Dutch authorities arrested two men on May 18 and seized more than 800 servers connected to hosting infrastructure that prosecutors say was used to support Russian cyberattacks, disinformation campaigns, and influence operations inside the European Union. The arrests follow investigative reporting that traced how sanctioned Russian-linked networks quietly shifted control to Dutch-registered entities.

The Arrests and Charges

The Dutch Tax Intelligence and Investigation Service (FIOD) arrested Andrey Nesterenko, a 39-year-old Russian national operating out of the Netherlands, and Youssef Zinad, a 57-year-old from Amsterdam. Both are co-owners of related hosting companies. They face charges of violating EU sanctions law by making economic resources available to sanctioned entities, directly or indirectly.

Investigators searched three businesses in Enschede and Almere, as well as two data centers in Dronten and Schiphol-Rijk. Laptops, phones, and the servers were seized during the operation. Customers of the-hosting received a notification shortly after the raid stating that data stored on seized servers had been lost and could not be recovered.

The Infrastructure Trail

The case centers on Stark Industries Solutions, a sprawling hosting provider that appeared just two weeks before Russia’s invasion of Ukraine in 2022. Stark rapidly became a significant source of DDoS attacks against European targets and a major supplier of proxy and anonymity services linked repeatedly to Russia-backed hacking groups.

The EU sanctioned Stark Industries, as well as Moldovan brothers Ivan and Yuri Neculiti and their company PQHosting, in May 2025 for aiding Russia’s hybrid warfare efforts. However, advance media coverage of the impending sanctions gave roughly two weeks of warning before the official announcement. During that window, Stark’s network assets were transferred from PQHosting to a new entity called the-hosting, under the control of a Dutch company called WorkTitans BV.

WorkTitans was controlled by Nesterenko and Zinad, and it received its Internet connectivity exclusively through MIRhosting, Nesterenko’s own provider. Zinad had previously worked at MIRhosting. The arrangement effectively preserved Stark’s operational infrastructure while placing it under entities not yet covered by existing sanctions.

Ties to Danish Election Period

Dutch newspaper de Volkskrant reviewed data indicating that WorkTitans and MIRhosting were among the most heavily used networks in pro-Russian attacks on Danish government bodies during the week of Denmark’s municipal elections in November 2025, between November 13 and 19.

MIRhosting issued a statement saying it had launched an internal investigation and temporarily paused services to WorkTitans as a precautionary measure. The company stated that its preliminary findings showed no indications its infrastructure was used to influence the Danish elections and that no anomalies were observed in network traffic during the cited period.

Nesterenko’s Response and Earlier History

Nesterenko denied that the transfer of assets to WorkTitans was intended to evade sanctions, stating the hardware and customer portfolio had already moved before the sanctions were announced. He added that the arrest has been harmful to him and his company, and that shutting down legitimate Dutch infrastructure would not stop cybercrime.

Nesterenko founded MIRhosting’s parent company, Innovation IT Solutions Corp., in 2004. That company is notable for having hosted a hacktivist website used to coordinate cyberattacks against Georgia during the 2008 Russian military conflict, widely considered the first instance of a significant cyberattack coinciding with an active military engagement.

  • Arrested: Andrey Nesterenko (39) and Youssef Zinad (57)
  • Charges: Violations of EU sanctions law
  • Seized: More than 800 servers, laptops, and phones
  • Locations searched: Enschede, Almere, Dronten, Schiphol-Rijk

The investigation remains ongoing. No trial dates have been announced.