Dutch authorities just took down a major piece of Russia’s cyberattack infrastructure. On May 18, the financial crimes agency FIOD arrested two men and seized more than 800 servers across two data centers, according to Hacker News, which carried the KrebsOnSecurity investigation behind the bust. The targets: the co-owners of two linked hosting companies accused of keeping a sanctioned Russian staging network alive inside the EU.
This is one of the clearest examples yet of a Western government going after the plumbing, not just the hackers.
What Happened
The two men arrested are a 57-year-old from Amsterdam and a 39-year-old from The Hague. Investigators charged them with violating sanctions law by making economic resources available to EU-sanctioned entities. Hacker News reports the raid hit three businesses in Enschede and Almere, plus two data centers in Dronten and Schiphol-Rijk. Alongside the servers, police grabbed laptops and phones.
The fallout for customers was immediate. A message sent to clients after the seizure said data stored on the servers had been lost and could not be recovered.
The Backstory
The case traces back to Stark Industries Solutions, a hosting provider that appeared just two weeks before Russia invaded Ukraine. Stark quickly became a launchpad for DDoS attacks on European targets and a go-to supplier of proxy and anonymity services for Russia-linked hacking groups.
Here’s how the chain unraveled, per the reporting:
- In May 2025, the EU sanctioned PQHosting and the Moldovan Neculiti brothers, one of Stark’s two main links to the wider internet.
- News of the coming sanctions leaked nearly two weeks early. During that window, Stark’s network assets were quietly transferred to a new entity called the.hosting, run by the Dutch firm WorkTitans BV.
- WorkTitans got its sole connection to the internet through MIRhosting, a Netherlands-based provider run by Russian native Andrey Nesterenko.
- The two men now under arrest are Nesterenko and Youssef Zinad, who had previously worked at MIRhosting.
That sequence is what makes this significant. The original sanctions missed Stark’s remaining connection to the internet. The asset transfer looked a lot like a move to keep operating while the paperwork caught up.
Why It Matters
Sanctions only work if someone enforces the gaps. The first round in 2025 cut one conduit and left another running. This arrest closes the loop the regulators left open, and it signals that hosting operators who service sanctioned networks can face criminal charges, not just blocked payments.
There’s an election angle too. The Dutch outlet de Volkskrant said it reviewed data showing WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies during the week of Denmark’s municipal elections in November 2025. That moves the story from abstract “hybrid warfare” to a concrete attempt to hit a democratic vote.
The Denials
Both Nesterenko and MIRhosting pushed back hard. Nesterenko said his company does not support cybercrime or sanctions evasion, and that the transfer to the.hosting was not meant to dodge anything. “The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared,” he wrote. He added that damaging a legitimate Dutch company “will not stop cybercrime, but it will harm many people who have done nothing wrong.”
MIRhosting said it paused services to WorkTitans as a precaution and found no signs its controlled servers were used against the Danish elections. The company said it saw no traffic spikes that would point to large-scale DDoS activity, and had received no abuse reports before the media coverage.
Worth noting: Nesterenko’s track record stretches back a long way. His parent firm hosted a hacktivist site used to organize cyberattacks against Georgia in 2008, during the Russian invasion of that country.
What to Watch Next
The legal case will test whether “the assets moved before the sanctions hit” holds up as a defense. Expect EU regulators to study how the leak and the rapid asset transfer let a sanctioned network keep running, and to tighten enforcement so the next takedown doesn’t leave a side door open. For hosting providers across Europe, the message is blunt: know your customers, or risk losing your servers.
More details are available in the original Hacker News report.