Dutch FIOD Breaks Stark Industries Network After Sanctions Failed: The MIRhosting Case

Dutch fiscal crime investigators arrested two Netherlands-based men on May 18, 2026 and seized more than 800 servers across five locations, dismantling the hosting infrastructure that kept Russia’s most-documented shared cyberattack platform running for more than a year after European Union sanctions had already attempted — and failed — to shut it down.

The Dutch Fiscal Information and Investigation Service (FIOD) announced the operation on May 25, 2026. The suspects, identified by investigators as Andrey Nesterenko, 39, of The Hague, and Youssef Zinad, 57, of Amsterdam, are accused of violating EU sanctions law by continuing to provide internet connectivity and server infrastructure to entities operating under the umbrella of Stark Industries Solutions ↗ — a hosting provider that the EU sanctioned in May 2025 for enabling Russian state-sponsored cyberattacks and disinformation campaigns across Europe.

What Stark Industries Is

Stark Industries Solutions materialized as a company two weeks before Russia launched its full-scale invasion of Ukraine in February 2022. Within months it had become the preferred bulletproof hosting platform for a range of Russian state-linked and state-adjacent threat activity: distributed denial-of-service (DDoS) campaigns, proxy and anonymization infrastructure used by Russian intelligence-affiliated hacking groups, and hosting for the Doppelganger influence network’s coordinated disinformation operations targeting EU member-state elections.

The company was registered in the United Kingdom but operated through a constellation of infrastructure providers, most visibly connected to two Moldovan brothers, Ivan and Iurie Neculiti, who ran a web hosting firm called PQHosting. Investigative reporting by KrebsOnSecurity in May 2024 exposed the breadth of Stark’s infrastructure and its direct ties to Russian offensive operations. The Neculiti brothers and PQHosting were subsequently designated under EU sanctions on May 20, 2025 ↗ for “aiding Russia’s hybrid warfare efforts.”

The sanctions did not end Stark Industries’ operations. They displaced them.

The Sanctions-Evasion Playbook

According to Recorded Future’s Insikt Group ↗, the Stark Industries network began migrating infrastructure approximately six weeks before the EU formally announced the Neculiti sanctions — suggesting the operators received advance warning. The sequence was precise and fast:

• April 10, 2025: Migration of Russian infrastructure to UFO Hosting LLC begins.
• April 13, 2025: IP prefix transfers begin from Stark Industries’ primary ASN (AS44477) to the new entity.
• May 8, 2025: European media, citing leaked documentation, reports the forthcoming EU sanctions package by name.
• May 13, 2025: A new RIPE-registered organization, PQ Hosting Plus S.R.L., is created.
• May 16, 2025: AS44477 is transferred to PQ Hosting Plus S.R.L.
• May 20, 2025: EU sanctions formally designate Stark Industries, Ivan and Iurie Neculiti, and PQHosting.
• May 28–29, 2025: WorkTitans B.V., a Netherlands-registered company, creates a new RIPE organization; the public rebrand to “the[.]hosting” is announced.
• June 23–24, 2025: A new ASN, AS209847, is registered under THE/WorkTitans B.V.

The result was a functioning heir to Stark’s connectivity, built from Dutch internet infrastructure, that the original EU sanctions package had not named. Recorded Future assessed the activity as “a strategic effort to obfuscate ownership and sustain hosting services under new legal and network entities.”

MIRhosting: The Surviving Link

The critical piece that bridged the Neculiti network into its post-sanctions incarnation was MIRhosting, a Netherlands-based internet service provider run by Nesterenko — the same 39-year-old now in Dutch custody. Nesterenko, who describes himself publicly as an accomplished concert pianist, also ran a parent company called Innovation IT Solutions Corp., which KrebsOnSecurity reporting connected to StopGeorgia[.]ru, a site that coordinated cyberattacks during the 2008 Russian-Georgian war.

When Krebs published an investigation in September 2025 ↗ identifying MIRhosting as the surviving connection to Stark after the initial sanctions wave, the company was providing upstream connectivity to WorkTitans B.V. and effectively sustaining the operational infrastructure that the EU believed it had cut off. Research by KrebsOnSecurity and Recorded Future indicated that MIRhosting’s infrastructure accounted for 84 percent of the communications used in DDoS campaigns by pro-Russian hacktivist group NoName057(16) during that period.

Zinad’s company, WorkTitans BV, provided internet connectivity and held the RIPE registrations for the new ASN. Together, MIRhosting and WorkTitans formed the two-company structure that kept Stark’s functional capabilities alive for more than twelve months after the initial EU designation.

What the Infrastructure Was Used For

The servers seized in the May 18 operation supported three distinct categories of malicious activity, according to the FIOD announcement and prior reporting.

DDoS campaigns. NoName057(16), a pro-Russian hacktivist collective that has run persistent DDoS campaigns against European government agencies, military websites, and political institutions since 2022, relied heavily on Stark/MIRhosting infrastructure for command-and-control and bot coordination. The Swiss cyber authority previously documented that NoName057(16) DDoS traffic originated from Russian IP addresses, from MIRhosting’s networks, and from Stark Industries — treating the three as effectively interchangeable routing options. The group is assessed as operating with at least tacit coordination with Russian state interests, though its formal organizational relationship to Russian intelligence remains the subject of ongoing analysis.

