In a major blow to the digital backbone of Russian hybrid warfare, Dutch financial crime investigators have arrested two men accused of facilitating cyberattacks and disinformation campaigns across the European Union. The operation, led by the Tax Intelligence and Investigation Service (FIOD), resulted in the seizure of over 800 servers, marking a significant escalation in the European crackdown on "bulletproof" hosting services that cater to state-sponsored hackers.
The suspects—a 57-year-old Amsterdam resident and a 39-year-old from The Hague—are alleged to have violated international sanctions by providing critical IT infrastructure to entities involved in hostile cyber operations. Central to the investigation is the hosting provider "Stark Industries Solutions," a firm that emerged just weeks before Russia’s full-scale invasion of Ukraine and quickly became a primary staging ground for distributed denial-of-service (DDoS) attacks against European government institutions and infrastructure.
A Web of Deception: The Chronology of an Investigation
The origins of this crackdown trace back to the rapid proliferation of pro-Russian digital infrastructure following the escalation of the war in Ukraine in 2022.
The Rise of Stark Industries
Stark Industries Solutions burst onto the scene in early 2022, offering "bulletproof" hosting—a service model designed to ignore abuse reports and provide anonymity to its users. Intelligence agencies and cybersecurity researchers quickly identified Stark as a major supplier of proxy and anonymity services for Russian-backed hacking collectives. By 2024, it was clear that Stark was not merely a commercial entity but a strategic asset in the Kremlin’s hybrid warfare arsenal.
The PQHosting Connection
In May 2025, the European Union imposed sanctions on two Moldovan brothers, Ivan and Yuri Neculiti, and their company, PQHosting, for their role in facilitating Russian hybrid warfare. Investigations revealed that PQHosting served as one of the two main conduits connecting Stark’s infrastructure to the broader internet.
The Pivot to MIRhosting
As the net tightened around the Neculiti brothers, Stark Industries executed a tactical pivot. Reports indicate that, alerted by media leaks regarding the impending sanctions, Stark transferred its network assets to a new entity known as "the[.]hosting," which operated under the control of the Dutch firm WorkTitans BV. This maneuver effectively bypassed the initial round of EU sanctions by shifting the operational burden to MIRhosting, a Netherlands-based provider controlled by Russian native Andrey Nesterenko.
The May 2026 Raid
On May 18, 2026, the Dutch FIOD executed a coordinated series of raids across the country. Investigators searched three business premises in Enschede and Almere, alongside two high-capacity data centers in Dronten and Schiphol-Rijk. The operation led to the immediate seizure of hardware, including 800 servers, and the arrest of Nesterenko and his associate, Youssef Zinad.

The Faces Behind the Infrastructure
The two men at the center of the controversy represent an unlikely pair, bridging the worlds of Russian classical music and Dutch corporate consulting.
Andrey Nesterenko: The Prodigy Turned Infrastructure Mogul
Andrey Nesterenko, a 39-year-old born in Nizhny Novgorod, Russia, was once a celebrated piano prodigy. His professional trajectory, however, shifted sharply toward the digital frontier. In 2004, Nesterenko founded Innovation IT Solutions Corp. History shows the company’s early involvement in controversial activities; it was the host for stopgeorgia[.]ru, a website utilized to organize cyberattacks against Georgia during the 2008 conflict. This event is widely cited by military historians as the first modern instance of a cyber offensive operating in direct coordination with kinetic military action.
Youssef Zinad: The Elusive Associate
The role of Youssef Zinad, 57, remains more opaque. Following initial reports by KrebsOnSecurity in 2025, Zinad adopted a reclusive lifestyle, cutting off communication and scrubbing his digital footprint. While Nesterenko has attempted to characterize Zinad’s involvement as a limited, arm’s-length business arrangement, internal company documentation—including emails sent via official @mirhosting.com accounts and public business registries—suggests he functioned as a core legal and administrative pillar of the organization.
Supporting Data: Evidence of Malicious Intent
The case against WorkTitans and MIRhosting is supported by more than mere suspicion; it is built on forensic data regarding network traffic during critical geopolitical windows.
According to reports from de Volkskrant, WorkTitans and MIRhosting were identified as the primary networks utilized in a wave of pro-Russian cyberattacks directed at Danish government bodies in November 2025. These attacks coincided with Denmark’s municipal elections, highlighting the use of these hosting companies as tools for political interference rather than just clandestine hacking.
The immediate aftermath of the May 2026 raid saw the-hosting customers receive a stark, automated notice: "Unfortunately, data stored on the server has been lost and cannot be recovered." This acknowledgment of data loss confirms the total operational collapse of the network under the Dutch enforcement action.
Official Responses and Denials
The defendants have maintained a stance of innocence, arguing that their infrastructure was misused by third parties without their knowledge.

In a formal statement, MIRhosting claimed it had terminated all services associated with the sanctioned Neculiti brothers in May 2025. The company asserted that an internal investigation found no anomalies in its network traffic during the periods of the alleged Danish election interference. "Had large-scale DDoS attacks occurred, such activity would have been evident," the company stated, emphasizing that they had received no prior abuse reports or official requests for intervention from authorities.
Nesterenko, speaking through counsel and email, echoed these sentiments, describing the Dutch investigation as a "harmful" overreach. He argued that the transition of assets to WorkTitans was a legitimate business consolidation and that closing a Dutch infrastructure company would do little to deter global cybercrime while causing significant collateral damage to innocent third-party clients.
Strategic Implications: The Future of Hosting Accountability
The arrests and subsequent seizures represent a significant shift in how the European Union manages the "gray zone" of digital infrastructure.
The End of "Bulletproof" Immunity
For years, hosting providers have utilized jurisdictional arbitrage to evade responsibility, hiding behind the claim that they are merely "conduits" for data and cannot be held accountable for the content their users host. By charging the owners with violating sanctions law, Dutch prosecutors are setting a precedent: providers who knowingly facilitate sanctioned actors—or fail to perform adequate due diligence on high-risk traffic—are themselves complicit in the underlying crimes.
National Security vs. Digital Freedom
The case also underscores the fragility of the internet’s infrastructure. The seizure of 800 servers, while necessary for law enforcement, has undoubtedly impacted legitimate users who shared the same network space. This creates a difficult balancing act for the Netherlands and other EU nations as they attempt to sanitize the digital environment without disrupting the global digital economy.
A Deterrent for Future Proxies
The coordinated effort by the EU to target the supply chain of Russian cyber-espionage—moving from the hackers themselves to the ISPs and the individual owners of those ISPs—is designed to make the cost of operating such infrastructure prohibitively high. By targeting the human elements, such as Nesterenko and Zinad, authorities are signaling that the "digital veil" of anonymity is no longer a shield against international law.
As the legal proceedings in the Netherlands move forward, the case will likely serve as a blueprint for other nations seeking to dismantle the infrastructure that supports hostile state-sponsored cyber operations. For the global cybersecurity community, the message is clear: the infrastructure of hybrid warfare is finally being treated with the same severity as the warfare itself.

