Dutch authorities seize 800 servers in raid on Russian cyberattack hosting
In brief
- FIOD seized 800+ servers on May 18 in an operation targeting hosting firms tied to Russian cyberattacks and sanctions evasion
- Two arrested: Youssef Zinad, 57, and Andrey Nesterenko, 39, linked to WorkTitans B.V. and MIRhosting
- Raids hit data centers in Dronten and Schiphol-Rijk, plus business sites in Enschede and Almere
- WorkTitans allegedly absorbed the assets of sanctioned Stark Industries Solutions under a new corporate structure after EU sanctions
The raid and arrests
The FIOD's coordinated action hit data centers in Dronten and Schiphol-Rijk, with additional searches at business locations in Enschede and Almere. Two individuals were arrested: Youssef Zinad, a 57-year-old from Amsterdam linked to WorkTitans B.V. (operating as THE.Hosting), and Andrey Nesterenko, 39, from The Hague, associated with MIRhosting.
The scale of this operation far exceeds prior enforcement actions. Back in November 2025, Dutch authorities had confiscated approximately 250 servers in a separate but related cybercrime investigation. The May 2026 raid more than tripled that haul, signaling a sustained campaign to dismantle these networks.
Sanctions evasion through corporate shells
WorkTitans B.V. didn't emerge from nowhere. Stark Industries Solutions was hit with EU sanctions in May 2025 for facilitating Russian hybrid warfare operations—DDoS attacks, malware distribution, and coordinated disinformation. After those sanctions landed, WorkTitans allegedly absorbed Stark's assets. Same servers. Same operations. Same clients. Just wearing a fresh corporate mask.
This pattern matters because European regulators have grown increasingly willing to look through corporate structures to find the beneficial owners and operators of sanctioned infrastructure. The FIOD's case demonstrates that simply rebranding doesn't erase accountability.
What bulletproof hosting enables
The seized infrastructure is believed to have enabled cybercriminal operations run by pro-Russian groups, including DDoS attacks and malware distribution tied to Russia's actions in Ukraine. These operations rely on what's known as bulletproof hosting—providers that, by design or negligence, look the other way when clients engage in illegal activity, resisting takedown requests and offering safe harbor for cyberattacks.
Compliance obligations are tightening. The Markets in Crypto-Assets Regulation (MiCA) framework already imposes obligations on crypto service providers to screen for sanctioned entities. As enforcement accelerates, hosting providers face mounting pressure to verify who they're actually serving.