Election interference. FIOD documentation cited DDoS attacks against targets connected to Danish municipal elections held November 13–19, 2025. That campaign hit local government infrastructure in an EU member state during an active electoral cycle, placing it directly in scope for the EU’s hybrid warfare sanctions framework.

Disinformation operations. The Doppelganger influence network, which deploys a combination of fake news sites, cloned legitimate media domains, and social media amplification to spread pro-Kremlin narratives inside EU member states, used infrastructure associated with the Stark/Reliable Recent News ecosystem for hosting and coordination. The network has been attributed by EU institutions, Meta, and independent researchers to entities operating on behalf of the Russian government. Disinformation infrastructure of this type increasingly relies on AI-generated content at scale — a dimension tracked in depth at ai-alert.org’s AI incident tracker ↗, which monitors the intersection of machine-generated content and influence operations.

The Physical Operation

The FIOD operation on May 18 covered five locations in the Netherlands:

• Three business premises (Enschede and Almere)
• Two data centers (Dronten and Schiphol-Rijk)

More than 800 servers were seized, along with laptops and mobile phones. The scale of the seizure reflects how embedded the WorkTitans/MIRhosting operation was in Dutch internet infrastructure — not a small fly-by-night setup but a functioning commercial hosting business with a data center presence at Schiphol-Rijk, adjacent to Amsterdam’s main international airport.

Nesterenko and Zinad were taken into custody on suspicion of violating EU sanctions law and providing hosting infrastructure used in pro-Russian cyberattacks. Dutch authorities did not publicly name the suspects at the time of the FIOD announcement; their identities were established through investigative reporting by KrebsOnSecurity and The Record.

---

Original Analysis: Why Sanctions Alone Cannot Win This Fight

The Netherlands operation represents something genuinely new in European enforcement against cyber-enabling infrastructure — but understanding why requires confronting the structural problem that made MIRhosting possible in the first place.

The displacement hypothesis. EU sanctions, as currently designed and enforced, do not dismantle infrastructure networks. They displace them. When the Council designates an entity, the named company loses access to EU financial systems and EU-registered parties must cease dealings with it. But the physical infrastructure — servers, fiber, IP address blocks registered through RIPE — can be transferred to a new legal entity in days. The Stark Industries migration timeline documented by Insikt Group shows the entire transfer sequence completed in roughly six weeks, beginning before the sanctions were even public.

This is not a design flaw unique to EU sanctions. The same dynamic appears in U.S. Treasury OFAC designations against hosting providers: named entities rebrand, transfer ASNs, and reconstitute under new registrations within weeks. Sanctions are an instrument built to exert economic pressure on nation-states and large corporations where asset freezing has durable effect. Applied to a loosely structured hosting operation with distributed physical infrastructure and jurisdictional flexibility, they function more like a temporary inconvenience than a disruption.

The Stark Industries case provides a controlled experiment. The May 2025 sanctions wave successfully disrupted the Neculiti brothers’ ability to operate under their own names inside the EU. Within two weeks, functionally equivalent infrastructure was running under new names via WorkTitans and MIRhosting, with Dutch legal entities and Dutch internet connectivity. The named actors were inconvenienced; the operational capability was not materially degraded.

The missing enforcement layer. What the Netherlands operation adds — and what is largely absent from prior EU sanctions enforcement against cyber infrastructure — is criminal prosecution of the facilitators: the people and companies that knowingly provided connectivity to post-sanction successor entities.

Nesterenko and Zinad did not operate Stark Industries. They provided internet connectivity and hosting to entities that were themselves operating in apparent violation of EU sanctions. The Dutch case treats that knowing provision of services as a sanctionable act in its own right. If the prosecution succeeds, it establishes a precedent that European internet service providers face criminal liability when they continue to serve entities that are identified in the public record as sanctions-circumvention vehicles.

This is a meaningful deterrence shift. Sanctions enforcement against the named entities creates an incentive for the operator (in this case, Russian-linked actors) to route around by finding new hosting providers. Criminal liability for the hosting provider — particularly when investigative reporting has publicly identified the sanctioned-entity connection, as KrebsOnSecurity did in September 2025 — raises the cost for the new provider. The journalist’s report becomes, in effect, a public notice that removes the “we didn’t know” defense.

The counter-argument: principals are untouched. The obvious objection is that arresting Nesterenko and Zinad does not arrest anyone in Moscow. The actual threat actors — the FSB officers, GRU contractors, and NoName057(16) volunteers who used MIRhosting’s servers to run DDoS campaigns — face no consequence from a Dutch prosecution. Their infrastructure is disrupted temporarily while they identify replacement hosting. The Stark Industries entity itself has already migrated multiple times; there is no reason to believe the post-MIRhosting network stays dark.

