Loading...
Loading...
Dutch investigators seized 800 servers, laptops and records and arrested two men after uncovering a hosting network linked to Stark Industries and a Dutch front, WorkTitans B.V. (THE.Hosting). Authorities say the infrastructure routed and monetized cyberattacks, disinformation and interference operations for sanctioned Russian and Belarusian actors, with Mirhosting providing colocation and transit into European exchanges. Danish probes connected the setup to DDoS campaigns by pro‑Russian hacktivist group NoName057(16). The coordinated seizures at data centers in Dronten and Schiphol‑Rijk aim to disrupt the technical backbone enabling sanctioned cyber activity across Europe.
Disruption of a commercial hosting network linked to sanctioned cyber actors shows law enforcement can target the middlemen enabling attacks. Tech professionals should reassess threat exposure from third-party hosting, colocation and transit providers.
Dossier last updated: 2026-05-25 14:43:41
Dutch authorities on May 18 arrested two co-owners of related hosting firms, seizing more than 800 servers and digital devices for allegedly running infrastructure that enabled Russia-linked cyberattacks and disinformation across the EU. The suspects—Andrey Nesterenko (MIRhosting) and Youssef Zinad (WorkTitans BV)—are accused of violating EU sanctions by providing connectivity and services tied to Stark Industries, a hosting network long implicated in DDoS, proxy and anonymity services used by Russia-backed groups. Investigators traced transfers of Stark assets through PQHosting and the-hosting after prior sanctions, and say WorkTitans and MIRhosting were heavily used in pro-Russian attacks around Denmark’s 2025 municipal elections. The seizures disrupt alleged abuse-for-hire infrastructure and signal stepped-up enforcement of sanctions and cybercrime ties to hosting providers.
Dutch authorities seized 800 servers and arrested two men linked to hosting companies accused of providing infrastructure used by Russia-linked cyberattacks, influence operations and disinformation across the EU. The arrests on May 18 by the FIOD target operators who allegedly made economic resources available to EU-sanctioned entities tied to Stark Industries, a hosting provider blamed for massive DDoS attacks and proxy/anonymity services used by Russia-backed groups. Earlier reporting traced Stark’s internet connectivity to Moldova’s PQHosting (sanctioned in May 2025) and a Dutch ISP that continued to route traffic despite sanctions, prompting the raid. The action underscores enforcement challenges against hosting providers exploited for state-aligned cyber operations.
Dutch authorities arrested two co-owners of related hosting firms and seized more than 800 servers after finding they operated infrastructure used by Russia-linked actors for cyberattacks, influence operations and disinformation across the EU. Investigators say the suspects — Andrey Nesterenko (MIRhosting) and Youssef Zinad (WorkTitans) — helped maintain Stark Industries Solutions’ connectivity after other conduits were sanctioned, and allegedly enabled DDoS, proxy and anonymity services tied to Russia-backed campaigns. The raids, searches of data centers and seizures of devices respond to alleged sanctions violations for providing economic resources to sanctioned entities; prosecutors also cited links to attacks on Danish government bodies during 2025 municipal elections. The takedown underscores enforcement risks for hosting providers that facilitate malicious or sanctioned actors.
Dutch financial crime investigators (FIOD) arrested two men and seized 800 servers, laptops, phones and records tied to Stark Industries and related firms after finding the hosting company enabled cyberattacks, interference operations and disinformation campaigns. Stark Industries — added to the EU sanctions list in May 2025 — allegedly shifted infrastructure to a new Dutch front company (reported as WorkTitans B.V., brand THE.Hosting) to keep supporting sanctioned Russian and Belarusian actors. Authorities say Mirhosting provided colocation and high-capacity connectivity into Europe, and Danish investigators linked the setup to DDoS attacks by the pro‑Russian NoName057(16) hacktivist group. The seizures target infrastructure used to route and monetize hostile operations, disrupting sanctioned cyber activity.
Dutch financial crime investigators (FIOD) arrested two men and seized 800 servers, laptops, phones and records linked to Stark Industries and associated firms after finding the web hosting infrastructure enabled cyberattacks, interference operations and disinformation campaigns tied to Russian and Belarusian sanctioned entities. Authorities say Stark Industries, founded in February 2022 and added to the EU sanctions list in May 2025, moved infrastructure into a new Dutch front company (reported as WorkTitans B.V. operating as THE.Hosting) and relied on Mirhosting for colocation and transit into European internet exchanges. Danish authorities have tied the setup to DDoS attacks by pro‑Russian hacktivist group NoName057(16). The raids targeted data centers in Dronten and Schiphol‑Rijk and aim to disrupt malicious hosting services.