Dutch Authorities Dismantle Infrastructure Linked to Russian Hybrid Warfare

dutch-authorities-dismantle-infrastructure-linked-to-russian-hybrid-warfare

In a decisive strike against the digital underpinnings of Russian state-sponsored aggression, Dutch financial crime investigators have arrested two men accused of operating a sophisticated network of hosting companies that served as a critical staging ground for cyberattacks and disinformation campaigns across the European Union.

The operation, led by the Dutch Tax Intelligence and Investigation Service (FIOD), resulted in the seizure of over 800 servers, laptops, and mobile devices across multiple data centers in Dronten and Schiphol-Rijk, alongside raids on corporate offices in Enschede and Almere. The suspects—a 57-year-old Amsterdam resident and a 39-year-old from The Hague—are charged with flagrant violations of EU sanctions law by providing essential economic resources and digital infrastructure to sanctioned entities involved in Russian hybrid warfare.

This enforcement action marks the culmination of a long-running international investigation into the exploitation of Dutch IT infrastructure to facilitate cyber-aggression. It follows years of scrutiny into the murky operations of hosting providers that have acted as “bulletproof” conduits for Kremlin-aligned hacking groups.

The Chronology of Complicity

The investigation’s roots trace back to the volatile period immediately preceding the Russian invasion of Ukraine. In early 2022, a sprawling hosting entity known as Stark Industries Solutions emerged with startling velocity. Within months, it established itself as a primary supplier of proxy, anonymity, and DDoS-for-hire services, frequently utilized by intelligence-backed groups to target European government bodies and critical infrastructure.

The structural complexity of Stark Industries was designed to evade regulatory oversight. Initial investigations identified two Moldovan brothers, Ivan and Yuri Neculiti, and their company, PQHosting, as the primary internet conduits for Stark. When the European Union sanctioned the Neculiti brothers and PQHosting in May 2025 for their role in facilitating hybrid warfare, the illicit network displayed a remarkable level of agility.

Nearly two weeks before the official sanctions were announced, assets within the Stark network were rapidly migrated to a new entity known as the[.]hosting, which operated under the corporate umbrella of the Dutch firm WorkTitans BV. This move was a calculated effort to preserve access to the global internet, utilizing the remaining, unsanctioned connection through a Dutch provider: MIRhosting.

Supporting Data: A Pattern of Misuse

The scale of the operation dismantled by the FIOD is significant. According to reports from the Dutch daily de Volkskrant, data analysis suggests that WorkTitans and MIRhosting were the most frequently used networks in a series of coordinated, pro-Russian cyberattacks targeting Danish government bodies during the week of Denmark’s municipal elections in November 2025.

The forensic evidence gathered by investigators paints a picture of a network built for disruption. By providing stable infrastructure to groups engaged in massive distributed denial-of-service (DDoS) attacks, the hosting companies allowed state-aligned actors to remain untraceable. The recent seizure of 800 servers serves as a testament to the sheer volume of data and malicious traffic routed through these Dutch facilities.

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

The connection between these hosting providers and Russian interests is not merely logistical; it is historical. The founder of MIRhosting, Andrey Nesterenko, has a professional pedigree that stretches back to the 2008 Russo-Georgian War. Nesterenko, who founded MIRhosting’s parent company, Innovation IT Solutions Corp., was behind the hosting of stopgeorgia[.]ru—a hacktivist portal that synchronized cyber-strikes with physical military movements. This incident is widely cited by cybersecurity experts as the first instance of a “combined arms” cyber-physical conflict.

The Players: From Piano Prodigy to Shadowy Operator

The investigation has centered on two key figures: Andrey Nesterenko and Youssef Zinad.

Nesterenko, a 39-year-old Russian native who grew up as a child prodigy and concert pianist, has consistently denied intentional involvement in cybercrime. In correspondence, he has argued that his companies were merely providing neutral hosting services and that the transition to new corporate entities was a standard business evolution rather than a scheme to bypass sanctions.

"Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong," Nesterenko stated in an email response to inquiries. He maintains that he severed all ties with the Neculiti brothers following the May 2025 sanctions.

Conversely, the role of 57-year-old Youssef Zinad appears to be one of calculated obscurity. Following earlier exposés by KrebsOnSecurity, Zinad effectively vanished from public view. He deactivated his LinkedIn profile, ceased all professional communication, and became virtually unreachable. Reports from his neighborhood in Almere described a residence that appeared abandoned, with blinds drawn and refuse piling up outside. His eventual arrest in Amsterdam brought a sudden end to his attempt to maintain a low profile.

While Nesterenko has attempted to characterize Zinad’s involvement as a minor "business-to-business arrangement," evidence suggests a much deeper integration. Zinad was frequently carbon-copied on internal emails using a @mirhosting.com domain, and professional registries listed him as an official contact for the company’s Almere offices.

Official Responses and Corporate Defenses

Following the raid, MIRhosting issued a formal statement defending its operational integrity. The company claims that an internal investigation into the Danish election period revealed no anomalies or traffic spikes that would suggest their infrastructure was used for malicious influence operations.

"Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections," the statement read. "Had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network."

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

However, this defense contrasts sharply with the findings of Dutch financial investigators and the reality faced by their clients. Following the server seizures, customers of the[.]hosting were met with a stark message informing them that all data stored on the seized hardware had been lost and was unrecoverable—a final, abrupt conclusion to a network that had spent years operating in the shadows of the European digital landscape.

Implications for European Cyber-Defense

The arrest of Nesterenko and Zinad and the subsequent dismantling of their infrastructure represent a pivotal moment in the European Union’s effort to secure its digital borders.

1. Closing the “Sanction Gap”

The case highlights a major vulnerability in current sanction regimes: the ease with which digital infrastructure providers can rebrand, shift assets, and pivot through new corporate entities. By linking the Dutch hosting providers directly to sanctioned Russian actors, the FIOD has set a precedent for holding infrastructure operators accountable for the activities they facilitate.

2. The Responsibility of ISPs

This investigation serves as a stern warning to internet service providers operating within the EU. The days of claiming neutrality while hosting malicious state-sponsored entities are effectively over. European authorities are increasingly viewing the provision of server space to sanctioned actors as an act of complicity in hybrid warfare.

3. Protecting Democratic Processes

With the focus on the Danish municipal elections, the case underscores that cyber-infrastructure is the frontline of modern electoral security. The ability to disrupt these networks before they can be used for influence operations is now a top-tier national security priority for every EU member state.

As the legal proceedings against Nesterenko and Zinad begin, the international cybersecurity community will be watching closely. The outcome of this case will likely determine how aggressively European nations pursue the intermediaries that allow foreign adversaries to weaponize the internet against them. For now, the lights have gone out on the servers that provided a home to some of Russia’s most persistent digital threats, providing a rare, tactical victory in the ongoing shadow war of the 21st century.