Dutch Authorities Dismantle Hosting Infrastructure Linked to Russian Cyberattacks
Two men were arrested in the Netherlands for allegedly violating sanctions by facilitating Russian influence operations through more than 800 seized servers.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
Start here
- Dutch financial crime agency FIOD arrested two individuals for providing economic resources to EU-sanctioned entities.
- Authorities seized more than 800 servers used by MIRhosting and WorkTitans to support Russian intelligence operations.
- The hosting infrastructure was reportedly used to launch DDoS attacks against Danish government bodies during elections.
What happened
On May 18, the Dutch financial crime agency FIOD arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague for allegedly violating sanctions law. The investigation focuses on the provision of technical infrastructure to Russian-linked entities. During raids in Enschede, Almere, and data centers in Dronten and Schiphol-Rijk, authorities seized laptops, phones, and more than 800 servers. Customers of the targeted hosting services were notified that data stored on those servers has been lost.
What's new in this update
The arrests of Andrey Nesterenko and Youssef Zinad mark a significant escalation in the crackdown on 'sanction-hopping.' Investigators found that assets from the previously sanctioned Stark Industries were transferred to a new entity called WorkTitans BV, which was controlled by the suspects. This new entity received its primary internet connectivity through Nesterenko's MIRhosting, effectively bypassing earlier EU restrictions intended to disable Russian hybrid warfare conduits.
Key details
Data reviewed by investigators indicates that WorkTitans and MIRhosting were the most-used networks for pro-Russian cyberattacks on Danish government bodies in November 2025. These attacks occurred during the week of Denmark’s municipal elections. Stark Industries, the entity at the heart of the probe, has been identified as a major source of massive distributed denial-of-service (DDoS) attacks and a supplier of proxy services for Russia-backed hacking groups.
Background and context
Stark Industries Solutions appeared shortly before the Russian invasion of Ukraine and has been a frequent staging ground for intelligence agency activity. While the EU sanctioned PQHosting and the Moldovan Neculiti brothers in 2025 for aiding Stark, the infrastructure was quickly shifted to MIRhosting in the Netherlands. Nesterenko had previously denied knowing his servers were misused, claiming he had ended services with the sanctioned Moldovan partners in May 2025.
What to watch next
The suspects are currently facing charges related to the direct or indirect provision of resources to sanctioned entities. The Dutch internal investigation into the Danish election interference is ongoing. Furthermore, the total loss of data for hundreds of customers on the seized servers may lead to additional legal complications and could reveal more about the clients utilizing these pro-Russian conduits.
Why it matters
This operation disrupts a critical technical bridge used by Russian-backed groups to launch cyber warfare and disinformation campaigns within the European Union.
Read next
Follow this story through the topic hub, more security coverage, and the latest updates.
Weekly briefing
Get the week's key developments in one concise email.
Get a fast catch-up on the biggest stories, the context behind them, and the links worth your time.
Cadence
Weekly, for a quick catch-up
Coverage
AI, business, world, security, sports
Format
Clear takeaways and useful context
Request the briefing
Leave your email to open a prepared request and get on the list for the weekly briefing.
Author
See who assembled this story and follow more of their work.
Sources and methodology