Dutch hosting executives arrested over alleged support for Russian cyber operations
Dutch authorities have arrested the co-owners of two interconnected Internet hosting companies accused of providing infrastructure used by Russia to conduct cyberattacks, influence operations, and disinformation campaigns across the European Union. The two men were previously highlighted in a 2025 KrebsOnSecurity investigation that detailed how their companies had taken over key technical assets belonging to Stark Industries Solutions—an ISP sanctioned by the EU for serving as a launchpad for Russian intelligence–linked cyber activity.
The Dutch financial crimes agency FIOD carried out the arrests on May 18, detaining a 57-year-old man from Amsterdam and a 39-year-old from The Hague. Both are charged with violating EU sanctions by supplying economic resources—directly or indirectly—to entities under EU restriction.
A network at the center of Russian cyber operations
The investigation centers on Stark Industries, a large hosting provider that appeared just two weeks before Russia’s invasion of Ukraine. As documented in a May 2024 deep-dive, Stark quickly became a major source of distributed denial-of-service (DDoS) attacks targeting European institutions and a key supplier of proxy and anonymity services repeatedly linked to Russia-backed hacking groups.
That reporting identified Moldovan brothers Ivan and Yuri Neculiti—operators of PQHosting—as one of Stark’s two main upstream Internet providers. The EU sanctioned PQHosting and the brothers in May 2025 for supporting Russia’s hybrid warfare efforts. However, Stark’s other upstream provider, the Netherlands-based MIRhosting, remained untouched.
MIRhosting is run by 39-year-old Russian native Andrey Nesterenko, who operates the company from the Netherlands. When news leaked that PQHosting would soon be sanctioned, Stark’s network assets were quietly shifted from PQHosting to a new entity—the[.]hosting—controlled by WorkTitans BV, a Dutch company tied to Nesterenko and 57-year-old Amsterdam resident Youssef Zinad.
WorkTitans relied exclusively on MIRhosting for connectivity, and Zinad had previously worked at MIRhosting.
Raids and seizures
On May 18, FIOD investigators arrested Nesterenko and Zinad and searched three businesses in Enschede and Almere, along with two data centers in Dronten and Schiphol-Rijk. Authorities seized laptops, phones, and more than 800 servers.
Customers of the-hosting received a notice stating that all data stored on the seized servers had been lost and could not be recovered.
Dutch newspaper de Volkskrant reported that WorkTitans and MIRhosting were the most frequently used networks in pro-Russian cyberattacks targeting Danish government agencies between November 13 and 19, 2025—the week of Denmark’s municipal elections.
Denials and internal investigations
Before his arrest, Nesterenko denied knowing that his infrastructure was being used for pro-Russian cyber operations. He claimed he cut ties with the Neculiti brothers after the EU sanctions took effect and warned he would challenge “harmful and incorrect publications.”
MIRhosting issued a statement saying it had launched an internal investigation and temporarily suspended services to WorkTitans. The company said it found no evidence of abnormal traffic or DDoS activity during the Danish election period and had received no complaints or abuse reports prior to media inquiries.
A history of controversial hosting
Nesterenko, born in Nizhny Novgorod and once a child piano prodigy, founded MIRhosting’s parent company in 2004. That company hosted stopgeorgia[.]ru, a hacktivist site used to coordinate cyberattacks against Georgia during Russia’s 2008 invasion—widely considered one of the first conflicts where cyberattacks and military action occurred simultaneously.
Responding to emailed questions, Nesterenko insisted MIRhosting does not support cybercrime or sanctions evasion. He argued that the transition to the.hosting was not an attempt to bypass sanctions and warned that shutting down a legitimate Dutch infrastructure provider would harm innocent customers without stopping cybercriminals.
The elusive Mr. Zinad
Far less is publicly known about Zinad, who has kept a low profile since the earlier reporting. According to de Volkskrant, he blocked access to his LinkedIn profile, stopped responding to messages, and told a colleague he was withdrawing from public life due to illness.
Nesterenko has claimed Zinad was never an employee, only a business-to-business contractor. However, previous emails from Nesterenko copied Zinad at a @mirhosting.com address and described him as part of MIRhosting’s legal team. Dutch records also list Zinad as a contact for MIRhosting’s Almere office.
Zinad did not respond to inquiries from journalists. De Volkskrant reported that attempts to reach him by phone, WhatsApp, LinkedIn, and at his registered business address all failed. He was eventually arrested at a residence in Amsterdam.
Reward this post with your reaction or TipDrop:
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
TipDrop
0










