Krebs on Security
Authorities in the Netherlands have apprehended the co-owners of two interconnected Internet hosting companies for facilitating IT infrastructure utilized by Russia in conducting cyberattacks, influence operations, and disinformation campaigns within the European Union. These individuals were previously highlighted in a 2025 KrebsOnSecurity report detailing their companies' takeover of the technical infrastructure of Stark Industries Solutions, an Internet service provider that was sanctioned by the EU the prior year for being a common launchpad for cyber operations attributed to Russian intelligence agencies.
As reported by the Dutch daily de Volkskrant, the Dutch financial crime agency FIOD arrested a 57-year-old resident of Amsterdam and a 39-year-old from The Hague on May 18. Both men face charges of breaching sanctions laws by knowingly or unknowingly providing economic resources to entities sanctioned by the EU.
The ongoing Dutch investigation centers on Stark Industries, a vast hosting provider that emerged just two weeks ahead of Russia's invasion of Ukraine. Stark quickly established itself as a primary source for considerable distributed denial-of-service (DDoS) attacks targeting European entities and became a leading provider of proxy and anonymity services frequently associated with cyberattacks linked to Russian-aligned hacking groups.
This investigation led to the identification of two Moldovan brothers — Ivan and Yuri Neculiti, along with their business PQHosting, which operated as one of Stark's two principal links to the broader Internet. In May 2025, the EU imposed sanctions on PQHosting and the Neculiti brothers for their role in supporting Russia's hybrid warfare strategies. However, these sanctions did not address Stark's remaining connection to the Internet — a provider based in the Netherlands, known as MIRhosting.
MIRhosting is managed by Andrey Nesterenko, a 39-year-old Russian native conducting business from the Netherlands. It was reported that media sources leaked information regarding the impending sanctions on PQHosting and the Neculiti brothers nearly two weeks before the official announcements. During this period, assets belonging to the Stark network were transferred from PQHosting to a newly established entity called the[.]hosting, which was under the management of the Dutch company WorkTitans BV.
WorkTitans was controlled by Nesterenko and a 57-year-old Amsterdam resident named Youssef Zinad. Additionally, WorkTitans was reliant on Internet connectivity exclusively through MIRhosting, where Zinad had previously been employed.
On May 18, the Dutch financial crime investigators detained Nesterenko and Zinad, executing searches at three businesses located in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. Dutch authorities confiscated laptops, mobile phones, and over 800 servers.
The report from De Volkskrant indicated that it reviewed data demonstrating that WorkTitans and MIRhosting were the predominant networks utilized in pro-Russian attacks against Danish government institutions during the week of November 13 to 19, 2025, coinciding with Denmark's municipal election period.
Before Nesterenko's arrest, the founder of MIRhosting denied knowledge of the misuse of his servers by pro-Russian cybercriminals. He claimed to have discontinued all services with the Neculiti brothers upon the enactment of the EU sanctions in May 2025, while asserting his intention to pursue legal action against what he termed "harmful and incorrect publications."
MIRhosting released a formal statement indicating it has launched an internal investigation into the claimed election-related activities in Denmark and that it has temporarily suspended services to WorkTitans as a precaution. "Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections," the statement asserts. "No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident."
Nesterenko, originally from Nizhny Novgorod, Russia, demonstrated early talent as a piano prodigy with public performances at a young age. He founded MIRhosting's parent company, Innovation IT Solutions Corp., in 2004, which was associated with hosting stopgeorgia[.]ru, a hacktivist platform that facilitated cyberattacks against Georgia during its 2008 conflict with Russia. This incident is often regarded as the first war that featured notable simultaneous cyber and military engagements.
In correspondence via email, Nesterenko stated that MIRhosting does not endorse cybercrime or sanctions evasion and views the allegations and the arrests by Dutch authorities as extremely detrimental to himself and his organization. "The transition to the.hosting was not intended to evade sanctions," Nesterenko clarified. "The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions became effective."
Limited public information is available regarding the 57-year-old Zinad, who has reportedly maintained a low profile following the prior investigation. De Volkskrant noted that he had restricted access to his LinkedIn account, gone months without responding to various communications, and conveyed to a colleague that health concerns necessitated a more reclusive lifestyle.
Nesterenko contends that Zinad was never formally employed by MIRhosting, asserting he only assisted with certain tasks under a standard business-to-business arrangement. Nonetheless, earlier emails sent by Nesterenko to KrebsOnSecurity included Zinad as part of the legal team, utilizing an email associated with the company.
Zinad has not provided any responses to media inquiries. De Volkskrant reported repeated attempts to contact him, all of which he evaded, including an automated response on WhatsApp indicating his unavailability. He did not answer phone calls and did not return messages. Upon being requested by an acquaintance via LinkedIn to engage with a reporter, he blocked access to his LinkedIn profile. He was subsequently arrested at a residence in Amsterdam.
Share this story