A Stark connection
From Seychelles to Netherlands, a bulletproof hosting journey
From time to time, I revisit my previous findings to follow up on them and see if there are any updates worth mentioning. Affected by the subject of my previous post about the AEZA related bulletproof hosting provider, I wanted to check up on an old report I wrote about Stark Industries Solutions, and that idea did not disappoint.
TL;DR Version
Intro - Stark Industries
Stark Industries was a controversial hosting provider linked to Russian state sponsored actors as well as various financially motivated threat actors. The company was created around the time Russia invaded Ukraine and it was seen by many as a strategic move to facilitate influence and various malicious operations. However, after multiple cybersec companies reported on Stark Industries, the company showed some willigness to fight against the malicious actions that were taking place in their infra and complied with takedown requests.
That being said, on May 20, 2025 the EU council decided to impose additional restrictive measures against 21 individuals and 6 entities responsible for Russia’s destabilising actions abroad, including the Neculiti brothers (CEO & Owner).
Adapt Improvise Overcome
You would expect this would be the end of that provider but actually, that’s where things start to get interesting.
To avoid any business disruptions the company’s operators took actions days before the aforementioned actions. These actions included the infra move from Stark Industries to an entity named PQ Hosting SRL, a company that was tied to the Neculiti brothers through the Pandora papers. Reading the linked report also tied the Neculiti brothers to yet another bullet proof hosting provider called Morenehost.
The connection from Stark to PQ Hosting was through an opsec mistake, the reuse of the same phone number on one of their ASN registrations which tied the old infra to PQ hosting.
Furthermore, on my previous post about Stark I found that many of the malicious traffic was originating or pointing back to the ASN44477, previously registered to Stark Industries and currently named as “The-Hosting” which is associated with PQ Hosting.
Move to the Netherlands
I guess the company’s operators figured out the same thing that I did. Starting a business in the Netherlands is very easy and the taxes aren’t that bad, that’s probably why they decided to create their new entity here in the Netherlands. Digging a little deeper on the company’s registrations and IP netblocks, I found that almost all of the networks are now under a Dutch company called “WorkTitans B.V” registered to the chamber of commerce which raises a question.
The previous infra was hosted in countries that do not need to comply with EU sanctions, however, that’s not the case for the Netherlands. So I am left wondering what pushed them to that decision.
Wrapping Up
I am sure there are things I have missed so please feel free to reach out and follow up on this. I will start tracking the netblocks to see if any malicious traffic flows to or from these networks and I will also try to track and associate campaigns.
My main question remains however: Why Netherlands? Is there a regulatory gap that we are missing? Please share if you have any insights.
As always, hope you are all doing well. Take care!
Sources
https://correctiv.org/faktencheck/russland-ukraine/2024/05/16/hacks-und-propaganda-zwei-brueder-aus-moldau-tragen-russlands-digitalen-krieg-nach-europa/#:~:text=web%20hosting%20service%2C-,Morenehost,-%2C%20writes%20the%20IT
https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/
https://offshoreleaks.icij.org/nodes/240120865