Dutch financial crime investigators seized more than 800 servers and arrested two Netherlands-based men on May 18, 2026, dismantling the hosting infrastructure that kept Russia's most-documented shared cyberattack network running for more than a year after European Union sanctions had already tried and failed to shut it down. The Dutch Tax Intelligence and Investigation Service (FIOD) raided five locations — three business addresses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk — targeting a web-hosting operation that Dutch authorities say was used to carry out cyberattacks, foreign-interference operations, and disinformation campaigns against EU member states.
The investigation centered on Stark Industries Solutions, a hosting provider founded on February 10, 2022 — exactly two weeks before Russia launched its full-scale invasion of Ukraine, a timing that investigators and cybersecurity researchers have described as almost certainly deliberate.
FIOD charged Youssef Zinad, 57, of Amsterdam, and Andrey Nesterenko, 39, of The Hague, with violating EU sanctions law by directly or indirectly making economic resources available to entities sanctioned for supporting Russia's hybrid warfare campaign against Europe. Both suspects are presumed innocent until proven guilty in court.
Who Are Zinad and Nesterenko?
Nesterenko is the founder of MIRhosting, a Netherlands-based internet service provider that had become Stark Industries' sole remaining connection to the broader internet after the EU's May 2025 sanctions cut off one of its two previous conduits. Research by KrebsOnSecurity and Recorded Future had identified MIRhosting as the critical link that allowed Stark to keep operating after the initial sanctions wave, with the Dutch hosting company's infrastructure accounting for 84% of the communications used in distributed denial-of-service (DDoS) attack campaigns by pro-Russian hacker group NoName057(16).
Nesterenko's company history stretches back to a notable precedent: his parent company, Innovation IT Solutions Corp., founded in 2004, hosted stopgeorgia[.]ru, a hacktivist coordination website that appeared simultaneously with Russia's 2008 military invasion of Georgia — an event considered the first war in which a coordinated cyberattack and a military offensive happened at the same time.
Zinad, previously identified by KrebsOnSecurity as a co-controller of the Dutch entity WorkTitans BV, had been unreachable for months before his arrest. Dutch newspaper de Volkskrant, which reviewed network data as part of an eight-month investigation, reported that Zinad had blocked his LinkedIn account, ignored WhatsApp messages, and told a colleague that illness was forcing him to lead a reclusive life. He was eventually arrested at a residence in Amsterdam.
How EU Sanctions Evasion Kept Stark Industries Online
When the EU sanctioned Stark Industries and its Moldovan owners — brothers Ivan and Yuri Neculiti and their company PQHosting — in May 2025, the network did not go dark. The Neculiti brothers had reportedly received a heads-up approximately 12 days before the official sanctions announcement, when Moldovan and EU media reported on leaked documents identifying them as targets. During that window, the brothers transferred Stark's network assets to a new Dutch entity, WorkTitans BV, rebranding operations as the[.]hosting. Nesterenko and Zinad then took operational control of WorkTitans, with MIRhosting providing the sole connectivity that kept the rebranded network's servers online.
Analysis by GreyNoise confirmed a "seamless migration" of malicious infrastructure from Stark's original autonomous system to WorkTitans between August and November 2025, with virtually identical behavioral signatures — VPN services, scanning patterns, and attack traffic — continuing without significant interruption.
Danish Election Systems Among Documented Targets
De Volkskrant's investigation found that WorkTitans and MIRhosting were the most-used networks in pro-Russian cyberattacks against Danish government bodies during the week of November 13–19, 2025 — the precise week of Denmark's municipal elections. Shortly after the EU sanctions announcement in May 2025, Stark had transferred to WorkTitans specific IP addresses that NoName057(16) had been using to attack European targets, including at least one Danish municipal website, de Volkskrant reported.
Denmark's Defence Intelligence Service confirmed in December 2025 that NoName057(16) — which it assessed has direct connections to the Russian state — carried out DDoS attacks against Danish websites during the election period, and attributed the attacks to Russia's ongoing hybrid warfare campaign against Western nations supporting Ukraine.
