Dutch authorities did not just seize machines; they moved against the alleged business layer that kept Russia-linked cyber operations reachable, rentable, and resilient inside Europe.
The Netherlands’ FIOD arrested Andrey Nesterenko, 39, and Youssef Zinad, 57, on May 18, seized laptops, phones and more than 800 servers, and accused the two hosting-company operators of violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned entities, according to Krebs on Security.
Dutch investigators treated hosting as the weapon, not just the crime scene
The striking part of the Dutch action is not only the size of the seizure. It is the target selection.
Authorities went after the co-owners of two related Internet hosting companies accused of operating infrastructure used by Russia for cyberattacks, influence operations, and disinformation campaigns inside the European Union. That is a sharper move than blocking a few domains or naming another hacker group. It attacks the commercial substrate that allegedly made hostile activity scalable.
A domain can be replaced. A malware server can be rebuilt. A proxy range can rotate. But if prosecutors can show that a hosting business knowingly kept sanctioned or abusive operations online, they can move the fight from network indicators to personal and corporate liability.
That is the real thesis of this case: Europe is testing whether Russian-aligned cyber operations can be constrained by pressuring the infrastructure market between criminal customers, intelligence-linked activity, and nominally legitimate hosting.
This matters beyond cybersecurity. The same infrastructure can support DDoS attacks, anonymity services, phishing, malware command-and-control, propaganda mirrors, or traffic routing that obscures attribution. The hoster does not need to write the malware or author the disinformation to become operationally essential.
The question now is whether this model creates durable friction — or merely forces operators to rebrand, shift jurisdictions, and rebuild through smaller resellers.
The Stark Industries handoff sits at the center of the Dutch case
The Dutch investigation focuses on Stark Industries Solutions, a hosting provider that Krebs reported appeared just two weeks before Russia invaded Ukraine. Earlier Krebs reporting described Stark as a source of large DDoS attacks against European targets and as a supplier of proxy and anonymity services repeatedly appearing in Russia-linked cyberattacks.
The alleged infrastructure trail then moved through several names.

| Entity | Role described in source material |
|---|---|
| Stark Industries Solutions | EU-sanctioned ISP described as a staging ground for Russia-linked cyber activity |
| PQHosting | Company run by Ivan and Yuri Neculiti, identified as one of Stark’s two main Internet conduits |
| MIRhosting | Netherlands-based ISP operated by Andrey Nesterenko |
| WorkTitans BV | Dutch entity controlled by Nesterenko and Youssef Zinad, according to Krebs |
| the[.]hosting | New entity to which Stark network assets were transferred, under WorkTitans control |

In May 2025, the EU sanctioned PQHosting and the Neculiti brothers for aiding Russia’s hybrid warfare efforts. Krebs later reported that those sanctions did not hit Stark’s remaining Internet connection: MIRhosting.
The timing is central. Krebs says news that PQHosting and the Neculiti brothers were about to be sanctioned leaked nearly two weeks before the sanctions were announced. During that window, Stark network assets were transferred from PQHosting to the[.]hosting, controlled by WorkTitans BV.
That is why the Dutch case is not just about whether servers carried bad traffic. It is about continuity. If sanctioned infrastructure can shift assets, routes, customers, or control panels into a successor shell before enforcement lands, sanctions become less like a wall and more like a speed bump.
Hosting is also messy by design. A provider can serve ordinary customers while abusive customers hide behind resellers, proxies, false identities, or high-volume churn. That gray zone is where “we are only a hosting company” collides with sanctions law and national-security evidence.
For EU companies watching vendor risk expand from software suppliers into infrastructure providers, the case echoes broader European technology exposure questions. Even in unrelated sectors we track, such as Europe-facing hardware and distribution plays, the chain behind the product or service increasingly matters as much as the front-end brand.
The 800-server seizure shows the scale problem behind modern cyber campaigns
The number 800 is the operational clue.
A cyber campaign that depends on a handful of machines is fragile. A campaign backed by hundreds of servers can rotate infrastructure, absorb takedowns, split functions, host decoys, run proxy layers, and rebuild faster when defenders block known indicators.
The Dutch authorities also searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk, according to the source material. That footprint points to an infrastructure case, not a one-off abuse complaint.
The accusation is also more serious because prosecutors arrested alleged decision-makers rather than only unplugging hardware. Seizing machines disrupts operations. Arresting operators tests whether accountability can climb from IP addresses to corporate control.
De Volkskrant, cited by Krebs, said it reviewed data showing WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies between November 13 and 19, 2025, the week of Denmark’s municipal elections. That detail links the infrastructure question directly to democratic pressure points.
Influence operations need infrastructure too. They need hosting, mirrors, domains, analytics, accounts, routing, and fallback channels. Disinformation is not only messaging. It is distribution engineering.
MIRhosting disputes the implication that its controlled services were used to affect the Danish elections.
“Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections,” the statement reads. “No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network. Meanwhile, our regular operational activities continue, and our service to our other clients remains fully intact.”
That denial matters. So does the standard it implies. “No spikes” may be relevant for large DDoS claims, but not every influence or cyber-support function produces obvious traffic surges visible at a provider level.
Sanctions enforcement is moving from hacker aliases to infrastructure providers
Older cyber enforcement often centered on attribution: name the group, indict the hackers, seize the domains, publish indicators. This case sits in a different lane. It targets the companies alleged to have made sanctioned or hostile operations possible.
That shift reflects a practical constraint. Individual operators can be unreachable. Intelligence-linked actors may never appear in a European courtroom. Infrastructure providers, by contrast, may own companies, lease data-center space, hold customer records, maintain payment relationships, and sit inside jurisdictions with enforceable law.
The Dutch charge, as reported, is sanctions-related: directly or indirectly making economic resources available to EU-sanctioned entities. That framing is powerful because it does not require prosecutors to prove that a hoster personally launched every attack. The key question becomes whether the provider made resources available to sanctioned actors, and under what knowledge or intent.
Nesterenko rejects the sanctions-evasion theory.
“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong.”
That is the defense shape likely to matter: legitimate infrastructure, ordinary customers, pre-existing transfers, lack of knowledge, and collateral damage.
MLXIO analysis: the enforcement risk for hosting providers will increasingly turn on documentation. Who were the beneficial owners? When did assets move? Who controlled routing? What abuse reports arrived? What sanctions screening occurred? Who approved the customer migration? The answers can separate negligence from facilitation.
The hard part for Europe is that infrastructure is portable. If pressure rises, hostile operators can fragment across smaller resellers, offshore jurisdictions, compromised legitimate servers, or more opaque routing arrangements. A large seizure can hurt. It can also teach the next network to be less centralized.
Security teams, hosters, and civil-liberties lawyers will not see the same case
The national-security view is straightforward: if a provider knowingly supports sanctioned or hostile operations, commercial neutrality should not shield it. One infrastructure takedown can disrupt many campaigns at once.
The hosting-industry view is more anxious. Providers deal with resellers, shells, proxies, forged identities, and customers who look clean until abuse appears. A broad enforcement signal can raise compliance costs and make hosters fear liability for customer behavior they did not detect in time.
The civil-liberties view adds another constraint: enforcement must distinguish intentional facilitation from sloppy moderation or lawful controversial speech. Infrastructure cases can reach into the layer that keeps websites, email, and services online. That makes due process and evidence quality essential.

| Stakeholder | Likely reading of the Dutch arrests |
|---|---|
| Law enforcement | A way to disrupt many Russia-linked operations through one infrastructure case |
| Hosting firms | A warning that sanctions exposure and customer migration can become criminal risk |
| Enterprise customers | A reminder that third-party infrastructure can carry reputational and operational exposure |
| Civil-liberties advocates | A test of whether enforcement can avoid overbroad punishment of neutral services |
| Russian-aligned operators | A cost event that may push faster migration and decentralization |

The case also creates a collateral-risk problem. A message to the[.]hosting customers after the seizure said data stored on the server had been lost and could not be recovered, according to the source material. That is a brutal reminder that infrastructure enforcement can hit customers who may not be targets.
For companies, this is no longer just a cybersecurity procurement issue. It touches sanctions compliance, vendor due diligence, incident response, cyber insurance, and reputational exposure. The same discipline applied to software vendors now has to extend to hosting, DNS, VPN, and traffic-routing partners. Even ordinary tech-buying coverage, such as MLXIO’s look at European availability and supplier positioning in consumer hardware, sits in a broader reality: infrastructure relationships are becoming risk decisions.
EU companies should audit the networks beneath their vendors
The immediate lesson for enterprises, banks, media groups, election bodies, and critical-infrastructure operators is not “avoid small providers.” The lesson is to understand who sits underneath the services they buy.
Security teams should scrutinize:
- Sanctions exposure: Whether providers, owners, customers, or upstream partners have links to sanctioned entities.
- Abuse history: How quickly the provider responds to malware, phishing, DDoS, proxy abuse, and botnet reports.
- Reseller chains: Whether the company selling the service controls the infrastructure or merely fronts another network.
- IP reputation: Whether the provider’s ranges overlap with known malicious or high-risk activity.
- Ownership records: Whether beneficial control is documented, current, and consistent across corporate entities.
- Exit planning: Whether data is backed up outside the provider and recoverable if servers are seized or services are cut.
The Dutch action may create short-term disruption for abusive infrastructure tied to this case. It may also trigger migration. Defenders should watch for new domains, fresh hosting ranges, replacement proxy services, and sudden movement by customers previously tied to WorkTitans, MIRhosting, or the[.]hosting.
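The IP reputation, reseller chain, and exit planning checks above can be run against a vendor inventory in one pass. The following is an added example, not code from the source reporting: the watchlist labels, inventory records, and field names are hypothetical, and every address is constructed from reserved documentation ranges rather than any provider named in this article.

```python
import ipaddress

# Constructed watchlist: ranges a team has chosen to track, keyed by a
# hypothetical operator label. All ranges are reserved documentation space.
WATCHLIST = {
    "watched-hoster-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "watched-hoster-b": ["198.51.100.128/25"],
}

# Constructed vendor inventory: who sold the service, where it is hosted,
# and whether a copy of the data exists outside that provider.
INVENTORY = [
    {"service": "status-page", "seller": "reseller-x", "ip": "192.0.2.44", "offsite_backup": False},
    {"service": "mail-relay", "seller": "watched-hoster-b", "ip": "198.51.100.200", "offsite_backup": True},
    {"service": "cdn-origin", "seller": "vendor-y", "ip": "203.0.113.9", "offsite_backup": True},
    {"service": "vpn-gw", "seller": "reseller-z", "ip": "2001:db8:a:1::5", "offsite_backup": True},
    {"service": "legacy-ftp", "seller": "vendor-y", "ip": "not-an-ip", "offsite_backup": False},
]

def compile_watchlist(watchlist):
    """Parse CIDR strings once; strict=True rejects ranges with host bits set."""
    return [(op, ipaddress.ip_network(cidr, strict=True))
            for op, cidrs in watchlist.items() for cidr in cidrs]

def audit(inventory, watchlist):
    """Return (service, reasons) for every asset that needs follow-up."""
    nets = compile_watchlist(watchlist)
    findings = []
    for asset in inventory:
        try:
            addr = ipaddress.ip_address(asset["ip"])
        except ValueError:
            # Unparseable inventory data is itself a finding, not a pass.
            findings.append((asset["service"], ["unverifiable address"]))
            continue
        reasons = []
        # Membership is False across IP versions, so mixed lists are safe.
        hits = [op for op, net in nets if addr in net]
        for op in hits:
            reasons.append(f"hosted in watched range ({op})")
            if op != asset["seller"]:
                reasons.append(f"reseller chain: sold by {asset['seller']}")
        if hits and not asset["offsite_backup"]:
            reasons.append("no offsite backup (seizure/cutoff exposure)")
        if reasons:
            findings.append((asset["service"], reasons))
    return findings

if __name__ == "__main__":
    for service, reasons in audit(INVENTORY, WATCHLIST):
        print(f"{service}: " + "; ".join(reasons))
```

Re-running the audit whenever the watchlist changes also covers the migration case, since an asset that moves into a newly tracked range is flagged on the next pass.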
MLXIO analysis: the more important signal will be whether investigators follow the routes. If enforcement stops at 800 servers, operators can rebuild. If it extends into resellers, upstream connectivity, financial flows, customer handoffs, and successor networks, the cost of serving sanctioned demand rises.
The next enforcement front is successor networks, not splashy takedowns
The Dutch seizure will not end Russia-linked cyber operations. The source material does not support that kind of claim. But it does show a more aggressive European posture toward the infrastructure market that supports them.
The next phase is likely to focus on the mechanics exposed here: asset transfers before sanctions, customer migration into new entities, sole-source connectivity through friendly providers, and hosting brands that preserve continuity while changing names.
Evidence that would strengthen the Dutch thesis includes court filings showing knowledge, intentional sanctions evasion, beneficial ownership links, abuse reports ignored, or operational ties between sanctioned entities and successor companies. Evidence that would weaken it includes credible records showing legitimate pre-sanctions transfers, meaningful customer screening, prompt abuse handling, and no controlled-service role in the cited Danish election-week activity.
For defenders, the practical watch item is migration. If related infrastructure rapidly reappears through smaller providers or opaque resellers, the seizure becomes the opening move in a longer infrastructure contest. If arrests, sanctions, and server seizures make providers refuse this business before it lands, Europe will have made the market more expensive and legally dangerous for state-aligned campaigns.
Impact Analysis
- The case targets the hosting layer that allegedly helped Russia-linked cyber operations stay online in Europe.
- It signals that infrastructure providers may face liability if they knowingly support sanctioned or abusive activity.
- The action could reshape how European authorities disrupt cyberattacks, disinformation, and influence operations.










