Netherlands Arrests Two Hosting Company Co-Owners, Seizes 800 Servers Linked to Russian Cyberattacks

Authorities in the Netherlands have apprehended two co-owners of related Internet hosting companies for allegedly facilitating IT infrastructure utilized by Russia in cyberattacks, influence operations, and disinformation campaigns within the European Union. This development highlights ongoing concerns regarding the intersection of cybersecurity and geopolitical tensions, particularly in the context of Russia’s actions in Ukraine.

Arrests and Charges

On May 18, 2025, the Dutch financial crime agency, FIOD, arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. They face charges of violating sanctions laws by either directly or indirectly providing economic resources to entities sanctioned by the EU. The investigation centers on Stark Industries Solutions, a hosting provider that emerged shortly before Russia’s invasion of Ukraine and has been implicated in various cyber threats against European targets.

The Role of Stark Industries

Stark Industries Solutions quickly became a significant player in orchestrating large-scale distributed denial-of-service (DDoS) attacks against European institutions. It has also been identified as a key supplier of proxy and anonymity services frequently linked to Russian-backed hacking groups. In May 2025, the EU sanctioned PQHosting, a company operated by Moldovan brothers Ivan and Yuri Neculiti, for its role in supporting Russia’s hybrid warfare efforts. However, sanctions failed to address Stark’s remaining Internet connection through MIRhosting, a Dutch provider.

MIRhosting and Its Operators

MIRhosting is run by Andrey Nesterenko, a 39-year-old Russian national based in the Netherlands. Following media leaks about impending sanctions against PQHosting, Stark’s network assets were transferred to a new entity called the[.]hosting, controlled by WorkTitans BV, which is also linked to Nesterenko and his associate, Youssef Zinad. On the same day as the arrests, Dutch investigators executed searches at multiple locations, including three businesses and two data centers, seizing laptops, telephones, and over 800 servers.

Implications for Cybersecurity

The investigation has revealed that WorkTitans and MIRhosting were heavily utilized in pro-Russian attacks against Danish government bodies during the week of Denmark’s municipal elections in November 2025. Prior to his arrest, Nesterenko claimed ignorance regarding the misuse of his servers for cybercriminal activities, asserting that he had ceased all services with the Neculiti brothers following the imposition of EU sanctions.

MIRhosting has since initiated an internal investigation into the allegations surrounding its services’ potential involvement in influencing the Danish elections. The company stated that preliminary findings indicated no anomalies in network traffic during the relevant period, and it had not received any complaints or reports of misuse.

Background of the Operators

Nesterenko, originally from Nizhny Novgorod, Russia, is a former piano prodigy who founded MIRhosting’s parent company, Innovation IT Solutions Corp., in 2004. This company has a controversial history, having previously hosted a hacktivist website involved in organizing cyberattacks against Georgia during the 2008 conflict. Nesterenko has publicly denied any connection to cybercrime or sanctions evasion, asserting that the transition to the[.]hosting was not intended to circumvent sanctions.

Zinad, who has maintained a low profile since the arrests, reportedly blocked access to his LinkedIn account and has been unresponsive to inquiries. Nesterenko claims that Zinad was not an employee of MIRhosting but rather assisted with business tasks under a normal business-to-business arrangement.

Conclusion

The arrests and subsequent investigations underscore the complexities of cybersecurity in an era marked by geopolitical strife. As nations grapple with the implications of cyber warfare, the actions taken by Dutch authorities serve as a reminder of the ongoing battle against cybercriminal networks that exploit legitimate infrastructure for malicious purposes. The developments in this case will likely have lasting repercussions for the cybersecurity landscape in Europe.

For further details, visit the original reporting source: KrebsOnSecurity.

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.