The only thing that has changed is the list of agencies that have taken an interest, with little success, in the activities of the company \u2013 the police, the Dutch Fiscal Intelligence and Investigation Service (FIOD), the Ministry of Justice and Europol. That list has only grown longer, research by NRC<\/em> has shown. Meanwhile, Ecatel\u2019s owners continue to earn large sums of money from the cesspool of the internet in a data centre in the province of Noord-Holland. <\/p>\n Several times a week, two distinctive individuals from The Hague arrive in a car at an industrial site in Wormer, a town about thirteen kilometres north-west of Amsterdam. They are Bap K., a 75-year-old man wearing tinted glasses, and his 34-year-old business partner in The Hague, Reinier van E., a large, bald, muscular figure in a tracksuit. They often bring two dogs with them to work. They bark at passers-by from the data centre\u2019s front garden. <\/p>\n The story begins on 13 May 2002. Bartholomeus Johannes K., then aged 56, forms a company that he calls Colinks, describing it as an \u2018automation service agency\u2019. Bap, as he calls himself, was born in The Hague, lived for a while in South Africa, and now plans to earn his money in the rapidly growing hosting business. The Netherlands is a stable country and an excellent location for the business with its reliable energy network and the large deep-sea internet cables that come ashore in the country. Bap quickly hires Reinier van E., a teenager from The Hague, to take care of the technology. <\/p>\n Together they start a hosting company, with Bap handling the administration and Reinier the computers. For a fee, clients can rent a server from them on which to run their internet service. Bap and Reinier arrange the computers, the energy and the internet access \u2013 a little like a landlord letting a room \u2013 and the clients operate their own online business from that location. What customers do with their rented server is entirely up to them. Some cut up their space on the server into hundreds of units and sublet them to others. <\/p>\n In the ensuing years, Bap and Reinier build a complex web of private companies in various countries. Reinier has only just reached adulthood when he and Bap form the British limited company Ecatel, at an address in Kent that also houses hundreds of other shell companies. Their other hosting companies, or variations of them, are given names like Novogara, DataZone, Reba Communications, FiberXpress, B&R Holding, iQarus, Incrediserve and Linkup. Some of the companies carry on precisely the same activities from the same address, but under a different name. Some of the companies offer to sublet servers, as though the men were their own clients. Other companies surface \u2013 according to the authorities \u2013 belonging to the men \u2013 such as Quasi Networks and IP Volume, with anonymous directors in the Seychelles. Years after its establishment, a British company is registered in the name of the data centre\u2019s caretaker, who lives in a flat in Zaandam. <\/p>\n Almost from the beginning there are complaints about the two men. If equipment they order is not available they are immediately at the door with a complaint, one dealer wrote on a website in 2004. \u201eUnfortunately not in a normal fashion, so I\u2019m finished with them.\u201d Another grumbles that Bap and Reinier will not listen to complaints about spam \u2013 unwanted, bulk emails usually sent with the intention of persuading people to part with their money \u2013 originating from their servers. \u201eAnd we have a whole laundry list of other junk that is hosted by those guys,\u201d someone writes. \u201eI have already tried a number of times to contact them via their abuse reporting centre and helpdesk, but that\u2019s like sending mail into a black hole.\u201d <\/p>\n The crude style of doing business continues. After a dispute over an unpaid energy bill in 2011, Bap and Reinier leave a data centre in Alphen aan den Rijn to start one of their own. They move into the former Regional Computer Centre for Health Insurers in Wormer, twenty minutes north of Amsterdam. The unobtrusive building is hidden away at the end of a cul de sac on the local industrial site. The corridors and halls in the enormous computer centre are large and empty and only a small area of the building is occupied.<\/p>\n From the front, the data centre looks like a normal business, with a neat path leading up to a glass entrance with the bright-blue logo of DataOne above it. A handful of people are hired for the technology and maintenance. <\/p>\n But things are not so slick behind the fa\u00e7ade, according to people who visited the company<\/p>\n<\/blockquote>\n But things are not so slick behind the fa\u00e7ade, according to people who visited the company. The muscular Reinier can often be found behind the stove in the enormous industrial kitchen frying a pan of eggs for himself. Items regularly catch fire in a barrel beside the waste containers. The atmosphere is usually cheerful, as the older Bap again starts bragging about flying adventures and all the women he has slept with. At their ease, the two discuss threatened legal actions. But the tone can change suddenly. \u201cThen it is immediately a stream of curses, \u2018fuck off, fucking this, fucking that\u2019\u201d, says one source. <\/p>\n One client tells of the time that the super-fit Reinier chased after him waving an axe. He had come to remove his computers and Reinier felt he was entitled to a large sum of cash. The client did not report the incident to the police because he himself had then given Reinier \u2018a sharp nudge\u2019 with his car. <\/p>\n Bap and Reinier\u2019s business model has also not changed over the years. That model is: know nothing, respond to no one, be obstructive. <\/p>\n And it works, because Dutch law states that a hosting company cannot be prosecuted for the actions of those who hire its servers. It is impossible for a hosting company to know the content of every byte on those servers. But hosting companies are required to take action if they are informed of the presence of illegal content. The question is how quickly and how actively they do so. <\/p>\n For a fee \u2013 generally in anonymous cryptocurrencies like bitcoin \u2013 customers are actually shielded by Bap and Reinier, according to sources. When the hoster receives an official request from the US to remove copyrighted materials \u2013 a DMCA takedown notice \u2013 the men do nothing about it, says a person who saw it happen. \u201eDMCAs are just tossed in the wastepaper basket.\u201d Subletters even advertise this \u2018service\u2019. \u201eDMCA ignored<\/em>\u201d reads one advertisement offering space in the \u201estate of the art Ecatel DataCenter, located in Amsterdam<\/em>\u201d. Spammers who keep sending unwanted bulk mailings have no reason to worry, says anti-spam organisation Spamhaus. It stops briefly after a complaint, but \u201eafter three days\u201d it resumes from another location in the network, says data analyst Carel Bitter, who sent a list with more than 1,500 reports of spam, malware and other malicious material originating from the men\u2019s network. <\/p>\n The Dutch Centre of Expertise for Online Child Abuse (EOKM) also comes up against a brick wall in confrontations with the two men. When the EOKM\u2019s hotline learns of dubious material on the duo\u2019s network, it sends a notification to their company. It has been agreed in the sector that material must be taken offline after a notification. But it regularly occurs that the hotline first has to prove to the client of The Hague duo that the child in the image is actually a minor. If the notifications in fact arrive, that is, since the staff of the EOKM have found that they sometimes end up in the spam folder or that the hotline\u2019s email address has suddenly been blocked. For reasons that are unclear, the web form that the two men drew up for reporting gruesome images is designed in such a way that the system can only handle five reports an hour. That is unworkable, according to the hotline. <\/p>\n Foot-dragging and obstruction are the tactics they employ, agrees Jos Klaus, a lawyer who brought a case against Ecatel for a consortium of watchmakers in 2013. His clients had found that various fake versions of their expensive watches were being sold on sites hosted by the company. Communication with the company proved a struggle. Bap only replied to the first letter after a week, says Klaus. When Bap received the IP addresses that he had asked for, he replied that he would only accept the letter in Word format, not in PDF, says Klaus. \u201eThe reason was that he wanted to \u2018cut and paste\u2019.\u201d Nothing more happened after that, leaving Klaus with no choice but to institute proceedings and Ecatel had to be ordered to remove the websites by the court. <\/p>\n Tim Kuik, director of copyright organisation BREIN, says he was told by the men that he had to stop sending legally formulated letters of complaint. \u201eThey wanted a meeting where I would tell them what was wrong in a jovial tone, and then they might look at it.