Dutch Raid Fails to Dent Russian Bulletproof Host THE.Hosting
A Dutch law enforcement raid on THE.Hosting, a Russian bulletproof hosting provider, seized 800 servers but failed to disrupt its core IP infrastructure, leaving malicious scanning activity largely intact.

A recent Dutch law enforcement operation to dismantle a bulletproof hosting network appears to have done little to disrupt its ongoing malicious activity, highlighting the resilience of modern cybercriminal infrastructure against takedown efforts.
On May 18, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers and arrested two people connected to THE.Hosting, a network tied to Russian cybercrime and influence operations in the European Union. However, more than a week later, scanning activity from the network has remained at almost the same levels as before, according to researchers at Prague-based threat intelligence firm ELLIO.
"The traffic is broad, opportunistic attack and botnet-building," ELLIO said in a report this week. "It recruits Internet-of-Things devices into botnets, drops cryptominers and self-replicating bots, steals cloud credentials, exploits exposed web applications, and abuses proxy capacity to attack third parties."
THE.Hosting is the latest incarnation of a bulletproof hosting network that researchers trace back to infrastructure originally controlled by a Russian individual registrant in 2022. Shortly after Russia invaded Ukraine in February 2022, the individual transferred the network's autonomous system number (ASN), AS44477, to a newly incorporated company called Stark Industries Solution. When the EU sanctioned Stark Industries in 2025, the operators transferred AS44477 to another newly created entity called PQ Hosting Plus S.R.L. They later rebranded it yet again, to THE.Hosting, and moved operations to a new network, AS209847, under a Dutch company called WorkTitans B.V.
According to ELLIO, threat actors using the old Stark/PQ network were mainly focused on finding systems with weak or default passwords across services like web servers, SSH access, FTP file transfer, and Windows file shares. The scanning activity associated with THE.Hosting is broader and more concerning because it involves databases and industrial control systems (ICS). ELLIO researchers said they observed probes for exposed MongoDB, Redis, PostgreSQL, and Oracle databases alongside scans for DNP3 and EtherNet/IP, which are protocols commonly associated with power grids, water systems, and other industrial facilities.
Vlad Iliushin, CEO of ELLIO, says the operators of Stark Industries, PQ Hosting and THE.Hosting have been publicly tied to repeated distributed denial-of-service (DDoS) attacks on European critical infrastructure. They have also been linked to disinformation campaigns, including activity attributed to the pro-Russian group NoName057(16) and the attacks on Danish government systems during the November 2025 elections.
Iliushin points to two reasons why the recent Dutch law enforcement operation has had little effect on THE.Hosting. First, taking physical servers off the rack doesn't take away the address space those servers were using. "The blocks are still allocated to the operator by the Regional Internet Registry for Europe, are still announced via BGP, and as soon as the operator puts new hardware behind those addresses in another data center, in another country, the scanning resumes," Iliushin says. The other reason is that THE.Hosting's address blocks, registered under the Dutch firm WorkTitans B.V., are geolocated across the Netherlands, the United States, Germany, Finland, Turkey, the UK, France, Moldova, Poland, Kazakhstan, Czechia and Latvia.
The best-case scenario for taking down an operation like THE.Hosting would be for law enforcement agencies across the European Union and US to collaborate and blackhole all address space belonging to AS209847, Iliushin notes. "The FIOD raided servers in Dutch data centers, which means the infrastructure hosted by THE.Hosting and its customers in the Netherlands was affected," he says. "But just like legitimate hosting providers, bulletproof hosting providers can operate from multiple jurisdictions, and taking down one node does not take down the entire network."
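For defenders, the address-space point and ELLIO's list of probed services suggest triaging inbound traffic by announced prefix rather than by individual IP, so that replacement hardware behind the same block still matches. The sketch below is an added example, not code from ELLIO or the article; the prefixes are documentation-range placeholders standing in for whatever AS209847 announces, the log lines are constructed, and the port mapping assumes the named services run on their default ports.

```python
import ipaddress
from collections import Counter

# Placeholder prefixes (RFC 5737 / RFC 3849 documentation ranges) standing in
# for the blocks announced by AS209847; load the real list from your BGP/RIR feed.
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:44::/48")]

# Default ports (assumption) of the services the report names as probe targets.
PORT_LABELS = {22: "SSH", 21: "FTP", 445: "SMB", 27017: "MongoDB",
               6379: "Redis", 5432: "PostgreSQL", 1521: "Oracle",
               20000: "DNP3", 44818: "EtherNet/IP"}
ICS_LABELS = {"DNP3", "EtherNet/IP"}

# Constructed firewall log lines: "<time> <src_ip> <dst_port>"
SAMPLE_LOG = """\
08:00:01 192.0.2.17 6379
08:00:02 192.0.2.201 20000
08:00:03 198.51.100.9 44818
08:00:04 198.51.100.200 22
08:00:05 203.0.113.5 27017
08:00:06 2001:db8:44::1 5432
08:00:07 192.0.2.17 8080
08:00:08 not-an-ip 445
"""

def triage(log_text):
    """Count probes from watched prefixes per service and collect ICS probers."""
    per_service, ics_sources, skipped = Counter(), set(), 0
    for line in log_text.splitlines():
        try:
            _, src, port = line.split()
            ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:          # wrong field count, bad address or bad port
            skipped += 1
            continue
        # Prefix match: any host in the block counts, old or newly racked.
        if not any(ip.version == n.version and ip in n for n in WATCHED_PREFIXES):
            continue
        label = PORT_LABELS.get(port, "other")
        per_service[label] += 1
        if label in ICS_LABELS:
            ics_sources.add(str(ip))
    return per_service, ics_sources, skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```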