Dutch authorities confiscate 800 servers associated with Russian hackers.

      **Summary**: Dutch financial crime investigators have seized 800 servers and apprehended two individuals believed to have provided hosting infrastructure for the Kremlin-affiliated hacking group NoName057(16). The servers, managed by WorkTitans and MIRhosting, were associated with entities circumventing sanctions controlled by two Moldovan brothers, who are on the EU blacklist.

      The Dutch Fiscal Information and Investigation Service (FIOD) dismantled operations at two data centers last week, shutting down servers operated by WorkTitans and MIRhosting for allegedly breaching EU sanctions.

      The arrests included Youssef Zinad, the 57-year-old owner of WorkTitans, and 39-year-old Andrey Nesterenko, founder of MIRhosting, who is a Russian citizen residing in the Netherlands and also a celebrated concert pianist. In a message on LinkedIn, Nesterenko asserted his innocence, claiming he severed ties with sanctioned individuals after their blacklisting and emphasized that nothing dubious had been detected on MIRhosting's network.

      **Background**: The investigation traces back to the Neculiti brothers, Iurie and Ivan, who managed Stark Industries Solutions, a hosting firm that became a major facilitator of Russian cyberattacks in Europe following the onset of the Ukraine invasion in 2022. The EU sanctioned the brothers and their businesses in May 2025 for aiding Russian state-backed hackers. They reportedly received advance notice of the sanctions and subsequently rebranded Stark Industries to THE.hosting, moving their operations to WorkTitans BV, the focus of the current investigation. The infrastructure used for the attacks simply transferred to this new corporate identity in the Netherlands while still using the same physical servers.

      **Cyber Activities**: The seized servers were linked to NoName057(16), a pro-Russian hacktivist organization that has targeted government websites, banking services, and critical infrastructure across Europe since 2022 with distributed denial-of-service (DDoS) attacks. This group inundates targeted sites with traffic until they become inoperable, effectively disrupting a range of services.

      NoName057(16) operates within a structured framework. The US Justice Department has classified it as a covert operation involving personnel from a Kremlin-supported organization known as the Center for the Study and Network Monitoring of the Youth Environment, which maintains a leaderboard ranking volunteers based on their number of attacks and rewarding top contributors with cryptocurrency. This has gamified cyberattacks, incentivizing extensive participation in what is essentially state-sponsored digital disruption.

      According to an investigation by the Dutch outlet Volkskrant, WorkTitans and MIRhosting were extensively utilized in a series of pro-Russian attacks against Danish government entities in November 2025. Additionally, during the Christmas period, NoName057(16) targeted France’s postal service, causing delays in package deliveries nationwide.

      **Ongoing Issues**: The Dutch raids underline a persistent issue in European cybersecurity—Russian-aligned hacking groups rely heavily on hosting facilities within Western nations for their operations, with the Netherlands being a particularly attractive hub due to its significant internet exchanges. The country has spearheaded some of Europe’s major cybercrime operations, including Operation Endgame in 2024, focused on dismantling botnets responsible for considerable financial damages.

      The challenge lies in the speed of law enforcement responses. Cian Heasley, a principal consultant at the UK cybersecurity firm Acumen Cyber, remarked that Russian hackers might rely on Western infrastructure more than they acknowledge, making them susceptible to policing efforts. However, their operations often evade capture because the process of building cases and obtaining warrants is time-consuming, allowing for infrastructure replication elsewhere.

      The Dutch seizure of servers is not a first for law enforcement targeting NoName057(16), as a Europol-led operation previously dismantled 100 servers used by the group in July 2025. The swift recovery of 800 servers indicates that the group managed to quickly rebuild its operational capability, likely utilizing the same tactics of evasion previously adopted by the Neculiti brothers prior to their sanctions.

      **Challenges in Enforcement**: While the arrests of Zinad and Nesterenko mark a notable instance of law enforcement engaging with the individuals behind the infrastructure rather than merely confiscating hardware, broader enforcement issues remain. Europe faced the highest number of cyberattacks in 2023, representing 32% of global incidents, with state-sponsored sabotage on European infrastructures reportedly tripling between 2023 and 2024.

      The DDoS attacks by NoName057(16) are straightforward as they do not involve data theft or system breaches; they merely incapacitate websites, creating visible disruptions that align with Russia's broader information warfare strategies. The resulting harm manifests through diminished public trust, disrupted governmental operations, and the cumulative expenses associated with defending against these relatively inexpensive attacks.

      The operation resulting in the seizure of 800 servers and the arrest of two suspects represents a substantial achievement in operational terms. However, as NATO and European governments bolster their cyber defense initiatives, the underlying issue continues: