Digital Shadows: Dutch Authorities Dismantle Hosting Network Linked to Russian State Cyber Operations

In a high-stakes operation targeting the digital infrastructure underpinning Russian hybrid warfare, Dutch financial crime investigators have arrested the co-owners of two prominent Internet hosting firms. The arrests mark a significant escalation in the European Union’s efforts to neutralize the technical backbone used by Kremlin-linked actors to conduct cyberattacks, disseminate disinformation, and influence democratic processes across the continent.
The Dutch Tax Intelligence and Investigation Service (FIOD) confirmed the arrests of a 57-year-old Amsterdam resident and a 39-year-old from The Hague on May 18. The suspects are accused of flagrant violations of EU sanctions law by providing critical economic and technical resources to entities already blacklisted for their role in facilitating cyber-espionage and state-sponsored digital disruption.
The investigation centers on the symbiotic relationship between these Dutch-based entities and the notorious hosting provider "Stark Industries Solutions," a firm that has served as a primary staging ground for Russian intelligence-backed cyber mischief since the initial stages of the invasion of Ukraine.
The Anatomy of an Investigation: A Chronology
The collapse of this hosting network did not happen overnight; it was the result of a long-term intelligence-led investigation fueled by persistent investigative reporting.
2022: The Birth of Stark Industries
Just two weeks before the full-scale Russian invasion of Ukraine in February 2022, Stark Industries Solutions materialized. It quickly established itself as a "bulletproof" host, providing the infrastructure for massive Distributed Denial of Service (DDoS) attacks against European government institutions and private sectors.
2024: Identifying the Conduits
By May 2024, deep-dive investigations—including detailed reports by KrebsOnSecurity—began to map the supply chain of these attacks. The investigations identified the Moldovan-linked PQHosting and brothers Ivan and Yuri Neculiti as key facilitators providing connectivity to Stark.
2025: Sanctions and Evasion
In May 2025, the European Union formally sanctioned PQHosting and the Neculiti brothers. However, as the net tightened around the Moldovan connection, the infrastructure showed remarkable resilience. Investigations revealed that the network had pivoted. Assets from the PQHosting-linked infrastructure were surreptitiously transferred to a new entity, "the[.]hosting," controlled by the Dutch firm "WorkTitans BV."
2026: The Raid
The evasion tactics ultimately failed. On May 18, 2026, FIOD agents executed search warrants at three business locations in Enschede and Almere, as well as two high-security data centers in Dronten and Schiphol-Rijk. The authorities seized more than 800 servers, along with a trove of digital evidence, including laptops and mobile devices, effectively forcing the network offline.
The Players: Behind the Scenes of MIRhosting and WorkTitans
The case has drawn significant attention not only for its geopolitical implications but for the colorful and suspicious backgrounds of the individuals involved.

Andrey Nesterenko: From Piano Prodigy to Infrastructure Architect
Andrey Nesterenko, a 39-year-old Russian native operating out of the Netherlands, has found himself at the center of the storm. Nesterenko, who had a background as a concert pianist in his youth, founded the parent company Innovation IT Solutions Corp in 2004. This entity notably hosted stopgeorgia[.]ru in 2008, a portal used to coordinate cyberattacks against Georgia during the simultaneous military and cyber conflict—an event often cited as the first "modern" hybrid war.
Youssef Zinad: The Shadow Operator
The 57-year-old Youssef Zinad, Nesterenko’s associate, maintained a significantly lower profile. As the pressure from investigators mounted, Zinad retreated from public view, deleting his professional footprint on LinkedIn and avoiding all formal communications. His disappearance from his registered address in Almere, marked by drawn blinds and abandoned property, mirrored his firm’s attempt to vanish into the digital noise. Despite Nesterenko’s claims that Zinad was merely an external contractor, internal documents and email records suggest Zinad was deeply embedded in the company’s legal and operational hierarchy.
Supporting Data: The Digital Fingerprints of Influence
The nexus between these hosting providers and state-aligned aggression is supported by granular data. According to reports from the Dutch daily de Volkskrant, logs show that WorkTitans and MIRhosting were the most-used network providers for cyberattacks targeting Danish government bodies during the week of the November 2025 municipal elections.
The traffic patterns associated with these servers suggest they were not merely passive hosts but were actively used as nodes for botnets and proxy services. These services allowed malicious actors to mask their origins, creating the illusion of domestic discontent or administrative failure, thereby eroding public trust in the electoral process.
The seizure of 800 servers by the FIOD provides law enforcement with a massive dataset. Investigators are currently analyzing this cache to map the full extent of the network’s influence, potentially unmasking previously unidentified intelligence assets and their specific operational targets.
Official Responses and Denials
Following the raid, the tone from the involved parties has been one of indignation and denial.
The MIRhosting Stance
In an official statement released via LinkedIn, MIRhosting claimed that it initiated an internal investigation into the allegations regarding the Danish elections. The company stated:
"Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections. No anomalies or spikes were observed in our network traffic… had large-scale DDoS attacks occurred, such activity would have been evident."
MIRhosting maintained that it had severed ties with the Neculiti brothers following the May 2025 sanctions and argued that its operations were being unfairly maligned due to the actions of others.

Nesterenko’s Defense
In email correspondence, Nesterenko reiterated his innocence:
"The transition to the[.]hosting was not intended to evade sanctions. The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong."
Nesterenko argues that the legal action is "extremely harmful" to a company he characterizes as a legitimate provider caught in the crossfire of international geopolitical tensions.
Implications: The New Frontier of Sanctions Enforcement
The arrest of Nesterenko and Zinad signals a shift in how the European Union handles the "bulletproof" hosting industry. Historically, hosting providers operating in the "gray zone" of international law were often treated as simple intermediaries, insulated from the actions of their clients by Terms of Service agreements and "safe harbor" protections.
However, the Dutch authorities’ actions underscore a new legal reality: if a company provides the essential infrastructure for sanctioned entities to operate, that company itself becomes a target for sanctions enforcement.
The "Stark" Reality
The case of Stark Industries and its associated Dutch conduits proves that state-aligned cyber actors are becoming increasingly sophisticated in their evasion of sanctions. By moving assets between shell companies and leveraging the legal protections of EU-based data centers, they have managed to persist long after the initial sanctions were applied.
The closure of these servers, however, sends a chilling message to the "hosting-as-a-service" providers who have turned a blind eye to the provenance of their clients. For the cybersecurity community, the seizure is a tactical victory. It forces the operators of these networks to scramble, burning their assets and losing their accumulated data, which in turn disrupts the operations of the state-sponsored hackers they once hosted.
As the legal proceedings against Nesterenko and Zinad begin, the international community will be watching closely. This case will likely serve as a precedent for how future investigations will handle the intersection of private digital infrastructure and national security, setting a standard for the accountability of those who, for a price, provide the digital stage upon which modern wars are fought.
