Netherlands Authorities Crack Down on Cyberattack Infrastructure
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations, and disinformation campaigns inside the European Union.
The two men, a 57-year-old from Amsterdam and a 39-year-old from The Hague, were charged with violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned entities. The Dutch financial crime agency, FIOD, conducted the raid and seized laptops, telephones, and more than 800 servers.
Background on the Investigation
The investigation focuses on Stark Industries, a sprawling hosting provider that materialized just two weeks before Russia invaded Ukraine. Stark quickly became the source of massive distributed denial-of-service (DDoS) attacks against European targets and emerged as a top supplier of proxy and anonymity services that showed up time and again in cyberattacks linked to Russia-backed hacking groups.
A 2024 deep-dive report identified two Moldovan brothers, Ivan and Yuri Neculiti, and their company PQHosting, who were providing one of Stark's two main conduits to the larger Internet. In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia's hybrid warfare efforts.
Connections to MIRhosting and WorkTitans
However, the sanctions failed to target Stark's remaining connection to the Internet, an Internet service provider based in the Netherlands called MIRhosting, operated by Andrey Nesterenko, a 39-year-old Russian native. News that PQHosting and the Neculiti brothers were about to be sanctioned by the EU leaked in the media nearly two weeks before the sanctions were announced last year.
During that time, the Stark network assets were transferred from PQHosting to a new entity called the[.]hosting, under the control of the Dutch entity WorkTitans BV. WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad. On top of that, WorkTitans was getting connectivity to the larger Internet solely through MIRhosting, where Zinad had worked previously.
Arrests and Seizures
On May 18, Dutch financial crime investigators arrested Nesterenko and Zinad and searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. A statement from the Dutch authorities said they also seized laptops, telephones, and more than 800 servers.
A message to the-hosting customers immediately after 800 of its servers were seized by Dutch authorities stated that unfortunately, data stored on the server has been lost and cannot be recovered.
Denial of Wrongdoing
De Volkskrant reported that prior to Nesterenko's arrest, the MIRhosting founder denied that he knew his servers had been misused by pro-Russian cybercriminals. Nesterenko claimed that he had ended all services with the Neculiti brothers when the EU sanctions came into force in May 2025.
MIRhosting released a statement saying it has initiated an internal investigation into the alleged facts concerning the elections in Denmark and that it has temporarily paused services to WorkTitans as a precautionary measure while the matter is being reviewed further.
“Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections,” the statement reads. “No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident.
Nesterenko responded to questions shared via email, stating that MIRhosting does not support cybercrime, sanctions evasion, or illegal activity, and that the allegations and arrest by Dutch authorities have been extremely harmful to him and his company.
Youssef Zinad's Involvement
Far less is public about the 57-year-old Zinad, who reportedly has been keeping a low profile since the story last year. De Volkskrant reported that Zinad blocked access to his LinkedIn account, had gone months without responding to emails, WhatsApp messages, and phone calls, and told a colleague that illness was forcing him to lead a somewhat more reclusive life.
Nesterenko claims Zinad was never an employee of MIRhosting. “He helped me and MIRhosting with certain business tasks under a normal business-to-business arrangement between companies,” Nesterenko explained.
However, in previous emails to KrebsOnSecurity, Nesterenko carbon copied Mr. Zinad (who had a @mirhosting.com email), explaining that he was part of the company's legal team. Also, the Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting's offices in Almere.
Source: Krebs on Security