Skip to content

Netherlands Dismantles Russian Cyberattack Infrastructure, Two Operators Arrested

On point: The Netherlands dismantled a network of hosting providers linked to the EU-sanctioned Stark Industries and serving as a hub for Russian cyberattacks on European targets.

On 18 May, Dutch authorities arrested the operators of two hosting companies that provided IT infrastructure for Russian cyberattacks, influence operations and disinformation campaigns within the EU. During searches, investigators seized over 800 servers.

The Dutch financial crime agency FIOD arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague. They are accused of violating sanctions laws by providing or facilitating economic resources to EU-sanctioned companies. The suspects are Andrey Nesterenko (39) and Youssef Zinad (57), operators of the hosting providers MIRhosting and WorkTitans BV.

The background reaches back to the founding of Stark Industries in February 2022, two weeks before Russia’s invasion of Ukraine. Stark quickly established itself as a source of massive DDoS attacks against European targets and as a leading provider of proxy and anonymisation services for cyberattacks by Russia-controlled hacker groups. The EU sanctioned Stark Industries and its original connectivity partner PQHosting (operated by Moldovan brothers Ivan and Yuri Neculiti) in May 2025. Shortly before this sanctioning, the operators moved Stark’s network assets to WorkTitans BV, which connected to the internet via MIRhosting — an evasion strategy that, according to investigations, effectively circumvented the sanctions.

During raids on 18 May, Dutch investigators searched three business locations in Enschede and Almere as well as two data centres in Dronten and Schiphol-Rijk. Seized items included laptops, mobile phones and over 800 servers. According to media reports, WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish authorities during the week of the Danish municipal election campaign from 13–19 November 2025.

According to his own statements, Nesterenko ended all connections to the Neculiti brothers after the EU sanctions came into force in May 2025. The arrests mark a systematic crackdown on Russia’s hybrid warfare operations in the EU and underscore the dependence of Russian cyberattack campaigns on commercial hosting infrastructure in European jurisdictions.


Source: krebsonsecurity.com · Published 25 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.0.

Share on: