Overview
Dutch Financial Crime Investigators (FIOD) have arrested two individuals and seized 800 servers belonging to a web hosting company that provided criminal infrastructure for cyberattacks, interference operations, and disinformation campaigns.
The operation represents one of the largest single-action takedowns of a hosting provider enabling cybercrime in 2026, dismantling a significant node in the underground infrastructure supply chain that enables threat actors to operate with reduced attribution risk.
The Operation
| Attribute | Detail |
|---|---|
| Executing agency | FIOD — Netherlands Financial Crime Investigators |
| Servers seized | 800 |
| Arrests | 2 men |
| Services disrupted | Cyberattacks, interference ops, disinformation |
| Hosting model | Bulletproof / criminal hosting |
The FIOD, the Dutch financial crime investigation service, led the operation, likely in coordination with European partners including Europol and Eurojust, which routinely support complex cross-border takedowns of cybercrime infrastructure.
What Is Bulletproof Hosting?
Bulletproof hosting (BPH) refers to web hosting services that deliberately ignore abuse complaints, law enforcement requests, and takedown notices — providing persistent infrastructure to cybercriminals who would otherwise lose access when legitimate providers act on abuse reports.
BPH providers enable a wide range of criminal activity:
| Criminal Activity | How BPH Enables It |
|---|---|
| Ransomware operations | C2 servers, leak sites, payment portals |
| Phishing campaigns | Credential harvesting pages, redirect infrastructure |
| DDoS-for-hire | Botnet C2 nodes, amplification servers |
| Disinformation | Fake news sites, sock puppet infrastructure |
| Interference operations | Coordination servers for influence campaigns |
| Malware distribution | Payload hosting, update servers |
The hosting firm targeted by FIOD was providing exactly this kind of deliberately abuse-resistant infrastructure, making it a key enabler for criminal actors across multiple attack types.
Significance of 800 Servers
The scale of this seizure — 800 servers — is notable. For context:
- This is enough infrastructure to host thousands of malicious websites, C2 nodes, or disinformation outlets simultaneously
- A single ransomware group typically uses tens of servers for its operation; 800 servers could support dozens of criminal groups
- The simultaneous seizure denies criminal customers time to migrate their operations, potentially exposing active campaigns to disruption
Unlike domain seizures (where criminals can simply register new domains), server seizures provide investigators direct access to:
- Stored data — logs, databases, customer records, communications
- Cryptocurrency wallets — potential for asset seizure and tracing
- Operational intelligence — identifying which criminal groups used the service and for what
- Evidence for prosecution — server forensics supporting criminal charges
Intelligence Value
Seized servers from hosting providers have historically yielded significant intelligence for follow-on law enforcement actions. Past precedents include:
- Emotet takedown (2021) — seized infrastructure exposed thousands of bot operator identities
- REvil/Sodinokibi (2021) — server seizures contributed to subsequent member arrests
- LockBit disruption (2024) — hosting infrastructure provided victim lists and affiliate data
The 800 seized servers in this operation likely contain subscriber records, usage logs, and communications that will fuel downstream investigations against the criminal actors who were customers of this hosting firm.
Disinformation and Interference Operations
Notably, the hosting firm was not solely enabling traditional cybercrime — it was also providing infrastructure for interference operations and disinformation campaigns. This dual use highlights the convergence of:
- Cybercrime infrastructure (hacking, ransomware, fraud)
- Information operations (influence campaigns, election interference)
- State-adjacent activity (some interference operations have nation-state links)
European law enforcement agencies have increasingly targeted the infrastructure layer of disinformation operations, recognizing that shared hosting infrastructure creates a common point of intervention against otherwise disparate threat actors.
What Comes Next
Following server seizures of this scale, investigators typically:
- Forensically analyze seized hardware — extracting customer data, financial records, and operational logs
- Identify criminal customers — tracing which threat actors used specific servers and for what purpose
- Issue follow-on warrants — targeting identified criminals across jurisdictions
- Coordinate international arrests — working with Europol and Interpol for cross-border action
- Recover assets — pursuing cryptocurrency funds linked to criminal proceeds
For security teams, this operation signals disruption to any threat actors who relied on this provider's infrastructure — which may cause temporary shifts in C2 addresses, phishing infrastructure, or other adversary tooling.
Sources
- BleepingComputer — Netherlands seizes 800 servers of hosting firm enabling cyberattacks