\u201d At the same time, they hid behind their web of companies. In 2017, Kuik had to issue a writ against the men to get them to provide information about one of their international companies. They denied any involvement and referred the matter to their caretaker, who was named as the company\u2019s director. He appeared nervous as he told his story in court. <\/p>\n Throughout the years, the complaints keep on coming. Zeus, a large botnet used to steal bank details and to install ransomware on computers, is found to be running partly on servers managed by them. Football matches in the English Premier League are being streamed via their network without the organisation\u2019s consent. Clients that have been turned away by legitimate internet companies switch over to Ecatel. A former employee of competitor LeaseWeb: \u201eWe would then see them resurfacing on Ecatel.\u201d<\/p>\n The Dutch police\u2019s High Tech Crime Team knows that things are not right at Ecatel. Around the time of Jart Armin\u2019s visit to Driebergen in 2012, they turn up at the former computer centre in Wormer with notable frequency. International investigative services are regularly looking for a client of the two men and at their request the Dutch police have come to copy a server at the men\u2019s company. <\/p>\n Bap and Reinier are usually unconcerned about the arrival of the police. They feel invulnerable. On one occasion the police had arrived in response to a request from the US, says a source. Would they like a cup of coffee? A guided tour? During an inspection of a diesel generator, Reinier told the police with a smile that he had programmed it himself and given the electrician a few hundred euro to attach a seal to it. <\/p>\n There are other times when the visits proceed less smoothly and the police officers have to threaten to break down the front door unless it is quickly opened. But it remains a game of cat and mouse without any consequences. According to sources, the Public Prosecution Service had no interest in a serious criminal investigation to show malicious intent on the part of Bap and Reinier. <\/p>\n However, a growing number of agencies start to take an interest in Ecatel during this period. The company\u2019s name regularly crops up at meetings of a working group that oversees the \u2018notice and takedown\u2019 code of conduct. This voluntary code was drawn up by the internet sector in 2008 at the request of the government and provides that in the event of a report of child pornography or other banned material, hosting companies must immediately take the information offline. <\/p>\n The code of conduct works well, says the chair of the working group, Maarten Simon of domain registration agency SIDN, but the volume of child pornography in the Netherlands has remained appallingly high. \u201eOne name that always came up over the years was Ecatel. It had never endorsed the code of conduct and did not adhere to it. That undermined the code.\u201d Why is nothing being done about this, Simon asked at a meeting with representatives of the police, the prosecution service and the ministry of Justice. \u201eIt is difficult,\u201d they said. \u201eIf we issue an order to remove material, they remove it just in time.\u201d Alex de Joode, now a compliance officer with the internet hub AMS-IX, attended those talks. \u201eEveryone said: we have to do something about them. But it was not a priority. It was apparently not an exciting project.\u201d <\/p>\n In 2015, the High Tech Crime Team approached professor of cybersecurity Michel van Eeten at TU Delft. \u201eThe top of the police force was sick and tired of being criticised at international police conferences about all the garbage standing on servers in the Netherlands,\u201d they said. \u201eEveryone knows about Ecatel,\u201d they added. But it was all anecdotal evidence. Gossip, rumour and poor statistics. The question was whether we could prove which Dutch hosters were spreading the most garbage.\u201d<\/p>\n Van Eeten helped the police by providing a list in which he compared the volume of harmful activity from a network \u2013 child pornography, cyberattacks, spam and phishing \u2013 with the size of the company, he said via Teams. Ecatel was in the top ten. \u201eBut that doesn\u2019t actually help at all. You have to measure how willing a company is to remove the nasty material. And even that tells you nothing, because a consciously malicious hoster will in fact do his best to look good and will react to notifications, while in the background helping his client, by quickly relocating a site for example.\u201d You actually have to show that a company is consciously cooperating with criminal behaviour, says Van Eeten. \u201eBut that is very difficult to prove. This has frustrated the police for years.