Netherlands Seizes 800 Servers, Arrests Two Over Russian-Linked Cyberattack Hosting

Dutch authorities arrested two co-owners of Netherlands-based hosting companies on May 18, 2026, and seized more than 800 servers, charging the men with violating EU sanctions law by making IT infrastructure available to entities linked to Russian-directed cyberattacks and influence operations inside the European Union.

The enforcement action dismantled a hosting footprint that investigators say absorbed the operational infrastructure of Stark Industries Solutions after the EU sanctioned that company in 2025.

The Arrests

The FIOD — the Dutch Tax Intelligence and Investigation Service — executed simultaneous raids across five locations: three business premises in Enschede and Almere, and two data centers in Dronten and Schiphol-Rijk.

The two men in custody are Andrey Nesterenko, 39, a Russian national and founder of MIRhosting, and Youssef Zinad, 57, an Amsterdam resident. Together they co-own MIRhosting, WorkTitans BV, and a third company trading as the[.]hosting.

The charge is violating EU Council Regulation 269/2014 and Dutch implementing sanctions legislation — specifically, making economic resources available to sanctioned entities. No software vulnerability or breach of a victim’s systems underlies the case; the prosecution turns on whether the defendants knowingly continued to serve sanctioned customers after the EU designations took effect.

Stark Industries and Its Orbit

The EU sanctioned Stark Industries Solutions ↗ and its affiliate PQHosting Plus S.R.L. in May 2025, citing both as staging grounds for attacks tied to Russian intelligence services. Stark was incorporated on February 10, 2022 — two weeks before Russia’s invasion of Ukraine — by Ivan and Yuri Neculiti, brothers who operated PQHosting out of Moldova.

Prior reporting established that Stark’s IP ranges provided infrastructure to NoName057(16), a pro-Russia hacktivist group that recruits volunteers for DDoS attacks via a gamified Telegram tool called DDoSia. Stark-adjacent address blocks also traced back to Russia’s Federal Guard Service, the successor to the KGB’s Ninth Directorate.

Nesterenko had previously confirmed to researchers that Stark Industries was a colocation customer of MIRhosting, characterizing the relationship as “purely provider-customer.” Dutch prosecutors’ theory of the case appears to be that the relationship was materially deeper: after EU sanctions targeted the Neculiti brothers, operational infrastructure migrated toward MIRhosting and the co-defendants’ related companies.

Scope of the Seizure

The 800-plus servers span hardware at both data-center and business-premises locations across the Netherlands. Dutch prosecutors have not disclosed a full client list. The investigation examined use of the seized infrastructure in connection with DDoS attacks against European targets and with influence operations, including attacks on Danish government websites during the country’s November 2025 municipal elections.

MIRhosting issued a statement contesting the election-interference allegation: “Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections.” The company did not address the broader sanctions-evasion charge.

Prior Indicators

Nesterenko’s involvement in Russian-associated hosting operations predates the current investigation by nearly two decades. His earlier company, Innovation IT Solutions Corp. — founded in 2004 — hosted stopgeorgia[.]ru, a website used to coordinate cyberattacks against Georgian government and media infrastructure during Russia’s August 2008 military campaign in South Ossetia. Dutch prosecutors are reportedly incorporating that history into the evidentiary record.

What Defenders Should Do

The seizure affects live hosting infrastructure. Organizations with dependencies on IP ranges linked to MIRhosting, WorkTitans BV, or the[.]hosting may encounter unexpected connectivity disruptions. Bulletproof-hosting operations have historically reconstituted under new autonomous system numbers within weeks of law enforcement seizures; monitoring for reactivation is warranted.

1. Within 48 hours: Cross-reference MIRhosting and the[.]hosting autonomous system numbers against egress-allow lists, firewall rules, and threat-intel feed block lists.
2. Within 7 days: Audit DDoS-mitigation and traffic-scrubbing configurations for any reliance on upstream IP ranges now under FIOD control.
3. Ongoing: Scan historical logs for connections to ASNs associated with Stark Industries, PQHosting, and MIRhosting; community-published blocklists covering this infrastructure have been available since mid-2024.
4. If operating in Denmark or adjacent EU jurisdictions: Flag the election-period attack allegation to legal and compliance teams; regulatory inquiries may follow.
5. Threat-intel hygiene: Add attribution tags for NoName057(16) and Stark-adjacent infrastructure to detection rules, and watch for re-registration of the same IP blocks under new provider names.

Both men remain in custody pending further Dutch criminal proceedings. No trial date has been set.

Sources

• Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks ↗ — KrebsOnSecurity, May 25, 2026. Primary reporting on the FIOD enforcement action, the defendants, charges, and MIRhosting’s response.
• Stark Industries Solutions: An Iron Hammer in the Cloud ↗ — KrebsOnSecurity, May 2024. Investigative background on Stark Industries, its ties to PQHosting and the Neculiti brothers, its role in NoName057(16) DDoS campaigns, and its historical relationship with MIRhosting.