This objection is correct as far as it goes, but it sets the wrong success criterion. The goal of an operation like this is not to arrest the SVR officer in Yasenevo who ordered a DDoS campaign against a Danish municipal election. The goal is to raise the operational cost of running persistent cyberattack and disinformation infrastructure inside the EU by shrinking the pool of willing European hosting providers. If hosting companies understand that they can be prosecuted for knowingly continuing to serve sanctions-designated networks under renamed entities, the post-sanction migration options narrow.

What the journalism-to-prosecution pipeline means. The Stark Industries case is also a demonstration of what the investigative-journalism-to-law-enforcement pipeline can accomplish. KrebsOnSecurity published the first major Stark Industries investigation in May 2024. When EU sanctions in May 2025 missed MIRhosting as the surviving connection, Krebs published a follow-on in September 2025 explicitly naming MIRhosting and Nesterenko. The Dutch FIOD arrested Nesterenko eight months later.

That eight-month gap is not a failure. It is the time required for FIOD to investigate, build a case under Dutch law, and coordinate the multi-location raid. The published reporting provided the intelligence lead; the law enforcement agency provided the investigative process and the legal authority. Neither could have accomplished the outcome alone.

This model — published investigative reporting reducing the “we didn’t know” defense, followed by law enforcement action timed to a prosecutable case — is replicable. It depends on the quality of the underlying investigative reporting, on law enforcement agencies with the mandate and capacity to pursue sanctions-violation cases in the cyber-infrastructure domain, and on legal frameworks that make facilitator liability meaningful. The Netherlands has now demonstrated all three components working in sequence.

The structural risk that remains. The arrests address the Dutch node. They do not address the broader structural condition: most bulletproof hosting infrastructure serving Russian offensive operations is registered in jurisdictions with no meaningful sanctions enforcement capacity. The Stark Industries network routed through Moldova, Russia, and the United Kingdom before landing in the Netherlands. Only the Dutch node was actionable for Dutch prosecutors.

The arrests also do not address the sanctioning body’s speed problem. The gap between the initial Stark Industries exposure in May 2024 and the EU sanctions in May 2025 was twelve months. The gap between sanctions and the infrastructure migrating to MIRhosting was measured in days. Enforcement institutions are structurally slower than the operational infrastructure they are attempting to disrupt. Closing that gap requires either faster sanctions designation processes or standing frameworks that make sanctions-evasion infrastructure presumptively unlawful independent of a specific designation.

Both reforms are politically available within EU institutions. Neither is currently on the Commission’s immediate legislative calendar.

What Defenders Should Do

1. Block and monitor MIRhosting and WorkTitans ASNs. AS209847 (WorkTitans B.V. / the[.]hosting) and AS33993 (UFO Hosting LLC) were the primary successor ASNs documented by Insikt Group. Defenders should verify whether these ranges appear in perimeter logs. Their presence in outbound traffic may indicate compromised systems contacting C2 infrastructure.

2. Update threat-intel feeds to include Stark successor infrastructure. The seizure of 800 servers does not guarantee complete infrastructure takedown. Insikt Group documented IP ranges including 45.15.178.0/24, 94.131.10.0/24, and 176.120.67.0/24 under the WorkTitans/THE umbrella; add these to block and alert lists pending further attribution.

3. Treat NoName057(16) as an ongoing threat. The DDoS campaigns operated by NoName057(16) predate MIRhosting and will continue after it. Organizations in European government, critical infrastructure, financial services, and political institutions should review their DDoS mitigation posture — in particular ensuring upstream provider scrubbing agreements are active and tested.

4. Monitor for Doppelganger successor infrastructure. The influence operations associated with the Stark network use domains that closely mimic legitimate European news outlets. Monitor outbound DNS resolution for lookalike domains and verify news sources before forwarding internally.

5. Review business relationships with unknown Netherlands-based hosting resellers. The Stark network operated through a chain of legitimate-looking Dutch commercial entities. Security teams at cloud providers and CDN operators should review contracts with resellers and ensure due-diligence processes include sanctions-screening for the beneficial owners of connectivity customers.

Sources

KrebsOnSecurity — Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks (May 25, 2026). https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/ ↗ — Primary breaking-news account; named Nesterenko and Zinad, documented the FIOD operation dates and seized-server counts.

The Record (Recorded Future News) — Dutch authorities arrest men suspected of providing infrastructure for Russian cyber operations. https://therecord.media/dutch-authorities-arrest-suspects-over-russian-cyber-operations ↗ — Independent confirmation of arrests, FIOD statement, charge framing under EU sanctions law.

KrebsOnSecurity — Bulletproof Host Stark Industries Evades EU Sanctions (September 2025). https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/ ↗ — The September 2025 investigation that identified MIRhosting as the surviving connection eight months before FIOD acted; named Nesterenko and his concert-pianist background; documented StopGeorgia[.]ru linkage.

Recorded Future / Insikt Group — One Step Ahead: Stark Industries Solutions Preempts EU Sanctions (2025). https://www.recordedfuture.com/research/one-step-ahead-stark-industries-solutions-preempts-eu-sanctions ↗ — Technical infrastructure analysis documenting the pre-sanctions migration timeline, ASN transfers, IP prefix movements, and the creation of WorkTitans B.V. and the[.]hosting as Stark successor entities.