Dutch Authorities Crack Down on Suspected Russian Cyber Operations
Dutch authorities have arrested two IT entrepreneurs suspected of violating European sanctions and providing hosting infrastructure used in pro-Russian cyberattacks and disinformation campaigns. The Dutch Fiscal Information and Investigation Service (FIOD) announced the arrests on Friday, revealing that the suspects — a 57-year-old from Amsterdam and a 39-year-old from The Hague — ran companies whose servers were allegedly used for cyberattacks, interference operations, and the spread of disinformation.
Investigators searched three business premises during the operation, along with two data centers, seizing administration records, laptops, phones, and more than 800 servers. The company under investigation was founded on 10 February 2022, two weeks before Russia launched its full-scale invasion of Ukraine.
Sanctions and Alleged Evasion
FIOD did not name the business in its announcement, but said it had been sanctioned by the European Union on 20 May 2025. Authorities allege that after the sanctions were imposed, part of the company’s technical infrastructure was shifted to a newly established Dutch firm designed to circumvent the restrictions. The 57-year-old suspect allegedly served as the director and indirect sole shareholder of that company, investigators said.
A second Dutch company, run by the 39-year-old suspect, allegedly provided internet connectivity for the infrastructure. While Dutch authorities did not publicly identify the suspects or the companies involved, investigations by the German nonprofit journalism group Correctiv and Dutch newspaper de Volkskrant reported that the case involves Andrey N., a concert pianist and operator of hosting provider MIRhosting, and business consultant Youssef Z., owner of WorkTitans.
Alleged Ties to Russian Cyber Operations
Correctiv reports that MIRhosting provided services to Moldovan brothers Ivan and Juri Neculiti, who operated the hosting firm Stark Industries — which Correctiv reports is at the center of the FIOD investigation. The EU sanctioned Stark Industries and its owners on 20 May last year, citing its role enabling “various Russian state-sponsored and state-affiliated actors to conduct destabilising activities including coordinated information manipulation and interference and cyber-attacks.”
According to the reports, Stark Industries offered internet infrastructure services, including dozens of VPN and proxy connections designed to help users operate anonymously online. Its infrastructure was reportedly used to host websites tied to Reliable Recent News, a network associated with the Russian-linked Doppelgänger disinformation campaign.
Denials and Ongoing Investigation
In a statement last week, MIRhosting denied the allegations and said it was cooperating with relevant authorities while conducting an internal investigation. The company added that it had temporarily suspended services to Work Titans, adding it only provided the firm with physical server space, power, and network connectivity through a third-party data center and had no access to the customer’s data or applications.
MIRhosting said its operations were continuing normally and that services for other customers had not been affected. In comments previously cited by de Volkskrant, Andrey N. also denied knowingly facilitating pro-Russian cyber operations and said he stopped cooperating with the Neculiti brothers after sanctions were imposed.
- MIRhosting and WorkTitans did not respond to Recorded Future News’ requests for comment by the time of publication.
- The investigation is ongoing, with Dutch authorities working to determine the extent of the suspects' involvement in Russian cyber operations.
Source: The Record