scandal. In that case, a political consulting firm built infrastructure—psychological profiles, microtargeting databases, automated ad delivery systems—designed to manipulate voters at scale. The data was collected without meaningful consent, aggregated into behavioral profiles, and weaponized for influence. Here, the infrastructure is different (servers instead of databases), but the operational logic is identical: build a platform, populate it with stolen or coerced data, automate the delivery, and target specific populations. Cambridge Analytica’s infrastructure was designed to influence elections through behavioral microtargeting; Russia’s infrastructure, according to Dutch authorities, is designed to influence EU politics through cyberattacks and disinformation. Both require a supply chain of enablers willing to look past what their systems are being used for.

The hosting companies whose co-owners were arrested in the Netherlands were that supply chain. They didn’t write the malware or create the fake news. They rented space to people who did, and according to Dutch authorities, they did so with full knowledge of the purpose. That’s the critical distinction from a legitimate hosting company that accidentally hosts malicious content and takes it down when notified. These operators were allegedly active participants in the infrastructure of influence operations.

Why Are Criminal Charges More Significant Than Sanctions?

The EU’s 2025 sanctions against Stark Industries Solutions had already flagged this ecosystem as compromised. By arresting the two men who took over that infrastructure, Dutch authorities moved from sanctions—which are largely symbolic and often ineffective—to criminal prosecution. That’s a higher bar and carries real consequences: jail time, asset seizure, and a precedent that operating hosting infrastructure for state-sponsored hacking is a prosecutable crime under Dutch law.

The broader implication is that the weakest link in a cyberattack chain is often not the attacker but the infrastructure provider. Hackers need somewhere to host their command servers, their phishing pages, their data. If that supply chain becomes criminally liable, the cost of launching attacks rises dramatically. Attackers have to find new hosting providers, move infrastructure constantly, or operate in jurisdictions with no law enforcement cooperation—all of which degrades operational effectiveness.

Strategic Impact:
  • Cost Escalation: Criminal liability forces attackers to constantly relocate infrastructure, increasing operational costs
  • Jurisdiction Shopping: Hosting providers must operate in non-cooperative jurisdictions, limiting effectiveness
  • Deterrent Effect: Other hosting companies may refuse similar arrangements to avoid prosecution risk

What Does This Mean for EU Cybersecurity Enforcement?

What remains unclear from the arrests is whether other hosting providers across Europe are knowingly operating similar infrastructure, and whether this case will trigger broader enforcement action. The Netherlands’ move suggests that at least some EU member states are willing to prosecute, not just sanction. Whether that becomes a coordinated EU-wide enforcement strategy will determine whether this case becomes a one-off victory or the beginning of a sustained campaign against the infrastructure layer of state-sponsored hacking.

The connection to cyberattack protection extends beyond just technical infrastructure. Organizations across the EU now face the reality that state-sponsored attacks operate through commercial hosting providers within their own borders, making traditional perimeter defenses insufficient against threats that originate from seemingly legitimate European infrastructure.

Sociologist and web journalist, passionate about words. I explore the facts, trends, and behaviors that shape our times.