Digital Siege: Dutch Authorities Dismantle Hosting Infrastructure Linked to Russian Hybrid Warfare

In a sweeping operation that marks a significant escalation in the European Union’s battle against state-sponsored digital subversion, Dutch financial crime investigators have arrested two prominent tech entrepreneurs on charges of violating international sanctions. The May 18, 2026, raid by the Fiscal Information and Investigation Service (FIOD) targeted the heart of a clandestine network accused of providing the digital scaffolding for Russian intelligence agencies to execute cyberattacks and disinformation campaigns across the EU.

The suspects—a 57-year-old Amsterdam resident and a 39-year-old from The Hague—are the primary architects behind two interconnected hosting companies. According to investigators, these entities served as a critical staging ground for "Stark Industries Solutions," a sprawling, illicit internet service provider (ISP) previously sanctioned by the European Union for its central role in facilitating Russian hybrid warfare operations.

The Anatomy of a Digital Proxy

The investigation centers on the exploitation of internet infrastructure to bypass sanctions and sustain cyber aggression. Stark Industries Solutions, which emerged with suspicious speed just two weeks prior to the Russian invasion of Ukraine in 2022, quickly gained notoriety as a "bulletproof" host. It became the preferred launchpad for massive distributed denial-of-service (DDoS) attacks targeting European government institutions and financial sectors.

Stark did not operate in a vacuum. It relied on a sophisticated web of providers to maintain its connection to the global internet. Initially, the network was propped up by PQHosting, a firm managed by Moldovan brothers Ivan and Yuri Neculiti. When the EU placed the Neculiti brothers and PQHosting under sanctions in May 2025, the infrastructure did not collapse; it merely shifted.

Data obtained by de Volkskrant reveals a calculated migration of assets. Nearly two weeks before the official announcement of the 2025 sanctions, the Stark network’s resources were transferred to a new entity, "the[.]hosting," which operated under the corporate umbrella of the Dutch firm WorkTitans BV. The threads of control led directly back to the two men now in custody: Andrey Nesterenko and Youssef Zinad.

A Chronology of Subversion

The collapse of this network follows a multi-year trail of digital evidence that highlights the difficulty of policing the "gray zone" of international cyber warfare.

• 2004–2008: Andrey Nesterenko, a former piano prodigy from Nizhny Novgorod, establishes Innovation IT Solutions Corp. The firm gains infamy for hosting "stopgeorgia[.]ru," a site used to coordinate cyberattacks against Georgia during the 2008 Russo-Georgian War—widely considered the first instance of a physical military conflict synchronized with large-scale cyber warfare.
• February 2022: Stark Industries Solutions is launched, providing anonymity and proxy services to actors linked to Russian intelligence.
• May 2024: Investigative reports, including an in-depth analysis by KrebsOnSecurity, expose Stark’s role as an "iron hammer in the cloud," linking it to persistent attacks on Western targets.
• May 2025: The EU imposes sanctions on the Neculiti brothers and PQHosting. Anticipating this, the network’s assets are quietly migrated to the Dutch-based WorkTitans BV and MIRhosting.
• September 2025: Further investigative scrutiny reveals that despite the sanctions, the Stark infrastructure remains alive, powered by MIRhosting and WorkTitans.
• November 2025: During the week of the Danish municipal elections, WorkTitans and MIRhosting are identified as the primary networks facilitating pro-Russian cyberattacks against Danish government digital infrastructure.
• May 18, 2026: FIOD agents execute coordinated raids in Enschede, Almere, Dronten, and Schiphol-Rijk, resulting in the arrests of Nesterenko and Zinad and the seizure of over 800 servers.

The Scope of the Seizure

The FIOD operation was not merely an arrest; it was a tactical decapitation of a digital node. By seizing more than 800 servers, investigators effectively neutralized the "the[.]hosting" platform. In an ironic turn of events, customers attempting to access their data on these servers were greeted with a stark notification: the hardware had been seized, and the data was deemed unrecoverable.

This loss of data, while devastating to the clients of these hosting providers, represents a treasure trove for forensic analysts. The seized hardware is expected to provide a roadmap of the connections between the hosting providers and the specific threat actors who utilized them to target European democracy.

Official Responses and Denials

In the wake of the arrests, the narrative from the suspects and their associated companies has been one of defensive denial. MIRhosting, through a formal statement, claimed that it had initiated an internal audit regarding the Danish election attacks and asserted that it had severed ties with WorkTitans following the 2025 sanctions.

"Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections," the company stated, adding that they had received no prior abuse reports or official requests regarding suspicious activity.

Andrey Nesterenko, speaking through legal channels, maintained his innocence. He argued that the transition of assets to WorkTitans was a routine business transaction, not an attempt to evade sanctions. "Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong," Nesterenko argued.

Youssef Zinad, the second individual arrested, has proven far more elusive. Known for keeping a low profile, Zinad had effectively vanished from the public eye since his name surfaced in earlier investigations. Reports describe a man attempting to hide in plain sight—blocking LinkedIn profiles, ignoring calls, and maintaining an abandoned, darkened residence in Almere before his eventual capture in Amsterdam. While Nesterenko attempted to distance himself from Zinad, claiming they only shared a "business-to-business" arrangement, internal documentation—including emails and official registration records—suggests a far deeper, more integrated partnership.

Implications for EU Security

The implications of the MIRhosting case extend far beyond the arrests of two men. It highlights the vulnerability of the European internet ecosystem to exploitation by foreign powers who utilize the privacy protections and legal frameworks of EU member states as a shield for hybrid warfare.

The case also serves as a warning to the hosting industry. By treating the "provision of infrastructure" as a neutral service, companies have often turned a blind eye to the activities of their tenants. The Dutch authorities’ move to classify these actions as a violation of sanctions law—by providing "economic resources" to sanctioned entities—sets a significant legal precedent. It implies that hosting companies are not mere conduits, but are responsible for the nature of the content they facilitate.

As the investigation continues, the focus will likely shift toward the broader network of "bulletproof" hosts that remain active. The dismantling of the MIRhosting and WorkTitans infrastructure is a victory, but security experts warn that such networks are inherently hydra-headed. The primary challenge remains: how to balance the fundamental requirements of a free and open internet with the urgent necessity of defending against those who use that very openness to undermine the democratic process.

For now, the silence of the 800 seized servers in the Netherlands stands as a testament to a shift in policy. The era of digital impunity for those who knowingly host the architects of cyber warfare is, at the very least, under sustained and aggressive assault.