A recent law enforcement operation in the Netherlands aimed at dismantling a bulletproof hosting network demonstrates the ongoing challenges of disrupting modern threat infrastructure.
On May 18, 2026, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers and arrested two individuals connected to THE.Hosting, a network associated with unauthorized activity and influence operations in the European Union. However, telemetry data indicates that scanning and automated activity originating from the network's address space continued at comparable levels in the weeks following the seizure.
Researchers at the Prague-based threat intelligence firm ELLIO documented that the network continues to support opportunistic scanning and botnet aggregation. According to ELLIO's analysis, the infrastructure is used to enroll Internet-of-Things (IoT) devices into botnets, deploy cryptominers and self-replicating automated tools, harvest cloud credentials, target exposed web applications, and abuse proxy capacity to initiate unauthorized activity against third parties.
The mechanics of infrastructure migration
THE.Hosting represents the latest iteration of a bulletproof hosting network that researchers have tracked back to infrastructure registered by a Russian individual in 2022. Following the geopolitical events of February 2022, the operator transferred the network's autonomous system number (ASN), AS44477, to a newly incorporated entity named Stark Industries Solution. An ASN is a unique identifier assigned to a block of IP addresses that dictates how traffic is routed across the internet.
When the European Union sanctioned Stark Industries in 2025, the network operators transferred AS44477 to another new entity, PQ Hosting Plus S.R.L. The infrastructure was subsequently rebranded as THE.Hosting and migrated to a new network, AS209847, operated by a Dutch company called WorkTitans B.V. ELLIO notes that this sequence of administrative changes effectively allowed a bulletproof hosting network to operate within EU data centers, routing traffic through a registered Dutch company rather than appearing as external infrastructure.
ELLIO researchers observed this migration clearly in their honeypot telemetry, identifying it as a deliberate transition across autonomous systems. The legacy Stark/PQ network maintained primary scanning operations through the summer of 2025, generating a significant volume of traffic on August 30. As the legacy network's activity decreased, THE.Hosting's infrastructure scaled up, originating over two million scanning sessions per month throughout November and December 2025.
Expanding targets and methodologies
Bulletproof hosting providers differentiate themselves by knowingly allowing threat actors, ransomware operators, and other unauthorized parties to operate on their infrastructure. These services frequently distribute their operations across multiple legal jurisdictions, bypass standard abuse reporting procedures, and maintain minimal cooperation with external authorities, complicating remediation efforts.
During the operational period of the older Stark/PQ network, ELLIO observed threat actors primarily searching for systems configured with weak or default credentials, particularly targeting web servers, SSH access, FTP file transfers, and Windows file shares.
Recent scanning activity associated with THE.Hosting indicates a broader testing methodology. Security researchers identified probes directed at exposed MongoDB, Redis, PostgreSQL, and Oracle databases. Notably, the network has also conducted scans for DNP3 and EtherNet/IP, protocols widely utilized in industrial control systems (ICS) environments, including power grids, water treatment facilities, and other critical infrastructure sectors.
Vlad Iliushin, CEO of ELLIO, notes that operators associated with Stark Industries, PQ Hosting, and THE.Hosting have been linked to repeated distributed denial-of-service (DDoS) activity affecting European critical infrastructure. The infrastructure has also been tied to disinformation campaigns, including operations attributed to the group NoName057(16) and disruptions of Danish government systems during the November 2025 elections.
Addressing the limitations of physical hardware seizures
Iliushin outlines two primary structural reasons why the Dutch law enforcement operation resulted in minimal disruption to THE.Hosting's overall network activity. First, removing physical hardware from data centers does not revoke the IP address space allocated to those servers.
Because the IP blocks remain allocated to the operator by the Regional Internet Registry for Europe and continue to be announced via Border Gateway Protocol (BGP), network administrators can simply provision new hardware in a different data center or jurisdiction and resume operations. While Dutch authorities seized the physical assets within their jurisdiction, the operation did not include BGP blackholing.
Second, the address blocks registered under WorkTitans B.V. (AS209847) are geographically distributed. The network's infrastructure spans data centers in the Netherlands, the United States, Germany, Finland, Turkey, the United Kingdom, France, Moldova, Poland, Kazakhstan, Czechia, and Latvia. As a result, scanning activity originating including AS209847 is not restricted and infrastructure located in the Netherlands.
To effectively mitigate operations utilizing decentralized infrastructure like THE.Hosting, security professionals recommend coordinated cross-jurisdictional collaboration between agencies in the EU and the US to blackhole all BGP address spaces associated with the offending ASN. Until the routing announcements themselves are neutralized, threat actors can continue leveraging unaffected infrastructure in secondary jurisdictions to maintain their operations.
About the contributing author
Jai Vijayan is a technology journalist with over 25 years of experience documenting information security and data-privacy issues. His reporting spans critical infrastructure protection, software supply chain security, cloud security, and emerging enterprise technologies. Vijayan has previously served as a senior editor at Computerworld and holds a Master’s degree in statistics from Bangalore University, alongside studies in broadcasting and electronic communication at Marquette University.