In a significant blow to the clandestine digital machinery supporting Russian intelligence operations, Dutch financial crime investigators have arrested two men accused of facilitating cyberattacks and disinformation campaigns against the European Union. The crackdown, executed by the Tax Intelligence and Investigation Service (FIOD) on May 18, targeted the operational core of two interconnected hosting companies that served as critical conduits for pro-Russian hacking groups.

The arrests mark the culmination of a long-running international investigation into how technical infrastructure, operating under the guise of legitimate Dutch enterprise, became a "bulletproof" staging ground for state-sponsored digital mischief.

The Principal Suspects and the Raid

The FIOD apprehended a 57-year-old Amsterdam resident and a 39-year-old resident of The Hague. While authorities have not released their identities in accordance with Dutch privacy laws, reporting by de Volkskrant and follow-up investigations by KrebsOnSecurity have identified the men as Youssef Zinad and Andrey Nesterenko, respectively.

The operation was sweeping. Investigators executed search warrants at three business locations in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. The haul was substantial: in addition to arresting the two suspects, authorities seized laptops, encrypted mobile devices, and more than 800 servers. For the clients of the hosting entities involved, the impact was instantaneous; a notice posted on the affected network informed customers that the data stored on the seized hardware was lost and effectively unrecoverable.

The suspects face severe charges related to the violation of international sanctions law. Specifically, they are accused of making economic resources available to entities sanctioned by the European Union—a direct contravention of the bloc’s attempts to strangle the financial and technical lifelines of the Russian war effort.

A Chronology of Sanctions Evasion

The investigation into this network began in the shadow of the 2022 invasion of Ukraine, when a sprawling hosting provider known as Stark Industries Solutions suddenly emerged. Almost immediately, Stark became a hub for massive distributed denial-of-service (DDoS) attacks against European government bodies and infrastructure.

The Rise of Stark Industries

By May 2024, deep-dive forensic analysis revealed that Stark was not merely a hosting provider but a key supplier of proxy and anonymity services for Russia-backed hacking collectives. The network relied on two primary "pipes" to the global internet. One of those pipes was provided by PQHosting, a firm run by Moldovan brothers Ivan and Yuri Neculiti.

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

In May 2025, the EU officially sanctioned PQHosting and the Neculiti brothers for their role in Russia’s hybrid warfare. However, the sanctions were incomplete. A second, equally critical connection to the internet remained untouched: MIRhosting, an entity operated by Andrey Nesterenko.

The "the[.]hosting" Shell Game

Sensing the regulatory net closing in, the actors behind this infrastructure engaged in a high-stakes shell game. Nearly two weeks before the official EU sanctions were announced, the network assets belonging to Stark were transferred from PQHosting to a new entity branded as the[.]hosting, which was under the umbrella of a Dutch company named WorkTitans BV.

WorkTitans was the brainchild of Nesterenko and his associate, Youssef Zinad. Investigative records indicate that WorkTitans’ only path to the internet was through MIRhosting, effectively keeping the malicious traffic flowing despite the EU’s attempts to cut off the source.

Evidence of Digital Aggression

The charges against Nesterenko and Zinad are underpinned by evidence suggesting their infrastructure was not merely "misused" by bad actors, but was a primary theater for state-aligned operations.

Data reviewed by de Volkskrant indicates that during the week of Denmark’s municipal elections in November 2025—a period marked by heightened anxiety regarding foreign interference—the WorkTitans and MIRhosting networks were the most frequently used infrastructure for cyberattacks directed at Danish government bodies.

The pattern of behavior fits a long-standing profile for Nesterenko. A native of Nizhny Novgorod, Russia, Nesterenko’s career in IT has long been intertwined with Russian geopolitical objectives. In 2004, he founded Innovation IT Solutions Corp., the parent company of MIRhosting. Notably, his infrastructure was used to host stopgeorgia[.]ru, a hub for hacktivists organizing cyber-assaults against Georgia during the 2008 Russo-Georgian War. Military analysts often cite that conflict as the first instance of a physical military invasion being accompanied by synchronized, large-scale cyber warfare.

The Defense: Denials and Discrepancies

Following the arrests, the narrative from the suspects has been one of victimhood and professional innocence. In a statement released via LinkedIn, MIRhosting asserted that it had launched an internal investigation and had paused services to WorkTitans as a precautionary measure.

"Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections," the company stated, claiming that no anomalous traffic spikes were recorded. They further argued that they had received no prior abuse reports or official requests regarding suspicious activity, suggesting that the regulatory action against them was disproportionate.

Nesterenko himself has vehemently denied the allegations of sanctions evasion. In an email correspondence, he claimed the transfer of assets to "the[.]hosting" was a standard business move unrelated to the EU’s blacklist. "Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong," Nesterenko argued.

However, the documentation suggests a much tighter collaboration between the men than Nesterenko admits. While he claims Zinad was merely an external contractor, internal emails show Zinad using a @mirhosting.com address and acting as part of the company’s legal team. Furthermore, Dutch educational and commercial registries have historically listed Zinad as the official contact for MIRhosting’s Almere office.

Implications for EU Cyber Security

The arrests of Nesterenko and Zinad serve as a sobering reminder of the difficulties inherent in policing the modern, decentralized internet. For years, these individuals leveraged the perceived anonymity of the hosting industry to act as a bridge between the Russian intelligence apparatus and the digital infrastructure of the West.

The implications of this case are three-fold:

  1. Closing the "Sanctions Gap": The case highlights that even when major entities are sanctioned, their secondary connections (often smaller, regional ISPs or resellers) can keep malicious networks online. Regulators are now under increased pressure to conduct more thorough "follow-the-money" and "follow-the-traffic" investigations into hosting supply chains.
  2. The "Bulletproof" Hosting Problem: The ease with which the assets were transferred from PQHosting to WorkTitans demonstrates how "bulletproof" hosting providers can evade detection by rapidly re-incorporating under new names. This agility makes it difficult for law enforcement to keep pace with state-sponsored cyber actors.
  3. Accountability for Facilitators: By targeting the owners of the infrastructure rather than just the anonymous hackers using it, the Dutch FIOD is sending a clear message: those who build the digital highways for cyber-aggression will be held legally responsible for the "cargo" that passes through them.

As the legal proceedings in the Netherlands move forward, the focus will likely remain on whether these men were unwitting conduits or willing participants in a larger geopolitical strategy. Regardless of the outcome, the seizure of 800 servers has effectively silenced one of the most prolific nodes of Russian-linked digital disruption, providing a temporary, albeit necessary, reprieve for European networks.