Dutch investigators have arrested two men and seized hundreds of servers in a sanctions-related investigation into infrastructure allegedly used by Russian-linked cyber actors to target European governments, public services and companies.

Dutch financial crime investigators have seized about 800 servers in an operation targeting hosting infrastructure allegedly used by Russian-linked cyber networks to conduct attacks against European targets. The Dutch Fiscal Information and Investigation Service carried out searches at data centres in Dronten and Schiphol-Rijk, as well as at business premises in Enschede and Almere, according to reports on the Dutch operation.

The investigation is being treated as a sanctions-enforcement case rather than a direct prosecution of hackers. Dutch authorities arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague on suspicion of making economic resources available to sanctioned entities. Investigators also seized laptops, phones, administrative records and other equipment, in addition to the servers.

The seized infrastructure has been linked in reporting to WorkTitans and MIRhosting, two hosting companies alleged to have provided services connected to entities associated with Iurie and Ivan Neculiti. The two Moldovan brothers were placed under EU restrictive measures in May 2025, when the Council of the EU sanctioned Stark Industries, Iurie Neculiti and Ivan Neculiti for allegedly enabling Russian state-sponsored and affiliated actors to conduct information manipulation, interference and cyberattacks against the EU and third countries.

The Dutch case appears to concern what happened after those sanctions were imposed. According to cyber-security reporting, investigators suspect that infrastructure linked to the sanctioned hosting network was transferred to a newly established Dutch company, which allegedly operated as a front to keep the services available despite EU restrictions. The case therefore places the hosting market, not only the hackers themselves, at the centre of Europe’s response to Russian hybrid activity.

The infrastructure has been associated with NoName057(16), a pro-Russian cyber group known for distributed denial-of-service attacks. DDoS attacks work by overwhelming websites with traffic until they become unavailable. They do not necessarily involve the theft of data, but they can disrupt government portals, banking services, transport systems, postal services and other public-facing platforms.

NoName057(16) has been active since Russia’s full-scale invasion of Ukraine and has repeatedly targeted countries that support Kyiv. Europol described the group in 2025 as a pro-Russian cybercrime network when it announced Operation Eastwood, an international action that disrupted more than 100 servers and involved authorities from several European states and the United States.

US prosecutors have also linked NoName057(16) to Russian state-sponsored cyber activity. The Department of Justice said the group used a DDoS tool known as DDoSia, recruited volunteers, published leaderboards and rewarded some participants with cryptocurrency. The US case described NoName057(16) as part of a wider set of Russian cyber operations targeting Ukraine and countries supporting it, according to the Justice Department’s announcement.

The reliance of such groups on servers located in Western jurisdictions creates both a vulnerability and a challenge. Western hosting infrastructure is attractive because it is fast, reliable and well connected. At the same time, it can be seized when investigators can trace ownership, identify sanctions breaches and obtain the necessary legal authority. The Dutch seizure shows that cyber infrastructure can be disrupted without direct access to the individuals directing attacks from Russia or other jurisdictions.

The case also illustrates the enforcement difficulties facing the EU. Sanctions can prohibit companies and individuals in the Union from making funds or economic resources available to listed persons or entities. However, enforcement depends on detecting transfers, front companies and indirect arrangements that may allow sanctioned actors to continue operating through new corporate structures.

For European governments, the significance of the Dutch operation lies in the intersection between cyber security, sanctions enforcement and private digital infrastructure. The immediate targets of the investigation are alleged facilitators within the hosting industry, not only the operators of pro-Russian cyber campaigns. That distinction matters because many disruptive cyber operations rely on ordinary commercial services: servers, connectivity, domain registration, payment systems and technical support.

The suspects remain presumed innocent unless proven guilty. However, the seizure of about 800 servers indicates that European authorities are increasingly prepared to treat cyber-enabling infrastructure as part of the broader Russian hybrid threat environment. The case is likely to draw attention in Brussels and other European capitals as governments examine how sanctioned actors may continue to use European-based services to support hostile activity.