Sergey Shykevich, Group Manager Threat Intelligence, Check Point Research
In late May, Dutch investigators shut down a web hosting provider whose servers apparently served as a digital hub for several Iranian espionage campaigns. The case illustrates why, in cyber defense, it is not just individual IP addresses that matter, but entire infrastructure networks.

The seizure of around 800 servers from Dutch hosting provider WorkTitans by the Netherlands' financial crime investigation service (FIOD) was more than a routine law-enforcement action. Based on the available notes and current reporting, it disrupted an infrastructure that appears to have supported several active Iranian cyber operations at once.

At first glance, WorkTitans looked like just another internet infrastructure company. But the records suggest it was the successor to Stark Industries, a provider already sanctioned by the EU in 2025. Instead of shutting down, the operation appears to have continued under a new name, with the same technical assets and a different label.

What makes the case especially striking is that three Iranian threat groups reportedly used the same hosting environment. MuddyWater used it for command-and-control purposes, tying together phishing campaigns and custom malware such as BugSleep. Agrius, also known as UNC2428, used WorkTitans in a social-engineering campaign built around fake job offers, where victims were pushed to install a backdoor through a convincing hiring flow. Nimbus Manticore used the same infrastructure for recruiting lures aimed at people in aerospace and defense.

The case shows how cyber operations are organized today: not as isolated attacks, but as flexible partnerships between threat actors and infrastructure providers. That separation is exactly what makes the ecosystem so hard to disrupt. A single IP address may look harmless while the surrounding network has already been linked to phishing kits, malware delivery, and scanning activity.

For defenders, the real lesson is clear. Blocking individual IPs often only addresses the surface. More useful signals are patterns: repeated abuse across the same network, suspicious domain churn, and a hosting environment that keeps showing up in threat reporting. ASN reputation, passive DNS history, and behavioral signals from internal logs often provide the earliest warning.
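To make that lesson concrete, the following is an added Python example, written for this page and not code from the article, from Check Point Research or from any investigation. It scores an IP by the reputation of the network it sits in (ASN, abuse reports across the whole network, breadth of abuse categories, and passive DNS domain churn) rather than by the IP's own record alone. Every ASN number, prefix, IP address, domain, date and scoring weight is a constructed placeholder; in practice the two input tables would be fed from an abuse-report feed and a passive DNS source.

```python
"""
Network-level reputation scoring: judge an IP by its hosting context
(ASN / prefix) rather than by the IP in isolation.

All data below is CONSTRUCTED for illustration: the ASNs, prefixes, IPs,
domains and dates are placeholders, not indicators from any report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed analysis date used as the default "now" for the window maths.
TODAY = date(2025, 6, 10)

# Prefix -> ASN mapping (placeholder private-use ASNs).
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500,  # hypothetical permissive hoster
    "203.0.113.0/24": 64500,   # same hoster, second prefix
    "192.0.2.0/24": 64501,     # hypothetical ordinary hoster
}
NETWORKS = [(ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

# Abuse reports: (ip, category, report_date). Constructed sample feed.
ABUSE_REPORTS = [
    ("198.51.100.10", "phishing", date(2025, 6, 1)),
    ("198.51.100.23", "malware-c2", date(2025, 6, 3)),
    ("203.0.113.7", "scanning", date(2025, 6, 5)),
    ("203.0.113.9", "phishing", date(2025, 6, 9)),
    ("192.0.2.50", "scanning", date(2025, 6, 2)),
]

# Passive DNS: (ip, domain, first_seen). Constructed sample feed.
PASSIVE_DNS = [
    ("198.51.100.10", "careers-portal-a.example", date(2025, 5, 20)),
    ("198.51.100.10", "careers-portal-b.example", date(2025, 5, 28)),
    ("198.51.100.10", "hr-update-c.example", date(2025, 6, 4)),
    ("198.51.100.44", "jobs-offer-d.example", date(2025, 6, 6)),  # IP with no reports of its own
    ("192.0.2.50", "static-site.example", date(2024, 1, 15)),
]


def asn_for(ip: str):
    """Longest-match-free lookup: prefixes here do not overlap, so first hit wins."""
    addr = ip_address(ip)
    for net, asn in NETWORKS:
        if addr in net:
            return asn
    return None


@dataclass
class NetworkProfile:
    asn: int
    abuse_reports: int        # reports inside the window, network-wide
    abuse_categories: set     # distinct abuse types seen network-wide
    new_domains: int          # domains first seen inside the window (churn)
    distinct_ips: int         # hosts in this ASN appearing in either feed

    @property
    def score(self) -> int:
        # Illustrative weights: breadth of abuse types and domain churn count
        # more than raw volume, since they reflect sustained, varied use of
        # the network rather than one noisy host.
        return 2 * self.abuse_reports + 3 * len(self.abuse_categories) + self.new_domains


def profile_network(asn: int, today: date = TODAY, window_days: int = 30) -> NetworkProfile:
    """Aggregate both feeds over every IP that maps to the given ASN."""
    since = today - timedelta(days=window_days)
    reports = [r for r in ABUSE_REPORTS if asn_for(r[0]) == asn and r[2] >= since]
    pdns = [p for p in PASSIVE_DNS if asn_for(p[0]) == asn]
    new_domains = sum(1 for _, _, first_seen in pdns if first_seen >= since)
    ips = {r[0] for r in reports} | {p[0] for p in pdns}
    return NetworkProfile(asn, len(reports), {r[1] for r in reports}, new_domains, len(ips))


def assess_ip(ip: str, today: date = TODAY, review_threshold: int = 10) -> dict:
    """Verdict for one IP: its own reports still block it, but an IP with a
    clean record inside a heavily abused network is flagged for review."""
    asn = asn_for(ip)
    own_reports = [r for r in ABUSE_REPORTS if r[0] == ip]
    profile = profile_network(asn, today) if asn is not None else None
    network_score = profile.score if profile else 0
    if own_reports:
        verdict = "block"
    elif network_score >= review_threshold:
        verdict = "review"
    else:
        verdict = "allow"
    return {"ip": ip, "asn": asn, "own_reports": len(own_reports),
            "network_score": network_score, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("198.51.100.44", "192.0.2.60", "192.0.2.50"):
        print(assess_ip(ip))
```

Run as written, `198.51.100.44` has no abuse reports of its own yet lands on "review" because the network it shares with three reported hosts scores 21 (four reports, three abuse categories, four freshly registered domains), while `192.0.2.60` in the ordinary hoster's range stays on "allow". The weights and threshold are the part a team would tune against its own telemetry; the structure, aggregating per network before judging per IP, is the point.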

What makes WorkTitans notable is that one enforcement action was enough to disrupt multiple campaigns at once. The case underscores how dependent state-linked cyber actors are on resilient hosting infrastructure, and how quickly an outage can throw their operations off balance.

The infrastructure was also reportedly used beyond espionage. According to the notes, WorkTitans was involved in scanning IP cameras in the Middle East, showing that it supported more than just headline-grabbing operations. In practice, hosting providers like this can support entire attack chains, not just traffic routing.

Sergey Shykevich, Group Manager of Threat Intelligence at Check Point Research, puts it this way: “The seizure of WorkTitans demonstrates how permissive hosting environments are quietly becoming a shared infrastructure for multiple state-sponsored actors operating completely independently of one another. The lesson for defenders applies not only to these specific groups—rather, it is that the reputation of a single hosting provider can be a more reliable threat indicator than any individual IP address. If you evaluate IPs in isolation, you miss the bigger picture.”

Conclusion

The seizure of WorkTitans was a success for law enforcement. However, it also made clear that the most persistent cyber threats rarely depend on a single vulnerability. They exploit the gaps between what defenders check individually and what they collectively overlook. Closing these gaps is where the real work begins.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
