Volver al blog
CybercrimeNetwork Security

Netherlands Server Seizures Show Infrastructure Is Part of Cyber Defense

KrebsOnSecurity reported that Dutch authorities seized more than 800 servers and arrested two people accused of enabling Russian cyberattacks and influence operations.

Author
ECEvolving Cyber
Published
May 25, 2026
Reading Time
5 min read
Server room data center rendered in blue light
Supporting image: server room data center, Adobe Stock file #428944645.

On May 25, 2026, KrebsOnSecurity reported that Dutch authorities arrested two people connected to related hosting companies and seized more than 800 servers. According to Krebs, the investigation focused on infrastructure allegedly used to support cyberattacks, influence operations, and disinformation campaigns tied to Russia.

This is worth including because it highlights a part of cyber defense that is easy to overlook: infrastructure providers, hosting routes, proxy networks, and upstream connectivity can be central to hostile operations.

Krebs connected the case to Stark Industries Solutions, a hosting provider that had previously been sanctioned by the European Union as a staging ground for Russian cyber activity. The Dutch investigation focused on companies and people allegedly involved in keeping that infrastructure reachable after sanctions disrupted other parts of the network.

Why this belongs in the blog

Cyberattacks do not happen in empty space. They depend on domains, servers, bulletproof hosting, proxy access, payment rails, resellers, and network providers. Law enforcement actions against infrastructure can disrupt attacker operations even when the individual operators remain difficult to reach.

For defenders, the story reinforces why threat intelligence should include infrastructure patterns, not only malware names and IP addresses.

Why hosting providers matter

Abusive infrastructure often survives by moving between shell companies, resellers, upstream providers, and jurisdictions. A takedown that only removes one server may be temporary. A takedown that targets the business and network relationships behind the activity can have a larger effect.

Krebs reported that Dutch investigators searched businesses and data centers, seized laptops and phones, and took more than 800 servers. That kind of action disrupts not only active campaigns, but also the operational continuity attackers rely on: customer panels, proxy routing, staging servers, credential stores, and backup infrastructure.

What organizations should do

  • Track hosting providers, ASNs, and proxy networks that frequently appear in attacks against your sector.
  • Use threat intelligence to enrich alerts with infrastructure context.
  • Monitor for traffic to newly registered domains and suspicious hosting clusters.
  • Preserve logs that can help connect attacker infrastructure across incidents.
  • Work with legal, fraud, and abuse teams when infrastructure providers repeatedly appear in malicious activity.

The takeaway

Disrupting attacker infrastructure can be as important as identifying malware. The server, network, and hosting ecosystem is part of the battlefield.

Sources