Dutch authorities seize 800 servers and arrest two men over alleged sanctions breaches

Dutch financial crime investigators have arrested two men and seized more than 800 servers in a crackdown on infrastructure linked to EU-sanctioned hosting provider Stark Industries Solutions. The Tax Intelligence and Investigation Service (FIOD) executed searches at businesses in Enschede and Almere, as well as data centres in Dronten and Schiphol-Rijk, on May 18. Authorities confiscated laptops, telephones, and server hardware from the locations, marking a significant escalation in enforcement against entities accused of facilitating Russian cyber activities within the European Union.

The suspects, identified as Andrey Nesterenko, 39, and Youssef Zinad, 57, face charges of violating sanctions law by providing economic resources to sanctioned entities. The investigation centres on the technical infrastructure of Stark Industries, which emerged shortly before Russia’s invasion of Ukraine and became a primary conduit for distributed denial-of-service attacks and disinformation campaigns. Dutch media outlet de Volkskrant reported that the arrests follow a detailed examination of how these individuals managed the transition of Stark’s assets to new entities to maintain internet connectivity after previous sanctions were imposed on related parties.

Nesterenko, who operates MIRhosting, and Zinad were identified as the controllers of WorkTitans BV, the entity that assumed control of Stark’s remaining internet connections after the EU sanctioned PQHosting and the Neculiti brothers in May 2025. According to the investigation, WorkTitans relied solely on MIRhosting for connectivity. Data reviewed by de Volkskrant indicated that WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies during the week of Denmark’s municipal elections in November 2025.

In response to the allegations, MIRhosting has initiated an internal investigation and temporarily paused services to WorkTitans. The company stated that preliminary findings showed no anomalies or spikes in network traffic during the period in question and that no abuse reports had been received prior to media publication. Nesterenko denied that the transition of assets to WorkTitans was intended to evade sanctions, asserting that the hardware and customer portfolio had already been transferred before the sanctions were announced. He argued that closing the Dutch infrastructure company would harm legitimate users without stopping cybercrime.

Zinad has remained largely inaccessible to journalists, blocking LinkedIn access and failing to respond to multiple contact attempts over several months. Nesterenko stated that Zinad was never an employee of MIRhosting but assisted with business tasks under a commercial arrangement, although previous correspondence had listed Zinad as part of the company’s legal team. The arrests underscore the increasing scrutiny on hosting providers operating in the EU that are accused of enabling hybrid warfare tactics linked to Russian intelligence agencies.