\u201d<\/p>\n The state of affairs changed when Ferd Grapperhaus of the conservative party CDA took office as minister of Justice in 2017. It quickly became clear to everyone that Grapperhaus was thunderstruck by the Netherlands\u2019 position in the worldwide rankings of countries hosting child pornography. He was determined to do something about it. He told The New York Times<\/em>, which had identified the men in Wormer in an investigation into three notorious child pornography websites: \u201eI did not realise the extent of the cruelty, or how far it goes.\u201d Among the large quantities of photos of laughing children in sexy poses, the sites also contained explicit and violent images with babies and infants.<\/p>\n In March 2018, a large group assembled for a meeting chaired by the Dutch ministry of Justice and Security. The national public prosecutor for child pornography was present, as well as representatives of the working group for the hosting sector\u2019s code of conduct, the internet sector, the ministry of economic affairs, the EOKM, the police\u2019s child abuse team in Zoetermeer and professor Van Eeten from TU Delft. <\/p>\n Among the large quantities of photos of laughing children in sexy poses, the sites also contained explicit and violent images with babies and infants<\/p>\n<\/blockquote>\n Grapperhaus instituted a number of measures. A technical system for detecting child pornography \u2013 a hashcheckserver<\/em> \u2013 would be set up that hosting companies could join. Images, discovered during criminal cases in the Netherlands and elsewhere, that were stored by hosting companies and appeared in the system would have to be removed immediately. Civil servants would explore the possibility of establishing a \u2018content authority\u2019 with powers to impose fines on recalcitrant hosters. The code of conduct would also be less voluntary in nature. Companies would have to respond to a notification from the child pornography hotline without discussion within 24 hours and Van Eeten would be asked to monitor compliance by companies. At the urging of the Dutch House of Representatives, Grapperhaus would publish Van Eeten\u2019s list of companies that did not comply: naming and shaming<\/em>.<\/p>\n This led to the appearance of a first public report at the end of 2020, in which the hosting company IP Volume came alternatively second and third in the rankings of the principal sources of child pornography in the Netherlands. Despite its registration in the Seychelles, the agencies all assumed that IP Volume operates from the Netherlands and is one of the maze of small internet companies built up around the two men from The Hague. <\/p>\n But Van Eeten was unable to tell how quickly IP Volume responded to notifications from the child pornography hotline. In a letter to parliament in October 2020, Grapperhaus explained that IP Volume \u201edoes not cooperate and even erects (technical) obstacles\u201d to the hotline. The notifications are therefore being sent by the police in order to increase their \u201ebinding nature\u201d. But, Grapperhaus also observes, none of this really helps \u2013 IP Volume remains lax.<\/p>\n In the wake of his roundtable meeting, the minister instructs his officials to explore what measures can be taken under criminal law against malicious hosting companies. It proves very difficult. It not only has to be shown that a company is consciously facilitating the client, the exceptional international character of the internet is also an obstacle. The question is always who is responsible for the illegal content and whether the content is on a site that has been sublet or has been diverted to another country. What if the country where a client is registered will not cooperate with a criminal investigation? And what if the client cannot be found? The internet is everywhere and nowhere at the same time. <\/p>\n At the end of 2019, another agency appears on the list of authorities that are interested in the men from The Hague. That is the European police agency, Europol. <\/p>\n It becomes involved through the work of internet activist and investigator Ron Guilmette, who is watching angrily from the other side of the world in the United States. Guilmette is an internet veteran, who worked on the world wide web when it was still called ARPAnet in the 1980s. In the following decade, he observed with dismay as the fantastic scientific project, based on voluntary agreements between well-meaning parties, filled up with filth and spam. He has a particular hatred for spam. \u201eIt is a strange fascination,\u201d he says via Skype. \u201eI simply wanted to preserve email for humanity. Spammers are destroying that.