Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations, and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned by the EU as a frequent staging ground for cyber mischief from Russia’s intelligence agencies.
An investigator with the Tax Intelligence and Investigation Service (FIOD), the Dutch financial crimes agency, during the raid. Image: FIOD.
The Dutch daily news outlet de Volkskrant reports that the Dutch financial crime agency FIOD on May 18 arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague, charging them with violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned entities.
Background: Stark Industries and Its EU Ties
The Dutch investigation focuses on Stark Industries, a sprawling hosting provider that materialized just two weeks before Russia invaded Ukraine. As detailed in this May 2024 deep-dive, Stark quickly became the source of massive distributed denial-of-service (DDoS) attacks against European targets, and emerged as a top supplier of proxy and anonymity services that showed up time and again in cyberattacks linked to Russia-backed hacking groups.
That report identified two Moldovan brothers — Ivan and Yuri Neculiti and their company PQHosting — who were providing one of Stark’s two main conduits to the larger Internet. In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia’s hybrid warfare efforts. But as KrebsOnSecurity observed in September 2025, those sanctions failed to target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.
MIRhosting and WorkTitans
MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business out of the Netherlands. News that PQHosting and the Neculiti brothers were about to be sanctioned by the EU leaked in the media nearly two weeks before the sanctions were officially announced. During that window, the Stark network assets were transferred from PQHosting to a new entity called the[.]hosting, under the control of the Dutch entity WorkTitans BV.
WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad. WorkTitans was receiving connectivity to the larger Internet solely through MIRhosting, where Zinad had previously worked.
On May 18, Dutch financial crime investigators arrested Nesterenko and Zinad, and searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. A statement from Dutch authorities said investigators also seized laptops, telephones, and more than 800 servers.
A message to the-hosting customers immediately after 800 of its servers were seized by Dutch authorities. The message states that data stored on the servers has been lost and cannot be recovered.
De Volkskrant said it reviewed data showing WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies between November 13 and 19, 2025 — the week of Denmark’s municipal elections.
Nesterenko’s Denials
Prior to his arrest, Nesterenko denied knowing his servers had been misused by pro-Russian cybercriminals. He said he had ended all services with the Neculiti brothers when EU sanctions came into force in May 2025, and reserved all rights to take action against what he called “harmful and incorrect publications.”
MIRhosting released a statement saying it had initiated an internal investigation into the alleged facts concerning the Danish elections, and that it had temporarily paused services to WorkTitans as a precautionary measure.
“Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections,” the statement reads. “No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network.”
Born in Nizhny Novgorod, Russia, Nesterenko grew up as a piano prodigy who performed publicly at a young age. In 2004, he founded MIRhosting’s parent company Innovation IT Solutions Corp., which has the notable distinction of having hosted stopgeorgia[.]ru — a hacktivist website used to organize cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict is widely considered the first war in which a significant cyberattack and an actual military engagement occurred simultaneously.
Responding to questions via email, Nesterenko said MIRhosting does not support cybercrime, sanctions evasion, or illegal activity, and that the allegations and arrest have been extremely harmful to him and his company.
“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong.”
Zinad’s Disappearing Act
Far less is publicly known about Zinad. De Volkskrant reported that he blocked access to his LinkedIn account, went months without responding to emails, WhatsApp messages, and phone calls, and told a colleague that illness was forcing him to live a more reclusive life.
Mr. Zinad’s now-defunct LinkedIn profile. It was full of posts for MIRhosting’s services.
Nesterenko claims Zinad was never an employee of MIRhosting. “He helped me and MIRhosting with certain business tasks under a normal business-to-business arrangement between companies,” Nesterenko explained. However, in previous emails to KrebsOnSecurity, Nesterenko carbon copied Zinad — who used a @mirhosting.com email address — describing him as part of the company’s legal team. The Dutch website stagemarkt[.]nl also lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere.
De Volkskrant described repeatedly attempting to reach Zinad before his arrest, receiving only an automated WhatsApp reply in October 2025. He did not answer phone calls, did not respond to messages, and blocked the reporter who contacted him via LinkedIn. When journalists visited an Almere address linked to his personal limited company, no one was present — blinds were drawn, rubbish bags were piled outside, and a neighbor said he knew the man but had no idea where he was staying. Zinad was ultimately arrested at a residence in Amsterdam.