Dutch financial crime investigators have arrested two men and seized more than 800 servers in a sanctions case centered on internet infrastructure allegedly used for Russian cyberattacks and influence operations in the European Union.
The Dutch Fiscal Information and Investigation Service, known as FIOD, said it arrested a 57-year-old man from Amsterdam and a 39-year-old man from The Hague on May 18. According to de Volkskrant, prosecutors accuse the pair of violating sanctions law by directly or indirectly providing economic resources to entities under EU sanctions.
KrebsOnSecurity identified the men as Youssef Zinad and Andrey Nesterenko, who were linked to WorkTitans BV and MIRhosting, two Dutch-connected hosting operations that became important pieces of the plumbing around Stark Industries Solutions. That name sounds like cosplay, but investigators and researchers have treated it as something more prosaic: a hosting provider used as cover and capacity for hostile traffic.
Stark Industries appeared shortly before Russia’s full-scale invasion of Ukraine, according to earlier reporting by KrebsOnSecurity. The provider was later associated with large distributed denial-of-service attacks against European targets and with proxy and anonymity services seen in operations attributed to Russia-backed hacking groups.
The EU sanctioned Moldovan brothers Ivan and Yuri Neculiti, along with their company PQHosting, in May 2025 for allegedly supporting Russian hybrid warfare. KrebsOnSecurity reported that PQHosting had been one of Stark’s main routes to the wider internet. After reports of the sanctions surfaced before their formal announcement, Stark-linked network assets were moved to the.hosting, an entity controlled through WorkTitans BV, according to KrebsOnSecurity.
That left MIRhosting in a central role. KrebsOnSecurity reported that WorkTitans received its connectivity through MIRhosting, a Netherlands-based provider run by Nesterenko. The same reporting said Zinad controlled WorkTitans with Nesterenko and had previously worked with MIRhosting.
FIOD said investigators searched three businesses in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. The agency said it seized laptops, phones and more than 800 servers. A notice shown by KrebsOnSecurity from the.hosting to customers said data stored on seized servers had been lost and could not be recovered.
De Volkskrant reported that it reviewed data showing WorkTitans and MIRhosting were the most frequently used networks in pro-Russian attacks on Danish government bodies from Nov. 13 to Nov. 19, 2025, the week Denmark held municipal elections.
MIRhosting said in a public statement that it had opened an internal investigation into allegations concerning Denmark and had temporarily suspended services to WorkTitans while reviewing the matter. The company said its preliminary findings showed no indication that services under its control were used to influence the Danish elections, and said it had seen no traffic spikes or abuse complaints before the media reports.
Nesterenko told KrebsOnSecurity by email that MIRhosting does not support cybercrime, sanctions evasion or illegal activity. He said the move to the.hosting was not designed to dodge sanctions and that hardware and customers had already been transferred to WorkTitans before the sanctions appeared.
Zinad has not responded to requests for comment from KrebsOnSecurity or de Volkskrant. Nesterenko said Zinad was not a MIRhosting employee, describing his role as business-to-business support. KrebsOnSecurity reported that Nesterenko previously copied Zinad at a MIRhosting email address and described him as part of the company’s legal team.
This story draws on original reporting from Krebs on Security.