Dutch Authorities Seize 800 Servers in Raid Targeting Russian Cyber-Infrastructure Hub
Table of Contents
A Strategic Takedown in the Low Countries
Dutch authorities have dealt a significant blow to the technical backbone of Russian influence operations in Europe. In a coordinated series of raids, the Dutch financial crimes agency, FIOD, arrested two men and seized more than 800 servers, dismantling a hosting network allegedly used to bypass European Union sanctions and facilitate cyberattacks against EU member states.
The targets of the operation are a 57-year-old resident of Amsterdam and 39-year-old Andrey Nesterenko, a Russian native based in The Hague. The duo are accused of violating sanctions law by providing economic resources to entities specifically blacklisted by the EU for their role in Russia’s hybrid warfare efforts. The arrests follow a complex trail of corporate shell games designed to keep Russian-aligned infrastructure online after official sanctions were imposed.
The Stark Industries Connection
At the heart of the investigation is Stark Industries Solutions, a hosting provider that emerged just two weeks before the 2022 invasion of Ukraine. Stark quickly became a notorious staging ground for massive distributed denial-of-service (DDoS) attacks and a primary provider of proxy services used by Russian-backed hacking groups to mask their identities.
When the EU sanctioned Stark and its primary conduits—including the Moldovan-run PQHosting and the Neculiti brothers—the infrastructure didn’t simply vanish. Instead, it migrated. Reporting suggests that shortly before the sanctions were formally announced, assets were transferred to a new entity called the[.]hosting, managed by WorkTitans BV, a Dutch-registered firm.
WorkTitans was controlled by Nesterenko and Youssef Zinad, the Amsterdam resident arrested in the May 18 raids. Crucially, WorkTitans relied on MIRhosting for its connectivity to the global internet. MIRhosting is owned by Nesterenko, effectively creating a closed loop of infrastructure that allowed sanctioned Russian operations to continue operating from the safety of Dutch data centers.
Election Interference and Digital Fallout
The timing and utility of this infrastructure have raised red flags among European intelligence services. According to reports from the Dutch daily de Volkskrant, data suggests that WorkTitans and MIRhosting were among the most active networks used in pro-Russian attacks targeting Danish government bodies during the week of Denmark’s municipal elections in November 2025.
The scale of the FIOD operation was extensive. Investigators searched three business premises in Enschede and Almere, as well as two major data centers located in Dronten and Schiphol-Rijk. Beyond the 800 servers, authorities seized a trove of laptops and mobile phones.
The fallout for users was immediate. A message sent to the[.]hosting customers shortly after the seizure informed them that their data had been lost and was unrecoverable, signaling a total collapse of the service.
The Defense: ‘Legitimate Infrastructure’
Andrey Nesterenko has vigorously denied the allegations. In statements and emails, Nesterenko claimed he had no knowledge that his servers were being misused by cybercriminals and asserted that he had severed ties with the Neculiti brothers once EU sanctions took effect.
Nesterenko, once a piano prodigy in his native Nizhny Novgorod, has a long history with controversial hosting. His parent company, Innovation IT Solutions Corp, was linked to the hosting of stopgeorgia[.]ru during the 2008 conflict between Russia and Georgia—a conflict often cited as the first instance of a coordinated cyber-campaign coinciding with a conventional military invasion.
“The transition to the.hosting was not intended to evade sanctions,” Nesterenko stated, arguing that the hardware transfer had occurred before the sanctions were active. He warned that dismantling legitimate Dutch infrastructure companies would not stop cybercrime but would instead harm innocent clients.
Despite these claims, MIRhosting has temporarily paused services to WorkTitans as a “precautionary measure” while conducting an internal review. For now, the seizure represents one of the most aggressive attempts by an EU member state to physically purge the hardware supporting Russia’s digital offensive.
