When Infrastructure Becomes a Liability: The Fall of Stark Industries

If there's one thing we've learned from recent cybercrime prosecutions, it's that rebranding doesn't equal reinvention. On May 22, 2026, Dutch financial crime investigators (FIOD) executed a series of raids that dismantled what many in the security community knew was simply Stark Industries Solutions Ltd.—a carefully constructed facade designed to obscure the true nature of a bulletproof hosting operation.

What makes this case particularly instructive for the legitimate hosting and domain industry is how it demonstrates the lengths criminals go to hide their identity—and how quickly that cover falls apart when proper oversight is applied.

The Anatomy of a Shell Company

Stark Industries Solutions Ltd. was incorporated on February 10, 2022—just 14 days before Russia's invasion of Ukraine. That timing alone raises red flags. The company's stated purpose was transparently deceptive: provide a "neutral name" for resellers so that IP addresses wouldn't be traceable back to PQ Hosting, an earlier venture in the Neculiti brothers' infrastructure portfolio.

Founded by Ivan and Iurie Neculiti from Transnistria (a pro-Russian breakaway region of Moldova), the operation represented the latest iteration of a cybercriminal infrastructure business that had been running since at least 2008. Ivan had operated under various identities—including the username "dfyz" on Russian cybercrime forums—selling what the industry calls "bulletproof servers": infrastructure explicitly designed to host illegal content with minimal accountability.

This is where things get interesting from a technical perspective. The Neculitis didn't just spin up new hardware. They leveraged existing infrastructure built around PQ Hosting, which at its peak served over 120,000 customers across 38+ countries. Stark Industries became a reseller layer—a middle company that obscured ownership while maintaining the same underlying physical infrastructure.

How Two ASNs Betrayed Them

Here's the security lesson embedded in this case: Digital forensics don't lie, even when companies do.

When the EU sanctioned Stark Industries in May 2025, the brothers executed what they likely believed was a clever maneuver: they transferred operations to a new Dutch entity called WorkTitans B.V., operating under the brand "THE.Hosting." New company, new website, new branding.

What they didn't account for was JA4T fingerprinting—a method security researchers use to identify network traffic patterns and hardware signatures across autonomous systems. By matching JA4T fingerprints across both the original Stark ASN and the new WorkTitans ASN, researchers confirmed they were examining the same physical servers. The rebrand was just a paper exercise. The hardware was identical. The infrastructure was unchanged.

This is a critical failure point that every legitimate hosting provider should understand: in an age of network-level forensics and SSL/TLS fingerprinting, obscuring infrastructure requires more than a new company registration. It requires actual infrastructure migration—something these operators apparently never attempted or were unwilling to do.

What Was Actually Running on These Servers?

The seized 800 servers weren't hosting legitimate web properties. Law enforcement and security researchers documented that Stark Industries infrastructure was used to support:

• NoName057(16): Pro-Russian DDoS operations
• Sandworm: The Russian GRU cyber unit
• Callisto Group (SEABORGIUM): Linked to Russian intelligence
• FIN7: One of the most prolific cybercriminal groups targeting financial institutions
• Doppelganger Campaign: A sophisticated disinformation operation spreading Russian-aligned fake news to European audiences

The Doppelganger discovery is particularly notable. CORRECTIV's 2024 investigation documented how the brothers' infrastructure in the Netherlands directly hosted the technical backbone of a state-sponsored disinformation campaign. This wasn't just criminal hosting—it was infrastructure supporting information warfare against European citizens.

The Legal Precedent That Changes Everything

The arrests and charges under the Dutch Sanctions Act set an important precedent: providing infrastructure to sanctioned entities is now treated as a criminal act, not a regulatory gray area.

Two men were arrested: a 57-year-old company director and a 39-year-old who managed internet connectivity operations. A third arrest related to Mirhosting signaled that Dutch prosecutors view infrastructure provision as direct culpability, not passive hosting service.

This distinction matters enormously for the legitimate hosting industry. It means that due diligence on customer identity and use case isn't optional. It means that knowing your customer (KYC) and sanctions list screening aren't bureaucratic overhead—they're foundational security practices that separate legitimate providers from criminal networks.

What This Means for Your Infrastructure Business

If you're running a hosting company, domain registry, or cloud platform, the Stark Industries case offers three critical lessons:

1. Technical sophistication is no substitute for legal compliance. The Neculitis operated a network spanning dozens of countries with six-figure customer bases. They understood DNS, IP allocation, and ASN management. None of that protected them from law enforcement equipped with modern forensic techniques.

2. Rebranding without infrastructure migration is useless. Changing company names, registrars, or billing entities doesn't change the physical reality of your servers. Network-level forensics can identify identical hardware across different ASNs and companies. Any serious operator understands this, which is why legitimate providers don't attempt such tricks.

3. Jurisdiction matters, and it's tightening. The Netherlands has positioned itself as hostile to bulletproof hosting. If you're operating infrastructure within EU borders, expect regulatory scrutiny. If you're operating legitimate services, this should be welcome news.

The Bigger Picture

What's fascinating about this case from a cybersecurity perspective is how it demonstrates the convergence of multiple investigative disciplines: financial crime investigation, network forensics, open-source intelligence, and traditional law enforcement. The raid wasn't a lucky break. It was the culmination of a year-long surveillance operation following the EU sanctions decision.

This convergence is becoming the standard for international cybercrime prosecution. Bulletproof hosting providers operate in the assumption that they're playing a jurisdictional game—that law enforcement in one country can't touch them if they're operating in another. The Stark Industries case proves that assumption is increasingly obsolete.

The 800 seized servers represented hundreds of millions of dollars in potential criminal infrastructure value. More importantly, they represented the technical backbone of operations that affected millions of Europeans through disinformation, cyberattacks, and financial fraud.

For the legitimate hosting industry, this case is actually good news. Every successful prosecution of bulletproof operators makes it harder for criminals to find hosting partners. Every seized server is one fewer available for rent to malicious actors. And every legal precedent that strengthens sanctions enforcement makes it more expensive for criminals to operate—expense that gets passed to their customers.

In the end, Stark Industries learned what countless shell companies have learned before them: you can't rebrand your way out of forensic evidence. The servers don't forget what they've hosted, and modern digital forensics won't let them either.