New, by me:

Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia’s intelligence agencies.

https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/

Previous reporting on Stark Industries:

May 2024: Stark Industries Solutions: An Iron Hammer in the Cloud: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

July 2024: The Stark Truth Behind the Resurgence of Russia's Fin7: https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

September 2025: Bulletproof Host Stark Industries Evades EU Sanctions: https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/

#russia #cybercrime #arrest #sanctions

Checkpoint has an interesting update to this story about the Dutch hosting company WorkTitans that operated infrastructure inherited from the EU-sanctioned bulletproof host Stark Industries Solutions: It was also the backbone for some of Iran's most active cyber espionage operations.

"Based on our tracking of threat actor infrastructure, the WorkTitans takedown likely had an impact on Iranian cyber operations. Three separate Iranian threat actor groups, each running their own campaigns against different targets, were observed using WorkTitans infrastructure for core operational purposes."

https://blog.checkpoint.com/security/the-server-seizure-that-affects-also-irans-cyber-operations/

In some ways, this is unsurprising. Our original 2024 deep-dive on Stark Industries concluded with a quote about netflow data showing that the biggest share of traffic going over Stark's far-flung networks was proxied mobile requests (mostly to Facebook) from Iran.

https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

@briankrebs Yay on that. Have been getting hack attacks on client sites from them for years. Just have to say, finally!
@briankrebs that has to give you such a sense of satisfaction, seeing your work pay off for a better world. Man. That's fantastic.
@SomeVeganCheeseIsOk Thanks. Yes, although I would not be surprised to see them wriggle out of this effort as well. If that happens, I'm looking forward to writing about it again :)
@briankrebs “Just hosting” stops being an argument when the infrastructure is systematically used for attacks and disinformation. At some point, responsibility for what runs on it still has to be taken.
@briankrebs A vatnik bonk operation extraordinaire!! 😃👌
#nafofella

@briankrebs Dutch newspaper De Volkskrant did a writeup where your name was mentioned, looking forward to reading your take.

(That may sound silly given your most recent linked blog is from late 2025, but I haven’t read them yet.)

@briankrebs While the arrests in the Netherlands are good news, it is disappointing to see the Neculiți brothers once again weasel their way out of accountability.
@briankrebs wow that's amazing good job 👍🏿