Dutch police pull 800 racks offline
Dutch police seized 800 bulletproof hosting servers and arrested two operators. Technical analysis of the OpSec failures and tenant exposure.
Dutch authorities seized roughly 800 servers across two data centres in Zoetermeer and The Hague. Two suspects, ages 24 and 28, were arrested. The infrastructure is described as a bulletproof hosting operation that rented capacity to actors conducting ransomware staging, phishing kit hosting, infostealer C2, and DDoS-for-hire. The Politie statement names ondersteuning bij cyberaanvallen - support for cyberattacks - as the charge basis. The operation has been running since at least 2022. The seizure took the racks offline in a single coordinated action.
The technical interest is not the arrest. It is what 800 racked servers operating as a multi-tenant criminal hosting platform means for the actors who rented from it and the investigators who now hold the disks.
Bulletproof hosting at this scale is not a botnet. It is a commercial offering. A tenant pays in cryptocurrency, receives credentials for a VPS or a dedicated box, and operates from it. The provider’s value proposition is non-cooperation with law enforcement, ignoring abuse complaints, and accepting payment forms that obscure attribution. The technical surface looks like any commodity hosting operation - KVM hypervisors, Proxmox or OpenStack tenancy, BGP-announced address space, sometimes with reverse proxies fronting tenant infrastructure to hide origin IPs. The criminality lives in the policy layer, not the protocol layer.
The operational security failure that put this provider in front of Dutch prosecutors is structural. Bulletproof hosting cannot be run from a residence. It needs floor space, power, cooling, transit, and a physical address on a contract with an upstream. The two arrested individuals were locatable because the corporate veil around 800 physical servers does not extend to the lease, the power bill, the transit agreement, or the maintenance contracts. Pseudonymity at the wire level does not survive contact with commercial real estate.
The second failure is jurisdiction selection. The Netherlands has strong transit infrastructure, AMS-IX peering, and historically permissive hosting culture - which is also why it has strong cybercrime units and well-developed mutual legal assistance treaties. Operators who chose Dutch hosting on the assumption that Dutch privacy law would shield them confused civil privacy protection with criminal procedural shielding. Dutch law enforcement executes warrants. Disks get cloned. Memory gets captured where possible.
The third failure is the multi-tenant model itself. Every tenant on the platform is a witness against the operator. The provider does not need to participate in any specific attack - operating the infrastructure with knowledge of its use is sufficient under most cybercrime statutes, including the Dutch Computer Crime Act provisions covering knowing facilitation. Tenant logs, billing records, support tickets, and chat infrastructure between operator and customers all become evidence. A single tenant turned cooperative witness collapses the operator’s defence position.
The implication for the actors who rented from this provider is the more consequential part. Eight hundred servers handed to a forensic team is a discovery event for every campaign that touched the infrastructure. Cloned disks reveal C2 panels, ransomware affiliate dashboards, phishing kit installations, stealer log aggregation databases, and the credentials, wallets, and contact channels of the tenants who operated them. Even with full-disk encryption at the tenant level - which is uncommon on rented VPS instances because the provider holds the host key - KVM memory snapshots taken before the physical seizure can yield keys. Live forensic acquisition before power-off is standard practice for organised cybercrime operations now.
For renters, the operational impact follows three vectors. First, infrastructure burn. Every IP address announced from that ASN is now indicator-of-compromise material in defender feeds within hours. Cobalt Strike team servers, Sliver listeners, Mythic C2 instances, and Empire panels hosted on the platform are dead. The implants pointing at them are now beaconing into a sinkhole or a forensic capture VLAN. T1071 application layer protocol traffic going to those IPs is now a confirmed detection, not a suspicion.
Second, tenant attribution. Bulletproof hosting customers are not anonymous to the host. They authenticated to a control panel. They opened tickets. They paid through a wallet that touched the operator’s exchange address. Chain analysis from that exchange address forward identifies cluster patterns. Customer ledgers correlate against existing threat intelligence on ransomware affiliates, initial access brokers, and infostealer operators. Several named ransomware operations and a number of stealer C2 networks were reportedly resident on this platform - names will surface as charging documents are unsealed.
Third, campaign exposure. Stealer logs aggregated on these servers contain credentials, session cookies, and crypto wallet data harvested from victims. Those datasets become evidence of specific harms tied to specific tenants. Phishing kits hosted on the infrastructure include the operator’s exfiltration endpoint configuration, which doxes the operator’s secondary infrastructure. The blast radius for renters extends beyond the seized hardware into whatever secondary systems the seized hardware was pointing at.
