Dutch authorities have taken into custody the co-owners of two connected Internet hosting firms for running IT systems that Russia exploited to launch cyberattacks, influence operations, and disinformation campaigns within the European Union. These two individuals were central figures in a 2025 KrebsOnSecurity investigation, which revealed how their hosting businesses had taken over the technical backbone of Stark Industries Solutions—an Internet provider sanctioned the previous year by the EU for repeatedly serving as a launchpad for cyber operations linked to Russian intelligence agencies.
An agent of the Tax Intelligence and Investigation Service (FIOD), the Netherlands’ financial crimes unit, seen during the raid. Image: FIOD.
According to the Dutch newspaper de Volkskrant, the country’s financial crimes agency FIOD arrested a 57-year-old Amsterdam resident and a 39-year-old from The Hague on May 18, accusing them of breaching sanctions regulations by directly or indirectly providing economic resources to entities sanctioned by the EU.
The Dutch probe centers on Stark Industries, a vast hosting provider that appeared just two weeks before Russia’s invasion of Ukraine. As outlined in a May 2024 in-depth report, Stark rapidly became a major source of large-scale distributed denial-of-service (DDoS) strikes against European targets and a leading provider of proxy and anonymity services that repeatedly surfaced in cyberattacks tied to Russian-backed hacking groups.
That investigation pinpointed two Moldovan siblings — Ivan and Yuri Neculiti along with their firm PQHosting — who managed one of Stark’s two primary links to the broader Internet. In May 2025, the EU imposed sanctions on PQHosting and the Neculiti brothers for supporting Russia’s hybrid warfare activities. However, as KrebsOnSecurity noted in September 2025, those sanctions overlooked Stark’s remaining Internet connection — a Netherlands-based Internet service provider called MIRhosting.
MIRhosting is run by Andrey Nesterenko, a 39-year-old Russian national operating the business from the Netherlands. Reports that PQHosting and the Neculiti brothers would soon face EU sanctions surfaced in the media nearly two weeks before the official announcement last year. During that window, Stark’s network assets were shifted from PQHosting to a new entity named the[.]hosting, managed by the Dutch company WorkTitans BV.
As our September 2025 report demonstrated, WorkTitans was controlled by Nesterenko and a 57-year-old Amsterdam resident named Youssef Zinad. Additionally, WorkTitans relied exclusively on MIRhosting, where Zinad had previously been employed, for its connection to the wider Internet.
On May 18, Dutch financial crime investigators detained Nesterenko and Zinad, and conducted searches at three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. Authorities stated they also confiscated laptops, mobile phones, and over 800 servers.

A notice sent to the-hosting customers right after Dutch authorities seized 800 of its servers. The message states that, regrettably, data stored on the servers has been lost and is unrecoverable.
De Volkskrant reported that data it examined showed WorkTitans and MIRhosting were the most frequently used networks in pro-Russian attacks on Danish government institutions between November 13 and 19, 2025—the week of Denmark’s local elections.
The newspaper wrote that before Nesterenko’s arrest, the MIRhosting founder denied any knowledge that his servers had been exploited by pro-Russian cybercriminals. “He claimed he had severed all ties with the Neculiti brothers once the EU sanctions took effect in May 2025,” and that he “reserved all rights to pursue action against ‘damaging and inaccurate reporting,’” de Volkskrant noted.
MIRhosting issued a statement saying it has launched an internal review of the alleged incidents related to the Danish elections and has temporarily suspended services to WorkTitans as a precaution while the situation is being examined further.
“Based on our initial findings, there is no evidence that the services under our control were actually used to influence the Danish elections,” the statement reads. “No irregularities or traffic spikes were detected in our network during the period referenced in the publication; had large-scale DDoS attacks taken place, such activity would have been clearly visible. Moreover, prior to the media report, we had not received any complaints, abuse notifications, or official inquiries concerning suspicious activities or misuse of our network. In the meantime, our regular operations continue, and service to all other clients remains completely unaffected.”
Originally from Nizhny Novgorod, Russia, Mr. Nesterenko was a piano prodigy who performed publicly from a young age. In 2004, he established MIRhosting’s parent company, Innovation IT Solutions Corp., which holds the notable distinction of being the firm that hosted stopgeorgia[.]ru—a hacktivist site used to coordinate cyberattacks against Georgia that emerged at the same time Russian military forces invaded the former Soviet republic in 2008. That conflict is widely regarded as the first war in which a significant cyberattack and a conventional military operation occurred simultaneously.
When responding to questions sent by email, Nesterenko stated that MIRhosting does not support cybercrime, sanctions evasion, or any illegal activity, and that the allegations and his arrest by Dutch authorities have caused severe harm to both him and his company.
“The move to the.hosting was not an attempt to circumvent sanctions,” Nesterenko wrote. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions were announced. Shutting down or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will hurt many innocent people who have done nothing wrong.”
Much less is publicly known about the 57-year-old Zinad, who has reportedly maintained a low profile since our story last year. De Volkskrant reported that Zinad restricted access to his LinkedIn profile and had gone months without responding to emails, WhatsApp messages, and phone calls. He informed a colleague that poor health was compelling him to adopt a more secluded lifestyle.

Mr. Zinad’s now-defunct LinkedIn profile. It was full of posts for MIRhosting’s services.
Mr. Nesterenko claims Zinad was never an employee of MIRhosting.
“He helped me and MIRhosting with certain business tasks under a normal business-to-business arrangement between companies,” Nesterenko explained.
However, in previous emails to KrebsOnSecurity, Nesterenko carbon copied Mr. Zinad (who had a @mirhosting.com email), explaining that he was part of the company’s legal team. Also, the Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere.
Mr. Zinad has never responded to requests for comment. Nor did de Volkskrant have any luck tracking him down. The publication said it repeatedly asked Mr. Zinad (referred to here as simply “Z”) for comment, but he reportedly avoided every form of contact.
“‘I am unavailable but will respond to your message as soon as possible,’ reads an automated reply on WhatsApp on 2 October 2025,” de Volkskrant reported. “It is the only response de Volkskrant would receive in months. He did not pick up his phone and did not call back. When an acquaintance asked him via LinkedIn to contact the reporter, he blocked access to his LinkedIn page. At an address in Almere where Z.’s personal limited company is registered, no one was present in April. The corner house’s blinds were drawn, and a pile of rubbish bags lay outside next to a container, as if someone had recently left. A neighbour said he knew the man but did not know where he was staying. Z. was later arrested at a residence in Amsterdam.”