The scale of NoName057(16)'s operations, run substantially through Stark and MIRhosting infrastructure, is well-documented: Recorded Future's Insikt Group tracked the group targeting 3,776 distinct hosts over 13 months between July 2024 and July 2025, averaging 50 unique targets per day across European government and public-sector entities.
Suspects Deny Wrongdoing
Nesterenko, who grew up as a piano prodigy in Nizhny Novgorod, Russia, before founding MIRhosting's parent company in 2004, responded in writing to questions shared via email. "The transition to the.hosting was not intended to evade sanctions," he wrote. "The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong."
MIRhosting also released a statement saying it had initiated an internal investigation into the Danish election allegations and temporarily suspended services to WorkTitans as a precautionary measure. The company said it had found "no indications that the services over which we exercise control were actually used to influence the Danish elections," and noted no anomalies or traffic spikes during the period in question.
Zinad did not respond to requests for comment from KrebsOnSecurity or de Volkskrant.
Sanctions Law as Cyber Enforcement Tool
Security analysts have highlighted the enforcement mechanism in this case as a notable development. Rather than pursuing the suspects exclusively under cybercrime statutes, FIOD's theory — that providing hosting and internet connectivity to a sanctioned entity constitutes a sanctions violation — treats the infrastructure layer of cyber operations as a direct target of financial law. Analysts at The CyberSignal noted the sanctions-evasion framing as a "potentially replicable legal mechanism" that suggests bulletproof hosting can increasingly be prosecuted as a sanctions matter and not only as a cybercrime.
The action fits within a broader 2026 enforcement pattern. European and international authorities have repeatedly targeted the shared infrastructure layer beneath cybercrime operations rather than pursuing individual actors who can be replaced within days. Operation Saffron, which seized the entire user database of a criminal anonymization service used by more than 25 ransomware groups, took place just days before the Stark Industries arrests.
Defenders and security teams should treat the seizure as an intelligence opportunity rather than a permanent fix. Bulletproof-hosting customers are likely to migrate to other abuse-tolerant providers within days of a takedown, meaning the underlying attack capability is likely to reconstitute on new infrastructure.
Frequently Asked Questions
What is bulletproof hosting and how does it enable Russian cyberattacks?
Bulletproof hosting refers to internet service providers that deliberately ignore abuse complaints, law enforcement requests, and court orders, making them attractive to cybercriminals and state-sponsored hackers who need stable infrastructure for DDoS attacks, malware delivery, and influence operations. In Stark Industries' case, researchers documented the provider hosting attack infrastructure for multiple Russian-aligned hacking groups simultaneously, making it a shared launchpad rather than a single threat actor's tool.
How did Stark Industries keep operating after EU sanctions in May 2025?
The Neculiti brothers, Stark's Moldovan owners, reportedly received advance warning of the impending sanctions approximately 12 days before the official announcement through leaked documents in Moldovan media. During that window, they transferred Stark's network assets to the Dutch entity WorkTitans BV, rebranding as the[.]hosting, with Nesterenko's MIRhosting providing the internet connectivity. Both WorkTitans and MIRhosting continued operating in the Netherlands, outside the scope of the original sanctions, until the FIOD arrests in May 2026.
What does the FIOD arrest of Zinad and Nesterenko mean for organizations targeted by DDoS attacks?
The seizure of 800 servers removes a significant piece of shared cyberattack infrastructure, but security experts caution that the disruption is unlikely to be permanent. Hacking groups like NoName057(16) that relied on Stark and MIRhosting infrastructure are likely to migrate to other abuse-tolerant hosting providers. Organizations that have experienced DDoS attacks originating from IP ranges associated with Stark Industries, WorkTitans, or MIRhosting should treat this moment as an opportunity to correlate historical attack data and update their network blocklists.
Why was a financial crime agency, not a cybercrime unit, responsible for this takedown?
FIOD charged the suspects under Dutch sanctions law rather than cybercrime statutes, alleging they made economic resources available to EU-sanctioned entities. This enforcement approach — treating the provision of hosting services to sanctioned organizations as a financial crime — is considered notable by analysts because it offers a separate legal track for pursuing hosting providers that enable Russian-state-aligned operations, even when direct cybercrime charges are difficult to prove.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
