
Dutch FIOD Server Seizure: AS209847 Continues Scanning Despite Action
Cybersecurity, Network Scanning, Vulnerabilities, Server Seizure
A week after the Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate. The ELLIO research team reports that scanning activity from AS209847 (WorkTitans / THE.Hosting) has continued largely uninterrupted, despite some IP ranges being withdrawn from global routing. The remaining active ranges are targeting databases (MongoDB, Redis, PostgreSQL, Oracle, LDAP) and ICS/SCADA systems (DNP3, EtherNet/IP), as well as WinRM and known vulnerabilities such as CVE-2017-17215. Two related ASNs (AS213999 and AS33993) remain routed but inactive.