"More than 800 servers" were seized during coordinated Dutch raids that also produced two arrests, according to public reporting of the operation.
May 18 raids, arrests, and material seized
Dutch financial crime investigators from the Tax Intelligence and Investigation Service (FIOD) arrested two men on May 18 and searched multiple business addresses and data centers, seizing laptops, telephones and more than 800 servers. De Volkskrant reported that the two arrestees are a 57-year-old from Amsterdam and a 39-year-old from The Hague. The men were charged with violating sanctions law by directly or indirectly making economic resources available to EU‑sanctioned entities.
How Stark Industries, MIRhosting, WorkTitans and PQHosting intersect
The seizures grew out of an inquiry into Stark Industries Solutions, a hosting provider that regulators and investigators have linked to large-scale distributed denial-of-service attacks, proxy and anonymity services, and other activity described in reporting as repeatedly used in operations tied to Russia-backed actors. Stark “materialized just two weeks before” the Russian invasion of Ukraine, the reporting notes, and later became a focus for sanctions and investigative attention.
KrebsOnSecurity’s reporting identified two Moldovan brothers, Ivan and Yuri Neculiti, and their company PQHosting as one of Stark’s primary conduits to the wider Internet; the EU sanctioned PQHosting and the Neculiti brothers in May 2025. Other reporting in September 2025 showed that when news of those impending sanctions leaked, Stark’s network assets were shifted to a new entity called the-hosting under the control of a Dutch company named WorkTitans BV. That report concluded WorkTitans was controlled by the 39-year-old Andrey Nesterenko and the 57-year-old Youssef Zinad, and that WorkTitans’ connectivity to the Internet came solely through MIRhosting.
Allegations of misuse during Denmark’s municipal elections
De Volkskrant said it reviewed data indicating that WorkTitans and MIRhosting were the most-used networks in pro‑Russian attacks on Danish government bodies between November 13 and 19, 2025—the week of Denmark’s municipal elections. In the immediate aftermath of the server seizures, the-hosting customers received a message stating that “unfortunately data stored on the server has been lost and cannot be recovered.”
MIRhosting issued a public statement saying it had temporarily paused services to WorkTitans while conducting an internal investigation. The statement reads, in part: “Based on our preliminary findings, there are no indications that the services over which we exercise control were actually used to influence the Danish elections. No anomalies or spikes were observed in our network traffic during the period mentioned in the publication; had large-scale DDoS attacks occurred, such activity would have been evident. Furthermore, prior to the media publication, we had not received any complaints, abuse reports, or official requests regarding suspicious activities or misuse of our network.”
Statements and background on Nesterenko and Zinad
Investigative reporting includes biographical and corporate details about both men. Andrey Nesterenko, described in reporting as born in Nizhny Novgorod and a former piano prodigy, founded Innovation IT Solutions Corp. in 2004, the parent of MIRhosting. Reporting notes that Innovation IT Solutions hosted stopgeorgia[.]ru, a hacktivist site that appeared during the 2008 conflict with Georgia. Nesterenko told reporters that “MIRhosting does not support cybercrime, sanctions evasion, or illegal activity,” and that the arrests had been “extremely harmful to him and his company.” He also wrote: “The transition to the.hosting was not intended to evade sanctions. The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong.”
Reporting portrays Youssef Zinad as keeping a low profile. De Volkskrant said Zinad blocked access to LinkedIn, had gone months without responding to messages, and maintained an automated WhatsApp reply on October 2, 2025. The publication reported that Zinad was later arrested at a residence in Amsterdam. Questions about Zinad’s formal role produced conflicting signals: Nesterenko said Zinad “helped me and MIRhosting with certain business tasks under a normal business-to-business arrangement between companies,” while earlier emails showed Zinad carbon‑copied on messages from a @mirhosting.com address that identified him as part of the company’s legal team. Zinad did not respond to requests for comment, the reporting says.
What this means for technologists, policymakers, and affected organizations
- Technologists and security teams: Customers of seized infrastructure have already received messages that some data “has been lost and cannot be recovered,” underscoring the operational consequences when law enforcement takes custody of hosting hardware tied to investigations.
- Policymakers and regulators: The sequence of asset transfers described in reporting—PQHosting sanctions in May 2025 followed by apparent movement of Stark assets to new entities—highlights enforcement challenges when connectivity paths and ownership change ahead of or during sanction actions.
- Affected enterprises and procurement leaders: MIRhosting temporarily paused services to WorkTitans and said regular operations for other clients continued. Organizations that rely on third‑party hosting should expect disruption where infrastructure is subject to criminal or sanctions enforcement.
The Dutch action—arrests, searches in Enschede and Almere and at data centers in Dronten and Schiphol‑Rijk, and the seizure of more than 800 servers—marks a forceful enforcement step in a complex network of providers, intermediaries and sanctioned entities. Prosecutors have accused the two men of providing economic resources to EU‑sanctioned entities; investigators now must show how the seized hardware and records map to the alleged assistance. How those technical traces align with the sanctions timeline and the allegations about election-related activity in Denmark will be central to the next phase of the case.




