Netherlands Arrests Two Men, Seizes More Than 800 Servers in Sanctions Probe
Dutch authorities have arrested two men and taken down more than 800 servers in an investigation into infrastructure allegedly used to support cyberattacks, influence operations, and disinformation ef...
Dutch authorities have arrested two men and taken down more than 800 servers in an investigation into infrastructure allegedly used to support cyberattacks, influence operations, and disinformation efforts tied to Russia.
The arrests were made on May 18 by the Netherlands’ Financial Intelligence and Investigation Service (FIOD), which said the suspects — a 57-year-old from Amsterdam and a 39-year-old from The Hague — are accused of violating sanctions rules by making resources available to sanctioned entities. Investigators also searched several business locations and data centers in the country.
Focus on hosting firms linked to Stark Industries
According to reporting in the Dutch press, the probe centers on a web of hosting companies connected to Stark Industries Solutions, a provider that rose to prominence shortly before Russia’s full-scale invasion of Ukraine in 2022. Stark was later identified in earlier research as a major source of DDoS attacks and proxy services used in campaigns associated with pro-Russian threat actors.
One of Stark’s key infrastructure suppliers was previously tied to the Moldovan brothers Ivan and Yuri Neculiti and their company PQHosting. The European Union sanctioned PQHosting and the brothers in 2025. After those sanctions were announced, remaining infrastructure was reportedly moved under a Dutch company called WorkTitans BV, which was linked to the two men now under arrest.
Authorities also seized laptops, phones, and servers during the raids. In a notice sent to customers, one affected hosting service said data stored on the seized systems had been lost.
Questions remain over network use
Dutch media outlets said internal data suggested that WorkTitans and MIRhosting were among the networks most heavily used during pro-Russian activity targeting Danish government entities in connection with the country’s municipal elections in late 2025. MIRhosting has denied knowingly supporting cybercrime or sanctions evasion and said it paused services to WorkTitans while reviewing the matter.
Andrey Nesterenko, who runs MIRhosting in the Netherlands, said the company does not support illegal activity and argued that shutting down infrastructure hurts legitimate customers as well. The second suspect, Youssef Zinad, has not publicly responded to the allegations.
The case highlights the continued focus of European investigators on hosting providers and other technical service firms that may be used to hide or enable hostile cyber operations.