\u201d <\/p>\n In his nightly hunts for spammers, Guilmette came across something strange: a possible theft of an enormous series of IP addresses, with a street value in the millions of dollars. The addresses belonged to African companies and organisations, but seemed to be managed by a small company in Wormer. He wrote outraged posts about it on mailing lists of network operators, but there was no reaction. <\/p>\n Together with a South African journalist, Guilmette worked out how the putative theft must have occurred. In a technical journal they described how an Israeli businessman had falsified the information about the ownership of the IP addresses at the internet authority for Africa. They described how the addresses ended up with a businessman in the Dutch province of Limburg and then came to be managed by Bap and Reinier\u2019s network. <\/p>\n It is no coincidence that the African addresses acquired in this dubious fashion reached the two men, said Guilmette via Skype. \u201eEveryone, every website, every device connected to internet needs an IP address, otherwise the data doesn\u2019t arrive,\u201d he said. \u201eBut as everyone knows, the IP addresses are running out and are therefore worth a lot of money.\u201d Malicious individuals need even more IP addresses, he adds. \u201eTheir addresses are often blocked after some time and then they need new addresses for their spam and their attacks.\u201d <\/p>\n There was little follow-up to the articles, except that the African internet authority publicly acknowledged at the beginning of this year that there is something strange going on with those addresses and that it had lost 2.4 million IP addresses. <\/p>\n Frustrated, in September 2019 Guilmette personally contacted Europol about the company run by the two men from The Hague. They asked to meet him, together with the Dutch High Tech Crime Team and the FIOD. A Skype meeting was then arranged with a team of police officers and civil servants at which Guilmette laid out what he had discovered. \u201eThey wanted to know everything and said they would let me know what was being done with the information. But I never heard anything more from them.\u201d <\/p>\n On the morning of 22 September 2020, twenty cars and vans are lined up at the door to the data centre in Wormer. The car park is full. The FIOD is out in force. Bap and Reinier have to go with them, together with the caretaker, but he is released immediately after being questioned. He has not been seen since at the data centre. <\/p>\n A report of the visit later appears on the pubic prosecution service\u2019s website stating that the tax authorities had raided a \u2018bulletproof hoster<\/em>\u2019 with seven enterprises, including at least one based in the Seychelles. The public prosecution service believes that the business has avoided paying hundreds of thousands of euro in tax. \u201eMany clients pay in bitcoin and that income was siphoned off through veiled constructions.\u201d The FIOD seized the company\u2019s records, 70,000 euro in cash and hundreds of thousands in bitcoins, as well as five cars and two tasers. <\/p>\n Was this the best strategy? <\/p>\n Every route had run into a dead end and no one at the agencies knew what to do any more, according to a number of sources. So it was decided to set the FIOD on them. Various individuals referred separately to the case of American gangster Al Capone. \u201eHe could also not be caught for anything but tax evasion.\u201d<\/p>\n Whether the cesspool has now been cleaned up remains to be seen. People say it was very quiet around the former computing centre for a while, but cars have recently been seen coming and going again. <\/p>\n Bap and Reinier would not comment on the raid. \u201eHow do you reach the conclusion that the report on the public prosecution service\u2019s website refers to me or to companies associated with me?\u201d Bap said in a written reaction to NRC<\/em>.<\/p>\n The FIOD seized the company\u2019s records, 70,000 euro in cash and hundreds of thousands in bitcoins, as well as five cars and two tasers<\/p>\n<\/blockquote>\n The men were unwilling to be interviewed by the reporters. But Bap did send three written replies to questions, in which he denied that his network has been used to send malware, manage a botnet or sell fake watches. Above all, he wanted to emphasise that he and his companies play no role in the spread of child pornography. \u201eWhen anyone reports something that is prohibited by law, action is taken immediately,\u201d he wrote.<\/p>\n It is the child pornography hotline that is uncooperative, Bap asserts. It often sends false notifications with reference to images that are not on their servers and refuses to use a tool that he has had developed to report images. That tool can now handle more than five reports an hour, he wrote.<\/p>\n Bap feels that minister Grapperhaus was wrong to mention the name of IP Volume as a company that responds poorly to notifications of child pornography, blaming it on incorrect reports. \u201eIP Volume has demanded a rectification from the minister.