Dutch raid hits Russian host but core network lives on

Dutch investigators have seized more than 800 servers linked to Russian bulletproof hosting provider THE.Hosting, but researchers say the takedown left much of the operation’s core IP space untouched and still actively scanning networks across the European Union.

In an analysis of the infrastructure published after the raid, researchers at Ellio reported that Dutch authorities confiscated hundreds of servers from data centers in the Netherlands on 18 May 2026, disrupting a hosting network that prosecutors allege supported a wide spectrum of criminal operations targeting EU organizations.[source] According to the same report, two individuals believed to be operators of THE.Hosting were arrested, but the provider’s main IP blocks—registered to Russian entities—were not revoked and remain reachable on the public internet.

Ellio’s researchers describe THE.Hosting as a “bulletproof” provider that has advertised itself as a haven for customers whose services are likely to attract complaints or takedown requests, including phishing pages, malware command-and-control servers and content tied to information operations.[source] The network shows links to infrastructure previously associated with Russia-based Aeza Group, a bulletproof host sanctioned by the U.S. Treasury’s Office of Foreign Assets Control in 2025 for supporting ransomware gangs, dark-web markets and other cybercrime-as-a-service offerings.[source] While researchers stop short of asserting that the same people control both operations, they note overlapping technical indicators and similar service profiles.

Despite the seizures, a large share of the IP addresses historically used by THE.Hosting continues to generate unsolicited traffic consistent with automated scanning, exploitation attempts and credential-stuffing probes against web services, VPN endpoints and email infrastructure across Europe.[source] Ellio’s telemetry suggests that many of these systems now operate from Russia or other jurisdictions beyond the reach of Dutch warrants, underscoring how bulletproof providers can rapidly reconstitute parts of their operations even after sizable law-enforcement actions.

No specific vulnerabilities are highlighted as uniquely tied to THE.Hosting’s infrastructure. Ellio notes, however, that the network’s scanning patterns track closely with widely exploited, high-severity bugs cataloged by authorities such as the U.S. Cybersecurity and Infrastructure Security Agency, whose Known Exploited Vulnerabilities list includes flaws like CVE-2023-23397 in Microsoft Outlook alongside other remote-code-execution and authentication-bypass issues routinely abused by criminal and state-linked actors.[source] Because the activity consists of mass scanning and opportunistic exploitation, any unpatched, internet-facing service is a potential target, regardless of sector or geography.

For defenders, the mixed outcome of the Dutch operation illustrates both the value and the limits of infrastructure takedowns against bulletproof hosts. Security teams are urged to monitor for connections to IP ranges historically associated with THE.Hosting, apply patches for known exploited vulnerabilities as soon as practicable, and enforce basic hardening measures such as multifactor authentication and network segmentation. Ellio’s researchers argue that sustained pressure—combining law-enforcement seizures, financial sanctions like those imposed on Aeza Group by OFAC, and coordinated reporting by hosting providers and security vendors—will be needed to meaningfully erode the business models of Russian bulletproof networks that continue to provide safe harbor for high-impact cybercrime.
