Netherlands Seizes 800 Servers, Arrests 2 for Assisting Cyberattacks – Krebs on Security
Authorities in the Netherlands arrested the owners of two related Internet hosting companies for using the IT infrastructure used by Russia to carry out cyberattacks, influence operations and information extraction campaigns within the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies have taken control of the technology infrastructure. Stark Industries Solutionsan internet service provider that was sanctioned last year by the EU as a common scene of cyber malfeasance from Russian intelligence agencies.
An investigator from the Tax Intelligence and Investigation Service (FIOD), the Dutch financial crime agency, during the raid. Photo: FIOD.
Dutch daily news source in the Volkskrant reports that the Dutch financial crime agency FIOD on May 18 he arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague, charging them with violating the law on fines by directly or indirectly using economic resources from organizations authorized by the EU.
The Dutch investigation focused on Stark Industries, a growing hosting provider that came to light just two weeks before Russia invaded Ukraine. As described in this deep dive from May 2024, Stark quickly became the source of large-scale denial-of-service (DDoS) attacks against European targets, and emerged as a top supplier of proxy services and anonymity services that appeared repeatedly in cyber attacks linked to Russian-backed hacking groups.
That report revealed two Moldovan brothers— Ivan again Yuri Neculiti and their company PQHosting – who were providing Stark’s two channels to the greater Internet. In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia’s hybrid war effort. But as KrebsOnSecurity noted in September 2025, those sanctions failed to identify Stark’s remaining Internet connection — a Netherlands-based Internet service provider called. MIRhosting.
MIRhosting is operated by Andrey Nesterenkoa 39-year-old Russian-born entrepreneur from the Netherlands. News that PQHosting and the Neculiti brothers were about to be sanctioned by the EU leaked to the media about two weeks before the sanctions were announced last year. At that time, Stark’s network assets were transferred from PQHosting to a new company named i[.]to be handledunder Dutch control WorkTitans BV.
And as our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Nesterenko. Youssef Zinad. Furthermore, WorkTitans was only getting a larger internet connection through MIRhosting, where Zinad used to work.
On May 18, Dutch financial crime investigators arrested Nesterenko and Zinad, searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. A statement issued by Dutch authorities said they also seized more than 800 laptops, phones and servers.
A message to customers that runs immediately after 800 of their servers were seized by Dutch authorities. The message says that unfortunately the data stored on the server has been lost and cannot be recovered.
De Volkskrant said it has reviewed data showing that WorkTitans and MIRhosting are the networks most used in attacks on Danish government organizations between November 13 and 19, 2025, which is the week of Danish municipal elections.
The publication noted that prior to Nesterenko’s arrest, MIRhosting’s founder denied knowing that his servers had been compromised by Russian-backed hackers. “He said he has ended all services with the Neculiti brothers when the EU sanctions come into effect in May 2025,” and “reserved all rights to take action against ‘dangerous and wrong publications,'” wrote De Volkskrant.
MIRhosting released a statement saying that it has launched an internal investigation into the alleged facts surrounding the Danish election, and that it has temporarily suspended services to WorkTitans as a precautionary measure while the matter is reviewed.
“Based on our initial findings, there are no indications that the services we control were actually used to influence the Danish election,” the statement read. “No anomalies or anomalies were observed in our network traffic during the period mentioned in the publication; if a large-scale DDoS attack had occurred, such activity would have been obvious. In addition, prior to the publication of the media, we had not received any complaints, abuse reports, or legal requests regarding suspicious activities or misuse of our network. Currently, our normal operational activities continue with our other clients.”
Born in Nizhny Novgorod, Russia, Mr. Nesterenko grew up a pianist who performed in public as a child. In 2004, Nesterenko founded the parent of MIRhosting Company Innovation IT Solutions Corp.with the notable distinction of being the company responsible for hosting stopgeorgia[.]ru, a hacktivist website planning a cyberattack against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a significant cyberattack and actual military engagement occurred simultaneously.
In response to questions shared by email, Nesterenko said that MIRhosting does not support cybercrime, evasion of sanctions, or illegal activities, and that the allegations and arrests of the Dutch authorities have been very dangerous for him and his company.
“The switch to hosting was not intended to avoid sanctions,” Nesterenko wrote. “Hardware and customer portfolios are transferred to WorkTitans before sanctions are imposed. Shutting down or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will hurt many innocent people.”
Very little is public about 57-year-old Zinad, who has reportedly been keeping a low profile since our story last year. De Volkskrant reported that Zinad has blocked access to her LinkedIn account, has not responded to emails, WhatsApp messages and phone calls for months, and told a colleague that the illness forces her to lead an unusual life.
Profile of Mr. Zinad of the late LinkedIn. There were loads of posts on MIRhosting services.
Mr. Nesterenko claims that Zinad was never an employee of MIRhosting.
“He helped me and MIRhosting with some business activities under a standard business-to-business arrangement between companies,” Nesterenko explained.
However, in previous emails to KrebsOnSecurity, Nesterenko carbon copied Mr. Zinad (who had an email address of @mirhosting.com), explaining that she was part of the company’s legal team. Also, a Dutch website platform logo[.]nl lists Youssef Zinad as the official contact person for the MIRhosting offices in Almere.
Mr. Zinad never responded to requests for comment. And de Volkskrant had no luck following him. This book says that he often asked Mr. Zinad (referred to here as simply “Z”), but reportedly avoided all forms of communication.
“‘I’m not available but I’ll answer your message as soon as possible,’ reads the automatic reply on WhatsApp on 2 October 2025,” de Volkskrant reported. “It’s the only answer De Volkskrant will get in a few months. He didn’t pick up his phone and didn’t call again. When someone he knew asked him on LinkedIn to contact the journalist, he blocked access to his LinkedIn page. At the address in Almere where Z.’s company is registered, no one was there in April. The curtains of the house on the corner were pulled, and one was left with a lot of rubbish outside. He said he knew this man but didn’t know where Z lived.
