Netherlands seizes 800 servers in massive cyber‑crime bust

2 Min Read

Netherlands seizes 800 servers in a coordinated raid that also led to the arrest of two individuals accused of enabling Russian‑backed cyber campaigns across the EU.

Operation crackdown on Stark‑linked hosting

Agents of the Dutch Tax Intelligence and Investigation Service (FIOD) detained a 57‑year‑old Amsterdam resident and a 39‑year‑old Hague native on May 18, charging them with breaching EU sanctions by funneling resources to the outlawed provider Stark Industries Solutions.

Key infrastructure under fire

The sweep targeted MIRhosting, a Netherlands‑based ISP run by Russian national Andrey Nesterenko, and WorkTitans BV, the corporate shell that channeled traffic to the ↓ 800 seized servers across data centres in Dronten and Schiphol‑Rijk.

“The hardware and client base were transferred before the sanctions took effect,” Nesterenko told reporters via email.

Investigators linked the network to a surge of distributed denial‑of‑service attacks and proxy services that surfaced in Russian‑aligned disinformation drives, notably during Denmark’s municipal elections in November 2025.

Must Read Intel Uncover more details in our exclusive coverage here

Related Intel: CISA Demands Immediate Fix for Critical cPanel Plugin Flaw

According to Reuters, EU authorities had already black‑listed PQHosting and its Moldovan owners in May 2025, yet the Dutch entities remained operational until this intervention.

In a statement, MIRhosting said an internal review found “no anomalies” in traffic during the election week and that services to other clients remain uninterrupted.

Nesterenko, a former piano prodigy from Nizhny Novgorod, highlighted his 2004 venture Innovation IT Solutions Corp., which once hosted the hacktivist site stopgeorgia[.]ru during the 2008 Georgia conflict – a historic blend of cyber and kinetic warfare.

The arrested co‑owner, Youssef Zinad, has largely vanished from public view; attempts to reach him via LinkedIn, WhatsApp and phone have been rebuffed, echoing the opaque tactics often seen in covert sanction‑evasion schemes.

While Dutch officials stress the operation’s role in curbing hostile cyber activity, critics warn that dismantling legitimate hosting infrastructure can collateral‑damage innocent businesses, a concern amplified by the lingering effects of the recent pandemic on global supply chains.

Words by: Kaelen Frost

Lead Cybersecurity Analyst