Dutch Authorities Seize 800 Servers Linked to Russian Cyberattacks, Arrest Two Individuals
Published
Key Takeaways
- Hosting Infrastructure Seized: Dutch authorities confiscated over 800 servers linked to Russian cyber operations.
- Suspects Arrested: FIOD detained two individuals for allegedly violating EU sanctions linked to influence operations and disinformation campaigns.
- Election Interference Allegations: Pro-Russian attacks reportedly leveraged the networks during Danish municipal elections.
Dutch authorities have arrested the co-owners of two interconnected internet hosting companies accused of operating IT infrastructure utilized by Russia to execute cyberattacks, influence operations, and disinformation campaigns within the European Union. Authorities charge the individuals with violating international sanctions law by providing economic resources to EU-sanctioned entities.
Targeted Networks and Infrastructure Raids
According to the Dutch daily news outlet de Volkskrant, the Tax Intelligence and Investigation Service (FIOD) apprehended a 57-year-old from Amsterdam, Youssef Zinad, and a 39-year-old from the Hague, Andrey Nesterenko, on May 18. The law enforcement investigation centers on the infrastructure of Stark Industries Solutions, PQHosting, MIRhosting, and WorkTitans BV.
Key individuals associated with these targeted hosting entities are:
- Andrey Nesterenko and Youssef Zinad – controlled WorkTitans.
- Ivan Neculiti and Yuri Neculiti – Moldovan brothers owning PQHosting.
A KrebsOnSecurity report said that Stark, a hosting provider launched a couple of weeks before Russia invaded Ukraine, quickly became the source of distributed denial-of-service (DDoS) attacks against Europe and a supplier of proxy and anonymity services linked to Russia-backed hackers.
FIOD investigators executed search warrants at three business locations in Enschede and Almere, as well as at two large-scale data centers in Dronten and Schiphol-Rijk. During the coordinated raids, FIOD seized laptops, phones, and more than 800 servers.
The seized technical infrastructure actively supported broader geopolitical threat activity. De Volkskrant reported that network data indicated WorkTitans and MIRhosting served as the primary transit networks for pro-Russian cyberattacks directed at Danish government bodies between November 13 and November 19, 2025, which aligned with the week of Denmark’s municipal elections.
Prior to the announcement of the May 2025 EU sanctions against Stark Industries and the Neculiti brothers for facilitating Russian cyber operations against European countries, Stark rebranded to the[.]hosting, under the Dutch entity WorkTitans BV, The Recorded News had discovered.
Shortly after the announcement, Stark transferred to WorkTitans specific IP addresses used by the pro-Russian hacker group NoName057(16) to attack European targets, including at least one Danish municipal website, de Volkskrant found.
Vendor Response
In response to the law enforcement action, MIRhosting issued a public statement stating that it had temporarily paused services to WorkTitans as a precautionary measure while initiating an internal review.
The hosting provider stated that its preliminary findings showed no indications that the technical services under its direct control were utilized to influence the Danish elections.
In July 2025, Europol announced that NoName057(16) was dismantled in a global crackdown on pro-Russian hacktivists striking NATO allies.
In December 2025, the U.S. announced two indictments against an alleged key member of NoName057(16) and CARR (Z-Pentest), Ukrainian national Victoria Eduardovna Dubranova, following NoName057(16) and Z-Pentest’s February 2025 cyberattack on Polish sewage treatment plants.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular