Sanctioned, Seized, Still Scanning: Inside a Russian Bulletproof Hosting Network Targeting the EU

On 18 May 2026, Dutch investigators seized more than 800 servers and broke up a hosting operation that prosecutors say powered Russian cyberattacks across the EU. We had spent the previous year watching the same network from the other side. After the seizure, the scanning did not stop.

The Takedown

On 18 May 2026, the Dutch fiscal crime service FIOD seized more than 800 servers, along with laptops, phones and administrative records, in raids on data centres in Dronten and Schiphol-Rijk and searches of businesses in Enschede and Almere. Two people were arrested: a 57-year-old company director from Amsterdam, and a 39-year-old from The Hague who ran a separate firm supplying internet connectivity. De Volkskrant, which had been investigating the network, described them memorably as a consultant and a concert pianist.

The target was a hosting operation that prosecutors say helped Russia run cyberattacks, influence operations and disinformation inside the European Union. The Dutch front was WorkTitans B.V., trading as THE.Hosting. A second Dutch company, Mirhosting in Almere, provided the colocation and the high-capacity connectivity into the Amsterdam and Frankfurt internet exchanges, the transport layer that carried the traffic into Europe. Danish authorities have tied the infrastructure to the pro-Russian hacktivist group NoName057(16) and to attacks on Danish government bodies during the November 2025 municipal elections.

If those brand names look like a shell game, that is because they are. We had spent the previous year watching the same operation from the other side: the ELLIO deception network was logging the reconnaissance and mass-exploitation attempts coming from it, and not only from it. Here is what the takedown looked like from the inside, and the part that should worry defenders most.

One operator, a parade of names

The company history reads like a relay race run to stay ahead of sanctions:

  • Stark Industries Solutions appeared two weeks before Russia invaded Ukraine and became a notorious bulletproof host. The EU sanctioned it, and the Moldovan Neculiti brothers behind it, on 20 May 2025.
  • PQ Hosting Plus S.R.L., a Moldovan entity, took over Stark's main network number just four days before the sanctions landed.
  • THE.Hosting, announced nine days after the sanctions, runs on a brand-new autonomous system operated by the Dutch company WorkTitans B.V.

In our honeypot telemetry, this corporate relay shows up cleanly as a migration across autonomous systems, the numbered networks that announce IP address space to the internet.


+----------+--------------------------+--------------------------------------------------------------+
|   ASN    |       Organization       |                             Role                             |
+----------+--------------------------+--------------------------------------------------------------+
| AS44477  | Pq Hosting Plus S.r.l.   | the original Stark network, relabelled to PQ after sanctions |
| AS209847 | WorkTitans B.V.          | THE.Hosting, the post-sanction primary                       |
| AS213999 | WorkTitans B.V.          | THE.Hosting, a secondary                                     |
| AS33993  | UFO Hosting LLC (Moscow) | a steady, 100 percent Russia-based side channel              |
+----------+--------------------------+--------------------------------------------------------------+

When we saw each one, and the handoff

The honeypot data gives precise first and last sightings. AS44477 was already active when our tracking window opened, so its true start is older than the dates shown here.


+------------------------+-------------------+---------------+---------------------------+
|          ASN           |    First seen     | Last activity |       Last 90 days        |
+------------------------+-------------------+---------------+---------------------------+
| AS44477 (Stark / PQ)   | before 2025-01-01 | October 2025  | nothing                   |
| AS209847 (THE.Hosting) | 2025-08-05        | 2026-05-26    | active, ~107 distinct IPs |
| AS213999 (THE.Hosting) | 2026-03-29        | 2026-04-25    | dormant                   |
| AS33993 (UFO, Moscow)  | 2025-04-16        | 2026-05-24    | low                       |
+------------------------+-------------------+---------------+---------------------------+

Figure: line chart of scanning activity migrating from AS44477 (Stark/PQ) to AS209847 (THE.Hosting). The AS44477 line peaks around August 2025 at about 10k IPs and then declines, while the AS209847 line rises to 400+ IPs by November.

The old Stark/PQ network (AS44477) carried the scanning all through the summer of 2025, then threw one last enormous punch: on 30 August 2025, more than 7,300 distinct addresses from AS44477 swept our sensors in a single day, mostly on web and SSH ports. Within weeks it went quiet. By November its primary run was over, and we have seen nothing genuine from it since. Its address blocks did not vanish, though.

At almost the same moment, the new THE.Hosting network (AS209847) woke up. It first touched our sensors on 5 August 2025, then climbed fast, peaking in November and December 2025 at over two million scanning sessions a month. The baton passed in plain sight between August and October 2025, roughly three months after the sanctions.
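The first-seen/last-seen table and the per-day counts quoted in this article come straight out of honeypot session records. As an added example (this is not ELLIO's code or the tooling behind the figures), here is one way to derive that view from such records: per-ASN first and last sighting, distinct source IPs in a trailing 90-day window, the top destination ports, and the overlap window in which an old and a new ASN were both alive. The record format, the source addresses (RFC 5737 documentation ranges), the 14-day "active" threshold and the reference date are assumptions; only the ASNs are the ones named above.

```python
"""Per-ASN scanner timeline from honeypot session records.

Added example, not ELLIO's code. The record format, the source IPs
(RFC 5737 documentation ranges) and the thresholds are constructed;
only the ASNs are the ones named in the article.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed sample telemetry: UTC timestamp, source IP, source ASN, destination port
SAMPLE_SESSIONS = """\
2025-07-14T02:11:09Z,192.0.2.10,44477,22
2025-08-30T04:00:01Z,192.0.2.11,44477,80
2025-08-30T04:00:02Z,192.0.2.12,44477,22
2025-08-30T04:00:03Z,192.0.2.13,44477,445
2025-10-02T10:45:00Z,192.0.2.14,44477,3389
2025-08-05T12:30:00Z,198.51.100.5,209847,21
2025-11-20T08:00:00Z,198.51.100.6,209847,23
2026-05-18T09:15:00Z,198.51.100.7,209847,27017
2026-05-19T09:15:00Z,198.51.100.8,209847,6379
2026-05-19T09:16:00Z,198.51.100.8,209847,5985
2026-05-26T07:00:00Z,198.51.100.9,209847,21
2026-03-29T01:00:00Z,203.0.113.20,213999,80
2026-04-25T01:00:00Z,203.0.113.21,213999,8080
"""

# Reference point for the trailing window: the date of the routing check in the article
AS_OF = datetime(2026, 5, 26, 12, 0, tzinfo=timezone.utc)


def parse_sessions(text):
    """Parse one CSV record per line into (timestamp, ip, asn, port) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, asn, port = line.strip().split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions.append((when, ip, int(asn), int(port)))
    return sessions


def summarize_by_asn(sessions, as_of, window_days=90, active_days=14):
    """Build the first-seen / last-seen / recent-activity view for each ASN.

    status is 'dark' when nothing was seen in the window, 'dormant' when the ASN
    was seen in the window but not in the last `active_days`, else 'active'.
    (These thresholds are this example's assumption, not the article's.)
    """
    window_start = as_of - timedelta(days=window_days)
    active_cutoff = as_of - timedelta(days=active_days)
    by_asn = defaultdict(list)
    for rec in sessions:
        by_asn[rec[2]].append(rec)
    summary = {}
    for asn, recs in by_asn.items():
        times = [r[0] for r in recs]
        recent_ips = {r[1] for r in recs if r[0] >= window_start}
        last_seen = max(times)
        if not recent_ips:
            status = "dark"
        elif last_seen < active_cutoff:
            status = "dormant"
        else:
            status = "active"
        summary[asn] = {
            "first_seen": min(times).date(),
            "last_seen": last_seen.date(),
            "recent_distinct_ips": len(recent_ips),
            "top_ports": [p for p, _ in Counter(r[3] for r in recs).most_common(3)],
            "status": status,
        }
    return summary


def overlap_days(summary, old_asn, new_asn):
    """Days on which both ASNs were inside their observed lifetimes: the handoff window."""
    start = max(summary[old_asn]["first_seen"], summary[new_asn]["first_seen"])
    end = min(summary[old_asn]["last_seen"], summary[new_asn]["last_seen"])
    return max(0, (end - start).days)


def distinct_ips_per_day(sessions, asn, start_day, end_day):
    """Distinct source IPs per UTC day for one ASN between two ISO dates, zero-filled."""
    seen = defaultdict(set)
    for when, ip, rec_asn, _ in sessions:
        if rec_asn == asn:
            seen[when.date()].add(ip)
    day, last = date.fromisoformat(start_day), date.fromisoformat(end_day)
    counts = {}
    while day <= last:
        counts[day.isoformat()] = len(seen[day])
        day += timedelta(days=1)
    return counts


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_SESSIONS)
    view = summarize_by_asn(recs, AS_OF)
    for asn, row in sorted(view.items()):
        print(f"AS{asn}: {row}")
    print("handoff overlap AS44477 -> AS209847 (days):", overlap_days(view, 44477, 209847))
    print("AS209847 around the raid:", distinct_ips_per_day(recs, 209847, "2026-05-18", "2026-05-20"))
```

The "dark / dormant / active" labels fall out of two thresholds, and the per-day counts are the check to run after a takedown: if the count for the seized network does not drop to zero, the address space is still in someone's hands.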

Figure: dashboard of four ASN threat-intelligence cards with status indicators, AS44477 (dark), AS209847 (active), AS213999 (dormant) and AS33993 (persistent), each showing source IPs, address blocks and timeline data.

What was actually coming at us

The old network (AS44477) ran a classic brute-force profile: web (port 80), SSH (22), FTP (21), file shares (445) and remote desktop (3389). If you exposed those, you got credential stuffing and login guessing.

THE.Hosting (AS209847) cast a much wider net. It led with FTP and Telnet, swept alternate web ports, and went hunting for exposed databases: MongoDB, Redis, PostgreSQL, Oracle and LDAP. It even probed industrial control protocols, including DNP3 and EtherNet/IP. Mixed in were specific exploit attempts worth detecting:

  • the Huawei HG532 router remote-code-execution bug (CVE-2017-17215), a long-running Mirai-family vector
  • Windows Remote Management probes on port 5985
  • Hazelcast cluster exposure checks
  • Nmap and zgrab mass-scanning signatures

The part that should worry defenders

We expected the scanning to stop on 18 May, when FIOD pulled 800 servers out of the racks. It did not.

THE.Hosting's network (AS209847) kept hitting our sensors at its normal daily rate straight through the raid and the days after it: about 20 distinct attacking IPs on the 18th, 28 on the 19th, 32 on the 20th, and still going a week later.

We checked the addresses against the live routing table, and they are still announced by AS209847 (WorkTitans), including ranges inherited from the old Stark network.

So is the network already moving to its next number? We checked the live routing table on 26 May 2026, eight days after the raid. The old Stark system (AS44477) now announces zero routes; it is gone from the internet entirely. THE.Hosting (AS209847) still announces 484 IPv4 blocks and is still scanning. 

Of the ranges we had seen it use in the previous 90 days, roughly a third have been withdrawn from global routing since the seizure, including the legacy Stark blocks like 94.131.105.0/24 and 92.118.232.0/24, but the rest remain live, and not one of them has reappeared under a different network number. The siblings, AS213999 and the Moscow-based AS33993, are still routed and waiting. For now the operation has shrunk, not relocated. If its own history is any guide, the next number is only a rebrand away. 
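The routing-table check described above (which of the ranges a scanner used are still announced, which were withdrawn, and whether any came back under a different origin ASN) is mechanical once you have two snapshots of the global table. The block below is an added example, not ELLIO's code: it does longest-prefix matching with the standard library and classifies each observed prefix between a "before" and an "after" snapshot. The snapshots and prefixes are constructed from RFC 5737 documentation space, and the "moved" case is included only to show what a re-origination would look like, since the article found none; a real check would pull the current table from a route collector.

```python
"""Classify scanner-observed prefixes against two routing-table snapshots.

Added example, not ELLIO's code. The snapshots below are constructed from
RFC 5737 documentation space; the 'moved' case is hypothetical and exists
to show what a re-origination under another ASN would look like.
"""
import ipaddress

# Constructed 'before seizure' and 'after seizure' snapshots: (prefix, origin ASN)
ROUTES_BEFORE = [
    ("192.0.2.0/24", 209847),      # legacy block, withdrawn afterwards in this scenario
    ("198.51.100.0/24", 209847),   # still announced afterwards
    ("203.0.113.0/25", 209847),    # hypothetical: re-originated by the sibling ASN afterwards
    ("203.0.113.128/25", 44477),   # old Stark ASN, gone afterwards
]
ROUTES_AFTER = [
    ("198.51.100.0/24", 209847),
    ("203.0.113.0/25", 213999),
]


def build_table(routes):
    """Parse (prefix, asn) pairs and order most-specific first for longest-prefix match."""
    table = [(ipaddress.ip_network(prefix, strict=True), asn) for prefix, asn in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def origin_of(ip, table):
    """Origin ASN of the most specific route covering `ip`, or None if it is unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def classify_prefixes(observed, before, after):
    """Map each observed prefix to (state, origin_before, origin_after).

    state is 'withdrawn' (no covering route any more), 'still_routed' (same
    origin ASN as before) or 'moved' (covered, but by a different origin ASN).
    """
    before_t, after_t = build_table(before), build_table(after)
    result = {}
    for prefix in observed:
        probe = str(ipaddress.ip_network(prefix).network_address)
        then, now = origin_of(probe, before_t), origin_of(probe, after_t)
        if now is None:
            result[prefix] = ("withdrawn", then, None)
        elif now == then:
            result[prefix] = ("still_routed", then, now)
        else:
            result[prefix] = ("moved", then, now)
    return result


def summary_counts(classification):
    """Tally the three states so the 'roughly a third withdrawn' figure is one call away."""
    counts = {"still_routed": 0, "withdrawn": 0, "moved": 0}
    for state, _, _ in classification.values():
        counts[state] += 1
    return counts


def routes_announced_by(asn, routes):
    """Number of prefixes originated by `asn` in a snapshot; zero means the ASN is gone."""
    return sum(1 for _, origin in routes if origin == asn)


if __name__ == "__main__":
    observed = [prefix for prefix, _ in ROUTES_BEFORE]
    verdicts = classify_prefixes(observed, ROUTES_BEFORE, ROUTES_AFTER)
    for prefix, verdict in verdicts.items():
        print(prefix, verdict)
    print(summary_counts(verdicts))
    print("AS44477 routes after:", routes_announced_by(44477, ROUTES_AFTER))
```

Any prefix that lands in "moved" is the signal the article says to watch for: the same address space surfacing under a new network number is what a rebrand looks like in the routing table before it looks like anything in a company register.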

Why Recon and Mass Exploitation are so dangerous

It is tempting to wave off scanning as background noise. In this case it is the engine of something much larger. The operators behind Stark Industries, PQ Hosting and THE.Hosting have been publicly tied to repeated distributed denial-of-service attacks on European critical infrastructure and to disinformation campaigns, including activity attributed to the pro-Russian group NoName057(16) and the attacks on Danish government systems during the November 2025 elections. What we logged is the groundwork for exactly that kind of operation.

Two intents run through everything the network sent us. First, it was building a fleet. It hunted for open proxies, issuing HTTP CONNECT requests that tunnel out to liveness-check targets, and it carried exploits for known vulnerabilities as live payloads, dropping Mirai loaders, a cryptominer and self-replicating bots onto anything that answered. Second, it was cataloguing easy targets: unauthenticated databases, exposed admin panels, and end-of-life devices.
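Both the open-proxy hunting described here and the Nmap and zgrab signatures listed under "What was actually coming at us" are visible in ordinary web-server logs, which is where most defenders will first meet this traffic. The following is an added example (not ELLIO's code) of that detection logic run over constructed combined-log-format lines: it flags CONNECT requests and forward-proxy-style absolute-URI requests as open-proxy probes, and flags user-agent markers of mass scanners. The log lines, source addresses (RFC 5737 ranges) and the marker list are this example's assumptions.

```python
"""Flag open-proxy probes and mass-scanner signatures in web-server access logs.

Added example, not ELLIO's code. The log lines are constructed (RFC 5737
source addresses) and the user-agent marker list is an assumption.
"""
import re
from collections import defaultdict

# Constructed combined-log-format lines
SAMPLE_LOG = r"""
198.51.100.5 - - [19/May/2026:09:15:02 +0000] "CONNECT example.com:443 HTTP/1.1" 405 0 "-" "Mozilla/5.0"
198.51.100.5 - - [19/May/2026:09:15:03 +0000] "GET http://example.com/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:09:20:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [19/May/2026:09:22:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.44 - - [19/May/2026:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed substrings that identify mass-scanning tools in User-Agent headers
SCANNER_UA_MARKERS = ("zgrab", "nmap scripting engine", "masscan")


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def classify_request(rec):
    """Return the tags that apply to one parsed request (empty list when nothing is suspicious)."""
    tags = []
    if rec["method"] == "CONNECT":
        # A tunnel request to a third party: the classic open-proxy liveness check
        tags.append("proxy_probe_connect")
    elif rec["target"].lower().startswith(("http://", "https://")):
        # An absolute URI in the request line is how a client talks to a forward proxy
        tags.append("proxy_probe_absolute_uri")
    ua = rec["ua"].lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        tags.append("mass_scanner_ua")
    return tags


def scan_log(text):
    """Group suspicious requests by source IP: ip -> sorted list of tags."""
    findings = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify_request(rec):
            findings[rec["ip"]].add(tag)
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG).items():
        print(ip, tags)
```

A server that is not a proxy should never see CONNECT or absolute-URI requests from the open internet; a source that sends both, as 198.51.100.5 does in the sample, is checking whether you can be added to a proxy pool, and is worth correlating against the ASN tables above.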

Put those together and the purpose comes into focus. We assess that the operator was using its persistent, sanction-resistant infrastructure to assemble a fleet of compromised and proxy-capable hosts, and a fleet like that has direct, well-documented uses:

  • Automation and influence operations. Large pools of proxies and bots are the raw material for fake account registration, disinformation amplification, bot farms and troll farms, the very capability these operators are publicly accused of supplying.
  • Distributed denial of service. A botnet stitched together from vulnerable, exploited, EU-based servers and devices is ideal for attacking European targets, because the traffic originates from inside Europe rather than from an obviously hostile network.
  • Ransomware and critical-infrastructure intelligence. The more recent shift toward database and industrial (SCADA) scanning points somewhere more serious: information gathering, ransomware staging, and the quiet assembly of a list of poorly secured critical-infrastructure systems to revisit later.

One important caveat, and it cuts to why bulletproof hosting is so valuable to its customers. We should not assume that the scanning we logged and the DDoS and disinformation campaigns in the headlines are the same hands. ELLIO's threat research team assesses that at least some of this activity is a separate customer of the same infrastructure, not NoName057(16). A bulletproof host rents the same address space, and often the same off-the-shelf tooling, to many tenants at once. That shared substrate is a feature, not a side effect: it blends unrelated operations together, so a defender or an investigator sees one noisy network and cannot easily tell which packets belong to which actor.

Report

Get the full 103-page analysis: twelve months of tracking, complete indicators, source-IP lists, network fingerprints, and the high-signal MuonFP value.

Written by

ELLIO Threat Research Lab

A group of researchers at ELLIO, transforming insights from mass exploitation and network reconnaissance into real-world cybersecurity defenses.