\u201d Furthermore, he is not the director of IP Volume, he wrote. The director is in the Seychelles. The fact that his business partner Reinier handles the correspondence for IP Volume \u201edoes not automatically mean that he is the director.\u201d<\/p>\n Surely someone must be able to put an end to these two men\u2019s activities, Ron Guilmette grumbles on Skype. \u201eTwo men who allow so much sleaze to appear on the world wide web. I simply don\u2019t understand it. It is really a lack of interest on the part of the internet community and the authorities. And that in a decent country like the Netherlands.\u201d<\/p>\n For the time being, the internet community is doing little. On the internet, which is in fact a network of smaller networks, not everyone is connected to everyone else. Neighbours have to pass on data. If the companies that give IP Volume access to the rest of the internet were all to decide to stop doing so, the company could no longer operate on the internet. This is called de-peering<\/em>, and it does occur very sporadically. <\/p>\n But it is highly controversial, says Guilmette. It flies in the face of the voluntary, decentralised structure of the internet. That is why the largest hub, the Amsterdam Internet Exchange, say they won\u2019t do it. A spokesman for the exchange: \u201eWe are only a highway, we have nothing to do with the content. You surely can\u2019t expect us to paternalistically review what such a party is hosting?\u201d <\/p>\n The men have been listening a little more carefully recently, says Arda Gerkens, the director of the EOKM. The hotline has received 24 reports of child abuse this year. \u201eThat is significantly fewer than usual. Pressure works.\u201d But that pressure has to be maintained. Gerkens: \u201eEvery hosting provider faces this problem, some more than others. There are some that pull out all the stops to clean up their act as quickly as possible. Some could do better, but they do remove material without discussion within 24 hours. And then you have one that always causes trouble, and that is IP Volume.\u201d<\/p>\n They also listen a little to Spamhaus, says Carel Bitter. \u201eBecause if they are blocked, their data will no longer arrive.\u201d But the police should actually shut the place down, says Bitter. \u201eIt seems as though the public prosecution service does not have the will to conduct a proper investigation into this extremely bad host.\u201d Most of the cyber attacks do not affect Dutch targets. The victims of child pornography are generally not Dutch children. \u201eThe problem is apparently not serious enough.\u201d <\/p>\n Bitter wonders why a hoster is not required to know more about its clients. \u201eBanks have to know who they are doing business with.\u201d An email address as a contact detail should not be enough. <\/p>\n Internet activist Jart Armin is also frustrated. \u201eYou know, I have had some real successes. We harried the Russian Business Network. We brought down the notorious hosting company McColo. I see the fact that Ecatel still exists as one of my greatest failures.\u201d <\/p>\n \u201eYour self-image is simply wrong\u201d, he says. \u201eI was at a conference on cybersecurity years ago and met your minister of justice,\u201d \u2013 he vaguely recognises a photo of one of Grapperhaus\u2019s predecessors, Ivo Opstelten. \u201eI told him about Ecatel. \u2018That is incorrect,\u2019 the minister said. \u2018The Dutch internet is very clean. We check that every day.\u2019 You apparently still believe that.\u201d <\/p>\n Illustrations: Roland Blokhuizen<\/strong><\/p>\nComplex web<\/h2>\n
![](\"https:\/\/images.nrc.nl\/MP6R_G8Z-lVd59wKyDDBzLImE5w=\/1360x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269561-d5b42b.jpg%7C\/\/images.nrc.nl\/QAFby1FovWrJDd1e3yQuTgcrVjM=\/1920x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269561-d5b42b.jpg\")
<\/p>\nAttack with an axe<\/h2>\n
\n
Shielding clients<\/h2>\n
![](\"https:\/\/images.nrc.nl\/kzMlurCFdmsddurbu17OPCV0Fl8=\/1360x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269558-7a4ec9.jpg%7C\/\/images.nrc.nl\/7rScbcr_8WlBIWhK_QINK41KZcs=\/1920x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269558-7a4ec9.jpg\")
<\/p>\nJovial tone<\/h2>\n
Cat-and-mouse game<\/h2>\n
![](\"https:\/\/images.nrc.nl\/LIr4wBEd-gini_4Pd5Cv42ico5k=\/1360x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269557-5cc92f.jpg%7C\/\/images.nrc.nl\/znsMbT873GE8qOgUbECE-q6Pqqk=\/1920x\/smart\/filters:no_upscale():strip_icc()\/s3\/static.nrc.nl\/bvhw\/files\/2021\/04\/data69269557-5cc92f.jpg\")
<\/p>\nDetection system<\/h2>\n
\n
Theft of IP addresses<\/h2>\n
Raid<\/h2>\n
\n
Little action<\/h2>\n