Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations, and disinformation campaigns within the European Union. The two men were the subject of a 2025 KrebsOnSecurity article about how their hosting companies had taken control of the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned by the EU last year as a frequent staging ground for cyber mischief by Russia's intelligence agencies.

An investigator with the Tax Intelligence and Investigation Service (FIOD), the Dutch financial crimes agency, during the raid. Image: FIOD.

The Dutch daily news outlet _de Volkskrant_ reports that the Dutch financial crime agency FIOD arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague on May 18, charging them with violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned entities.

The Dutch investigation focuses on Stark Industries, a large hosting provider that emerged just two weeks before Russia invaded Ukraine. As detailed in this May 2024 deep-dive, Stark quickly became the source of massive distributed denial-of-service (DDoS) attacks against European targets and emerged as a top supplier of proxy and anonymity services frequently linked to Russia-backed hacking groups.

That report identified two Moldovan brothers — Ivan and Yuri Neculiti and their company PQHosting — who were providing one of Stark’s two main conduits to the larger Internet. In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia’s hybrid warfare efforts. However, as KrebsOnSecurity observed in September 2025, those sanctions did not target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.

MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business from the Netherlands. News that PQHosting and the Neculiti brothers were about to be sanctioned by the EU leaked in the media nearly two weeks before the sanctions were announced last year. During that time, the Stark network assets were transferred from PQHosting to a new entity called the[.]hosting, under the control of the Dutch entity WorkTitans BV.

As our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad. Additionally, WorkTitans obtained connectivity to the larger Internet solely through MIRhosting, where Zinad had previously worked.

On May 18, Dutch financial crime investigators arrested Nesterenko and Zinad and searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. A statement from the Dutch authorities said they also seized laptops, telephones, and more than 800 servers.

A message to the-hosting customers immediately after 800 of its servers were seized by Dutch authorities. The message states that unfortunately, data stored on the server has been lost and cannot be recovered.

_de Volkskrant_ said it reviewed data showing that WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies between November 13 and 19, 2025, the week of Denmark’s municipal elections.

The publication wrote that prior to Nesterenko’s arrest, the MIRhosting founder denied knowing that his servers had been misused by pro-Russian cybercriminals. “He said he had ended all services with the Neculiti brothers when the EU sanctions came into force in May 2025,” and he “reserved all rights to take action against ‘harmful and incorrect publications,’” _de Volkskrant_ wrote.

MIRhosting released a statement saying it has initiated an internal investigation into the alleged facts concerning the elections in Denmark and has temporarily paused services to WorkTitans as a precautionary measure while the matter is being reviewed further.

“Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections,” the statement reads. “No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network. Meanwhile, our regular operational activities continue, and our service to our other clients remains fully intact.”

Born in Nizhny Novgorod, Russia, Mr. Nesterenko grew up as a piano prodigy who performed publicly at a young age. In 2004, Nesterenko founded MIRhosting’s parent Innovation IT Solutions Corp., which is notable for being the company responsible for hosting stopgeorgia[.]ru, a hacktivist website used to organize cyberattacks against Georgia that emerged concurrently with the Russian invasion of the former Soviet nation in 2008. This conflict was considered the first war in which a significant cyberattack occurred alongside an actual military engagement.

Responding to questions via email, Nesterenko stated that MIRhosting does not support cybercrime, sanctions evasion, or illegal activities, and that the allegations and arrest by Dutch authorities have been extremely detrimental to him and his company.

“The transition to the.hosting was not aimed at evading sanctions,” Nesterenko wrote. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions were imposed. Shutting down or harming a legitimate Dutch infrastructure company will not prevent cybercrime, but it will hurt many innocent people.”

There is much less public information about the 57-year-old Zinad, who reportedly has maintained a low profile since our last story. De Volkskrant reported that Zinad blocked access to his LinkedIn account, went months without responding to emails, WhatsApp messages, and phone calls, and told a colleague that illness was forcing him to lead a more secluded life.

Mr. Zinad’s now-defunct LinkedIn profile, which was filled with posts about MIRhosting’s services.

Mr. Nesterenko claims that Zinad was never an employee of MIRhosting.

“He assisted me and MIRhosting with certain business tasks under a standard business-to-business agreement between companies,” Nesterenko explained.

However, in previous emails to KrebsOnSecurity, Nesterenko copied Mr. Zinad (who had a @mirhosting.com email address), stating that he was part of the company’s legal team. Additionally, the Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere.

Mr. Zinad has never responded to requests for comment. De Volkskrant also failed to locate him. The publication reported that they repeatedly contacted Mr. Zinad (referred to here as simply “Z”), but he reportedly avoided all forms of communication.

“‘I am unavailable but will respond to your message as soon as possible,’ reads an automated reply on WhatsApp from October 2, 2025,” de Volkskrant reported. “This was the only response de Volkskrant received over several months. He did not answer his phone or return calls. When an acquaintance asked him via LinkedIn to contact the reporter, he blocked access to his LinkedIn page. At an address in Almere where Z.’s personal limited company is registered, no one was present in April. The curtains were drawn, and a pile of garbage bags lay outside next to a container, as if someone had recently moved out. A neighbor said he knew the man but did not know where he was staying. Z. was later arrested at a residence in Amsterdam.”