The Digital Underworld: Dutch Authorities Dismantle Infrastructure Linked to Russian Hybrid Warfare

In a sweeping crackdown on the digital architecture underpinning Russian state-sponsored cyber operations, Dutch authorities have arrested two prominent figures in the Internet hosting industry. The raid, conducted by the Fiscal Information and Investigation Service (FIOD), marks a significant escalation in the European Union’s efforts to combat the weaponization of private IT infrastructure by foreign intelligence agencies.
The suspects—a 57-year-old resident of Amsterdam and a 39-year-old from The Hague—are accused of violating international sanctions by providing essential economic resources to entities actively engaged in cyberattacks, disinformation campaigns, and influence operations against the EU. The operation saw the seizure of over 800 servers, along with various electronic devices, effectively crippling a network that investigators allege was a primary staging ground for pro-Russian hacking collectives.
The Nexus of Cyber Mischief: Stark Industries and the Shadow Network
The investigation centers on a shadowy hosting provider known as Stark Industries Solutions. The entity surfaced with suspicious timing, appearing just two weeks before the Russian invasion of Ukraine in February 2022. Quickly establishing itself as a "bulletproof" host, Stark became a favorite for threat actors requiring anonymity and high-speed connectivity to launch large-scale distributed denial-of-service (DDoS) attacks against European government institutions and private infrastructure.
According to technical analysis, Stark Industries served as a critical supplier of proxy and anonymity services. These services are the lifeblood of Russian-backed hacking groups, allowing them to mask their origins while probing the digital defenses of Western nations.
The web of connectivity leading to these arrests began to unravel following an investigative deep-dive by KrebsOnSecurity in 2024. The investigation identified that Stark’s operations were facilitated by PQHosting, a company managed by Moldovan brothers Ivan and Yuri Neculiti. While the European Union officially sanctioned PQHosting and the Neculiti brothers in May 2025 for their role in Russia’s hybrid warfare efforts, the network did not disappear. Instead, it migrated, finding a new, protected harbor within the Netherlands through a hosting provider known as MIRhosting.
Chronology of an Evolving Threat
The timeline of this operation reveals a calculated attempt to evade detection through corporate restructuring:

- February 2022: Stark Industries Solutions is launched shortly before the invasion of Ukraine.
- May 2024: Investigative reports identify the ties between Stark Industries and PQHosting, highlighting their role in aggressive DDoS campaigns.
- May 2025: The European Union places formal sanctions on PQHosting and the Neculiti brothers. Sensing the tightening net, Stark’s assets are rapidly transferred to a new entity, the[.]hosting, controlled by the Dutch firm WorkTitans BV.
- September 2025: Further reporting exposes that WorkTitans is under the control of Andrey Nesterenko and Youssef Zinad, operating under the umbrella of MIRhosting.
- November 2025: Data analyzed by de Volkskrant indicates that WorkTitans and MIRhosting were the most-used networks during a series of cyberattacks targeting Danish government bodies during the week of municipal elections.
- May 18, 2026: The FIOD executes raids across Enschede, Almere, Dronten, and Schiphol-Rijk, resulting in the arrest of Nesterenko and Zinad and the seizure of the server infrastructure.
Supporting Data: The Anatomy of the Infrastructure
The infrastructure seized by the FIOD represents a significant blow to the "as-a-service" model used by Russian cyber-operatives. The 800 servers seized were not merely passive hardware; they were active nodes in a global botnet-for-hire ecosystem.
Investigations by de Volkskrant revealed that the networks operated by Nesterenko and Zinad were instrumental during the Danish municipal elections in late 2025. By providing the bandwidth and the obfuscation tools necessary to sustain high-volume traffic spikes, these companies enabled hackers to effectively paralyze official government websites, creating a climate of instability and mistrust during a critical democratic event.
The involvement of MIRhosting is particularly notable given its history. Founded in 2004 by Andrey Nesterenko—a former concert pianist turned tech entrepreneur—the company’s parent entity, Innovation IT Solutions Corp., was previously identified as the host for stopgeorgia[.]ru. This website, which appeared during the 2008 Russo-Georgian war, is historically significant for being one of the first instances where cyber-warfare and traditional military engagement were synchronized in real-time.
Official Responses and Denials
In the wake of the arrests, the atmosphere surrounding MIRhosting has been one of damage control. Following the seizure, the company issued a public statement claiming that it had "initiated an internal investigation" into the allegations.
"Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections," the statement read. The company further argued that no "anomalies or spikes" were detected in their network traffic during the relevant period, and that they had received no prior abuse reports or official requests for information.
Andrey Nesterenko, speaking via email before his arrest, maintained his innocence. He characterized the transition of assets from PQHosting to the[.]hosting as a standard business maneuver rather than an attempt to bypass sanctions. "Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime," Nesterenko asserted, claiming that the allegations had caused irreparable harm to his reputation and his business.

Conversely, Youssef Zinad has remained almost entirely unreachable. Once a visible figure in the company’s outreach, Zinad retreated from public life following initial scrutiny in 2025. Reports describe a man who systematically deleted his digital footprint, blocked his former associates, and eventually abandoned his residence in Almere, leaving behind signs of a sudden departure.
Implications for European Cyber-Security
The arrests of Nesterenko and Zinad signal a shift in how Western authorities view the operators of "bulletproof" hosting services. Previously, such companies often operated in a legal gray area, citing the "neutrality" of the pipe through which data flows. However, the application of EU sanctions law to these operators suggests that the authorities are now treating the provision of digital infrastructure as an act of complicity in the underlying crimes.
This case serves as a warning to other service providers operating within the EU that the "host-neutrality" defense is no longer a shield against prosecution. The ability of the Dutch government to trace the movement of assets from a sanctioned Moldovan entity to a Dutch-based provider demonstrates a growing sophistication in cross-border forensic investigations.
As European nations prepare for future electoral cycles, the dismantling of these networks is a necessary, albeit reactive, measure. The challenge remains that for every server seized, new infrastructure can be provisioned in jurisdictions less amenable to international legal cooperation. Nevertheless, the crackdown on MIRhosting and its partners underscores a vital reality: the digital battlefield is not remote. It is hosted on servers in our own backyards, and the architects of this chaos are finally facing the reach of the law.
