Dutch Police Seize 800 Servers, Arrest Two Tied to Russian Cyberattack Infrastructure

Dutch financial crime investigators arrested Andrey Nesterenko, the Russian-born founder of MIRhosting, and 57-year-old Youssef Zinad of Amsterdam on May 18, charging them with violating EU sanctions law. The pair allegedly kept Stark Industries Solutions operational after the EU sanctioned it in 2024 for serving as a staging ground for Russian intelligence operations, DDoS attacks, and disinformation campaigns across Europe. Authorities seized more than 800 servers, along with laptops and phones, in raids across data centers in Dronten and Schiphol-Rijk.

The arrests follow reporting that traced how Stark’s infrastructure quietly migrated from the sanctioned Moldovan-owned PQHosting to a new Dutch entity, WorkTitans BV, in the weeks before sanctions hit — with WorkTitans routing its connectivity exclusively through MIRhosting. De Volkskrant reviewed data showing the two networks were the most heavily used in pro-Russian attacks targeting Danish government bodies during the country’s November 2025 municipal elections. Nesterenko denies the transfer was sanctions evasion, arguing hardware and customers moved before sanctions took effect.

MIRhosting has paused services to WorkTitans pending its own internal review and claims it saw no traffic anomalies consistent with large-scale DDoS activity during the Danish election window. The case is notable for cracking down on the sanctions-laundering layer of bulletproof hosting — the corporate restructuring tricks that have historically let infrastructure providers keep serving sanctioned clients by reshuffling ownership before enforcement lands.