In a high-stakes operation that underscores the growing intersection of corporate IT infrastructure and geopolitical warfare, Dutch financial crime authorities have dismantled a sprawling network accused of facilitating Russian intelligence operations. On May 18, the Tax Intelligence and Investigation Service (FIOD) arrested two men—a 57-year-old Amsterdam resident and a 39-year-old from The Hague—on charges of violating international sanctions law.
The arrests mark a significant escalation in the European Union’s efforts to plug the "bulletproof" hosting loopholes that have allowed pro-Russian actors to launch cyberattacks, disseminate disinformation, and execute influence operations against Western institutions from within the EU’s own borders.
The Nexus of Cyber-Warfare and Hosting
The investigation centers on the technical infrastructure of Stark Industries Solutions, an entity that materialized with suspicious speed just two weeks prior to Russia’s full-scale invasion of Ukraine in 2022. Stark quickly gained notoriety as a primary staging ground for massive distributed denial-of-service (DDoS) attacks against European government agencies and private enterprises.
The Dutch authorities allege that the two arrested individuals—identified in reports as Andrey Nesterenko and Youssef Zinad—were instrumental in maintaining the "pipes" that allowed these malicious actors to reach the global internet. The operation involved the seizure of laptops, mobile devices, and more than 800 servers across data centers in Dronten and Schiphol-Rijk, effectively pulling the plug on a critical node of the Russian cyber-proxy network.
A Chronology of Evasion
To understand the gravity of the May 18 raid, one must look at the cat-and-mouse game played between regulators and these hosting providers over the last three years.
The Rise of Stark Industries
When Stark Industries first emerged, it positioned itself as a high-performance hosting provider. However, security researchers—most notably those tracking infrastructure linked to the Russian intelligence apparatus—identified it as a haven for "bulletproof" hosting. It provided the necessary anonymity and proxy services for state-backed hacking groups to conduct their business while shielded from standard take-down requests.
The Moldovan Connection and EU Sanctions
In May 2025, the European Union imposed sweeping sanctions on PQHosting and its owners, the Moldovan brothers Ivan and Yuri Neculiti. The Neculitis were identified as providing a primary backbone for Stark’s operations. The sanctions were intended to cripple the network’s reach. However, the move highlighted a critical vulnerability: the Neculiti brothers were only one part of the equation. Stark Industries still maintained a secondary, vital conduit to the internet through the Dutch-based provider MIRhosting.

The "the[.]hosting" Pivot
Sensing the incoming regulatory pressure, the operators behind the Stark network engaged in a rapid restructuring. Leaked information suggested that assets were transferred from PQHosting to a new entity, the[.]hosting, which was placed under the control of a Dutch firm, WorkTitans BV. By shuffling ownership and infrastructure under the umbrella of a Dutch-registered company, the operators hoped to shield themselves from the reach of the EU’s sanctions regime.
The Final Takedown
Throughout late 2025, investigations by de Volkskrant and KrebsOnSecurity mapped the connection between WorkTitans, MIRhosting, and the ongoing attacks against European infrastructure. The data suggested that these networks were the most frequently used pathways for pro-Russian cyber-attacks targeting Danish government bodies during their municipal elections in November 2025. This evidence likely served as the catalyst for the coordinated FIOD raids that finally neutralized the hardware infrastructure.
Supporting Data: The Anatomy of a Proxy Network
The complexity of this operation is revealed through the digital breadcrumbs left behind by the providers. The evidence linking Nesterenko and Zinad to these operations is multifaceted:
- The Piano Prodigy’s Trail: Andrey Nesterenko, a Russian native, has a history in the hosting world dating back to 2004. His company, Innovation IT Solutions Corp, was famously responsible for hosting stopgeorgia[.]ru, a site used to coordinate cyber-assaults against Georgia during the 2008 conflict. This incident is widely cited by historians as the first example of a "cyber-war" occurring in tandem with conventional military maneuvers.
- The Role of Youssef Zinad: While Nesterenko served as the public face and technical architect, Youssef Zinad acted as a shadowy partner. Despite Nesterenko’s claims that Zinad was merely an external contractor, evidence suggests otherwise. Records indicate that Zinad used a @mirhosting.com email address and was listed as an official contact for the company’s physical offices in Almere.
- The Disappearance: Following the initial exposure of his role in late 2025, Zinad adopted a reclusive lifestyle. He deleted his professional online presence, ignored all inquiries from the press, and was eventually apprehended by authorities at a residential property in Amsterdam, having effectively gone off the grid to avoid scrutiny.
Official Responses and Denials
In the wake of the arrests, the atmosphere surrounding MIRhosting remains one of defiance and damage control.
MIRhosting released an official statement asserting that they were conducting an internal investigation. The company vehemently denied facilitating interference in the Danish elections, noting, "No anomalies or spikes were observed in our network traffic during the period mentioned in the publication." They further argued that they had terminated all services associated with the Neculiti brothers once the EU sanctions were codified in 2025.
Andrey Nesterenko, communicating via email before his detention, maintained that the move to the[.]hosting was a standard business transition, not an attempt to evade sanctions. "Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime," Nesterenko stated, "but it will harm many people who have done nothing wrong."
However, the Dutch authorities’ decisive action—and the subsequent loss of data for hundreds of customers hosted on the seized servers—suggests that the government viewed these entities as direct threats to national and regional security rather than legitimate businesses caught in the crossfire.

Geopolitical Implications
The dismantling of the MIRhosting and WorkTitans infrastructure carries profound implications for the future of digital sovereignty in the EU.
1. Closing the "Bulletproof" Gap
For years, hosting providers operating within the EU have exploited jurisdictional nuances to provide cover for state-sponsored cyber-adversaries. The Dutch crackdown sends a clear message that physical location within the EU provides no immunity if that infrastructure is weaponized against the bloc.
2. Strengthening Election Integrity
The correlation between these hosting networks and the attacks on Danish electoral infrastructure marks a dangerous trend: the use of commercial IT services to undermine democratic processes. By targeting the "plumbing" of these campaigns, investigators have demonstrated a shift toward proactive, rather than reactive, cyber-defense.
3. The End of "Business as Usual"
The case of Nesterenko and Zinad illustrates that "legitimate" hosting companies can be repurposed as extensions of state intelligence services. It sets a precedent that hosting providers must exercise extreme due diligence regarding their client base. If a provider cannot—or will not—monitor the traffic flowing through its servers, the law will now step in to seize the assets entirely.
As the legal proceedings against the two men unfold, the case will likely serve as a blueprint for other European nations to investigate similar "black box" hosting operations. The era of unchecked, anonymous infrastructure serving as a sanctuary for hybrid warfare is rapidly coming to a close, replaced by a more rigorous, intelligence-led approach to the internet’s physical backbone.
