Dutch financial crime investigators have seized 800 servers and arrested two men in a crackdown on hosting companies that provided infrastructure for Russian state-sponsored cyberattacks across Europe. The Dutch Fiscal Information and Investigation Service (FIOD) raided two data centres last week and shut down servers operated by WorkTitans and MIRhosting, two companies suspected of violating EU sanctions by renting server space to entities controlled by sanctioned individuals.

The arrests targeted Youssef Zinad, the 57-year-old owner of WorkTitans, and Andrey Nesterenko, the 39-year-old founder of MIRhosting. Nesterenko, a Russian citizen based in the Netherlands, is a prize-winning concert pianist. He denied wrongdoing in a LinkedIn message, saying he had cut off the relationship with the sanctioned individuals after they were blacklisted and that MIRhosting had not seen anything suspicious originating from its network.

The sanctions trail

The case traces back to Iurie and Ivan Neculiti, two Moldovan brothers who ran Stark Industries Solutions, a hosting company that became one of the most prolific enablers of Russian cyberattacks in Europe after the full-scale invasion of Ukraine in 2022. In May 2025, the European Union sanctioned the Neculiti brothers and their companies for helping Russian state-sponsored hackers conduct cyberattacks, disinformation campaigns, and other destabilising activities against EU member states.

But the brothers reportedly received advance warning. According to Krebs on Security, they learned of the forthcoming sanctions roughly 12 days before the announcement when Moldovan and EU media reported on the pending blacklisting. Stark Industries rebranded to THE.hosting and transferred its operations to WorkTitans BV, the Dutch entity now at the centre of the investigation. The infrastructure that powered the attacks simply moved to a new corporate shell in the Netherlands, continuing to operate from the same physical servers.

NoName057(16) and the gamification of cyberwar

The servers seized in the Dutch raids were linked to NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks against government websites, banking services, and critical infrastructure across Europe since 2022. The group floods targeted websites with traffic until they go offline, a simple but effective technique that has disrupted everything from Danish government agencies to the French postal service.

NoName057(16) is not a freelance operation. The US Justice Department has identified it as a covert project that includes employees of a Kremlin-backed organisation called the Center for the Study and Network Monitoring of the Youth Environment. The group runs a daily leaderboard that ranks volunteers by the number of attacks they launch and rewards the most productive contributors with cryptocurrency. It has turned cyberattacks into a gamified competition, incentivising mass participation in what amounts to state-sponsored digital sabotage.

WorkTitans and MIRhosting were the most-used networks in a series of pro-Russian attacks against Danish government organisations over several days in November 2025, according to an investigation by the Dutch newspaper Volkskrant. Over Christmas, NoName057(16) hit France's postal service and delayed package deliveries across the country.

Why the Netherlands keeps showing up

The Dutch raids highlight a structural problem in European cybersecurity. Russian-linked hacking groups depend on hosting infrastructure within Western countries to launch their attacks, and the Netherlands, home to some of Europe's largest internet exchanges, is a particularly attractive location. The Netherlands has led some of Europe's largest cybercrime operations, including Operation Endgame in 2024, which targeted botnets responsible for hundreds of millions of euros in damages.

The problem is speed, or the lack of it. Cian Heasley, principal consultant at UK cybersecurity firm Acumen Cyber, told Bloomberg that Russian hackers rely on Western hardware more than they like to admit, making them vulnerable to police action. But they get away with it because of how long it takes law enforcement to shut down rogue hosting companies. By the time investigators build a case and obtain warrants, the infrastructure has often been replicated elsewhere.

The Dutch seizure is not the first time law enforcement has targeted NoName057(16)'s infrastructure. In July 2025, a Europol-coordinated operation took down 100 servers that the group had apparently rented to power its attacks. The fact that 800 more servers were seized less than a year later suggests the group rebuilt its capacity quickly, likely by routing through the same sanctions-evading corporate structures that the Neculiti brothers set up before they were blacklisted.

The limits of enforcement

The arrests of Zinad and Nesterenko represent a rare case of law enforcement reaching the human operators behind the hosting infrastructure rather than just seizing hardware. But the broader enforcement challenge remains. Europe was the most targeted region for cyberattacks in 2023, accounting for 32% of global incidents, and state-linked sabotage attacks on European infrastructure roughly tripled between 2023 and 2024.

The DDoS attacks conducted by NoName057(16) are not sophisticated. They do not steal data or compromise systems. They simply knock websites offline, creating visible disruption that serves Russia's broader information warfare strategy. The damage is measured in lost public confidence, disrupted government services, and the cumulative cost of defending against attacks that are cheap to launch but expensive to absorb.

Seizing 800 servers and arresting two suspects is a significant operational result. But as NATO and European governments invest in cyber defence capabilities, the underlying problem persists: hosting infrastructure in democratic countries with strong internet connectivity will continue to be attractive to state-sponsored attackers precisely because it is fast, reliable, and, until someone files charges, legal.