The telemetry picture for defenders is more usable than the raw seizure suggests. Network detections looking for outbound connections to the announced address space were always available - the ASN was on multiple threat feeds, Spamhaus DROP listings, and abuse trackers prior to the seizure. The detection problem was not visibility. It was prioritisation. Outbound traffic to a flagged bulletproof ASN should fire as a high-confidence T1071 indicator on its own. Where SOCs failed to catch it, the failure was either feed integration, alert tuning that suppressed it, or proxy egress that obscured destination IP at the firewall.
For EDR-side detection, the seizure does not directly change posture. The implants beaconing to these servers were the existing detection surface - process injection patterns, T1055.012 process hollowing, suspicious child processes of Office binaries, LSASS access from non-standard processes, scheduled task creation under T1053.005. Sysmon Event ID 3 for network connection, Event ID 1 for process creation, and Event ID 10 for process access remain the core telemetry. The seizure changes what the destination IP means in retrospective hunts, not what the host-side behaviour looked like.
Where the gap sits is in everything that did not beacon. Bulletproof hosting also fronts phishing infrastructure that operates by lure delivery and credential capture without any malware touching the endpoint. That traffic is HTTPS to an attacker-controlled domain. The detection surface is DNS query patterns, certificate transparency log monitoring for newly issued certificates against brand-impersonation patterns, and inbound mail analysis. Endpoint telemetry will not see it because no endpoint code executes beyond a browser visiting a page. The seizure removes specific hosts but does not change the visibility gap on this class of attack.
The residual exposure after the seizure is significant. Eight hundred servers is a fraction of the bulletproof hosting market. Operators in jurisdictions less responsive to international cooperation absorb tenant overflow within days. Infrastructure rotation in ransomware and stealer operations is already a near-continuous process - the actors who were resident here had backup C2 staged elsewhere before the seizure landed, because that is the standard operating posture. The campaigns continue with new IPs and new domains. The detection feeds update. The cycle repeats.
The non-trivial change is investigative leverage. Eight hundred servers of seized evidence is not a denial-of-service event against criminal operations. It is a discovery event. The cases that follow from this seizure will run for years. Tenant identifications will produce arrests in other jurisdictions through Europol coordination. Wallet clusters will get pierced. Affiliates of named ransomware operations will appear in indictments that cite this infrastructure as the source of the evidence. The 60 named actors implied by Dutch reporting are the first wave, not the full count.
The operational lesson for defenders is narrower than the headline suggests. Bulletproof hosting takedowns do not solve the upstream problem - actor motivation, vulnerability supply, and victim exposure remain unchanged. They do produce a window of detection improvement as feeds update with new indicators derived from seized data. Hunt retroactively for connections to the announced ASN over the last 24 months in network logs. Correlate any hits against endpoint telemetry for the same time windows. The compromises you find in that exercise are the ones that pre-date the indicator becoming public.
The operational reality for offensive operators is also narrower. Infrastructure burns. Rotate. The actors who were already disciplined about segregating campaign infrastructure, using fresh redirectors per engagement, and avoiding persistent residency on any single hosting platform lose less here. The actors who treated bulletproof hosting as set-and-forget have a worse week. The platform was always a single point of failure. It just hadn’t failed yet.
What the seizure confirms is the structural fragility of the criminal hosting market. Eight hundred servers in two facilities. Two operators. One coordinated action ends the operation. The economics of bulletproof hosting depend on the operator absorbing legal risk in exchange for premium tenancy fees. When the risk crystallises, the entire platform terminates simultaneously. There is no graceful degradation. The model does not survive its own success - the bigger the platform, the louder the signal, the faster the investigation matures.
The arrests are not the end of the campaigns that ran on this infrastructure. They are the start of the evidentiary phase against the people who ran them.
See also: NordVPN for tunneled traffic when operating outside controlled networks.
#ad Contains an affiliate link.
Keep Reading
de-indexingServer returns 200, Google returns nothing
De-indexing removes content from Google's index, not the web - a complaint-driven, trust-based pipeline that lets implicated parties suppress public records.
IoT securityMirai's hardcoded logins still answer on 554
Open webcams indexed by Shodan and Censys are not a privacy footnote - they map insecure OEM firmware, exposed services, and supply chain risk.
residential proxiesThe device is the inventory
Smart TV apps embed residential proxy SDKs that turn devices into exit nodes. The trust failure lives in the build pipeline, not the hardware.
Stay in the loop
New writing delivered when it's ready. No schedule, no spam.