The Netherlands’ financial crime agency FIOD raided three hosting firms, confiscated more than 800 servers and detained the co‑owners of MIRhosting and WorkTitans BV, accusing them of breaching EU sanctions by providing internet backbone to the Russia‑backed Stark Industries network used in DDoS and disinformation campaigns.
Dutch raid targets Russian‑linked hosting chain
On 18 May 2026 the Dutch Tax Intelligence and Investigation Service (FIOD) executed coordinated raids in Enschede, Almere, Dronten and Schiphol‑Rijk. The operation resulted in the seizure of over 800 servers and the arrest of two men who ran the Dutch‑based hosting providers MIRhosting and WorkTitans BV. Both firms had become critical transit points for the Russian‑controlled infrastructure known as Stark Industries, a network repeatedly cited in European cyber‑espionage and disinformation operations.
The problem: a hidden conduit for sanctioned services
Stark Industries was first identified in a May 2024 deep‑dive by Krebs on Security as a newly created ISP that appeared two weeks before Russia’s invasion of Ukraine. Within weeks it was supplying massive distributed denial‑of‑service (DDoS) attacks against EU ministries and providing proxy services that appeared in almost every campaign attributed to Russian intelligence‑backed groups.
The original gateway into Stark’s backbone was PQHosting, owned by Moldovan brothers Ivan and Yuri Neculiti. The EU sanctioned PQHosting in May 2025, but the network quickly migrated to a new conduit: MIRhosting, a Dutch‑registered provider run by Russian national Andrey Nestorenko. MIRhosting supplied the last mile connectivity for Stark, while a second Dutch entity, WorkTitans BV, handled billing and customer management. WorkTitans was controlled jointly by Nestorenko and a 57‑year‑old Amsterdam businessman Youssef Zinad.
The Dutch investigation uncovered that, despite public denials, MIRhosting continued to route traffic for Stark well after the sanctions took effect. Traffic logs from November 2025 showed the MIRhosting‑WorkTitans link was the most frequently used path for pro‑Russian attacks against Danish government sites during the week of the Danish municipal elections.
Funding, ownership and the raid
The two arrested individuals are not venture‑backed startups; they are operators of a niche hosting business that generated revenue by selling bandwidth and server space to a handful of high‑value clients. Their business model relied on low‑cost colocation in Dutch data centres and a reputation for “privacy‑first” services, which made it attractive to actors seeking to hide malicious traffic.
During the raids, FIOD agents seized:
- 800+ rack‑mount servers and associated networking gear
- Laptops, smartphones and hard drives belonging to Nestorenko and Zinad
- Documentation linking WorkTitans’ invoices to MIRhosting’s IP blocks
- Internal emails that referenced “sanctions compliance” and the need to “maintain service continuity for existing clients”
Both men have been charged with violating EU sanctions law by providing economic resources to a sanctioned entity (Stark Industries) and with aiding and abetting cyber‑attacks against EU institutions.
Why the seizure matters for the broader security ecosystem
Disruption of a critical choke point – By taking control of the physical servers, Dutch authorities have effectively cut off a major transit route for Russian‑controlled traffic aimed at Europe. While the underlying malicious actors can migrate to other hosting providers, the loss of 800 servers represents a significant operational setback.
Precedent for sanction enforcement – The case shows that EU sanctions can be enforced beyond the original target (PQHosting) and reach ancillary service providers that enable the sanctioned network’s continued operation. It may encourage other member states to scrutinise their own hosting ecosystems for similar loopholes.
Collateral impact on legitimate customers – MIRhosting’s public statement emphasized that most of its clientele are unrelated to any illicit activity. The seizure has caused data loss for dozens of small businesses that rented servers from the platform, highlighting the tension between law‑enforcement action and the rights of innocent users.
Signal to the cyber‑crime market – The operation demonstrates that law‑enforcement agencies are willing to target the infrastructure layer, not just the front‑end malware or phishing kits. This could push malicious actors to adopt more decentralized hosting models, such as peer‑to‑peer cloud services, which are harder to seize.
Reactions from the accused and the industry
Nestorenko, who founded MIRhosting’s parent company Innovation IT Solutions Corp. in 2004, responded via email that the raid “has been extremely harmful” and that the transition to the‑hosting was not intended to evade sanctions. He argued that shutting down a legitimate Dutch company will not stop cybercrime but will hurt innocent customers.
Zinad, who has kept a low public profile since the 2025 story, did not respond to interview requests. Dutch media reported that he had blocked his LinkedIn profile and avoided phone calls for months before being arrested in Amsterdam.
Industry observers note that the case underscores the importance of transparent supply‑chain monitoring for hosting services. Companies that rely on third‑party data centres are now being urged to verify that their providers are not listed on sanction registers and to implement continuous network‑traffic analytics that can flag anomalous usage patterns.
What comes next?
The Dutch prosecutor’s office has not yet disclosed whether additional arrests are planned. A court date for the two defendants is expected later this summer, and the seized servers will likely be examined for forensic evidence that could link specific DDoS campaigns to the Stark network.
For organizations that hosted services on MIRhosting or WorkTitans, the immediate priority is to assess data loss, retrieve backups from alternative locations, and review any potential exposure of customer information.
The broader lesson for the European cyber‑defence community is clear: infrastructure-level interventions can be decisive, but they must be balanced against the risk of collateral damage to legitimate businesses. As the EU tightens its sanctions regime, we can expect more cross‑border cooperation aimed at the hosting layer that underpins many of today’s covert cyber operations.
For further reading, see the original Krebs on Security investigations:
Comments
Please log in or register to join the discussion