Dutch authorities have confiscated 800 servers associated with Russian cybercriminals.

      **TL;DR** Dutch financial crime investigators have confiscated 800 servers and apprehended two men accused of supplying hosting infrastructure to the Kremlin-affiliated hacking group NoName057(16). The servers, managed by WorkTitans and MIRhosting, were connected to entities evading sanctions controlled by two Moldovan brothers blacklisted by the EU.

      Dutch financial crime authorities have seized 800 servers and arrested two individuals in an operation targeting hosting companies that supported Russian state-sponsored cyberattacks throughout Europe. The Dutch Fiscal Information and Investigation Service (FIOD) conducted raids on two data centers last week, shutting down servers run by WorkTitans and MIRhosting, companies believed to have breached EU sanctions by renting server space to entities linked to sanctioned individuals.

      The arrests involved Youssef Zinad, the 57-year-old owner of WorkTitans, and Andrey Nesterenko, the 39-year-old founder of MIRhosting. Nesterenko, who is a Russian national residing in the Netherlands and a celebrated concert pianist, refuted any wrongdoing in a message on LinkedIn, asserting that he severed ties with the sanctioned individuals after their blacklisting and that no suspicious activities had originated from MIRhosting's network.

      **The sanctions trail**

      The case traces back to Iurie and Ivan Neculiti, two Moldovan brothers who managed Stark Industries Solutions, a hosting company that became a prominent facilitator of Russian cyberattacks in Europe following the full-scale invasion of Ukraine in 2022. In May 2025, the European Union imposed sanctions on the Neculiti brothers and their companies for aiding Russian state-sponsored hackers in executing cyberattacks, disinformation operations, and other destabilizing activities against EU member states.

      Reports suggest that the brothers received early warning about the sanctions. Krebs on Security indicated that they became aware of the pending sanctions roughly 12 days before the announcement due to media coverage in Moldova and the EU. Subsequently, Stark Industries rebranded as THE.hosting and transferred operations to WorkTitans BV, the Dutch entity currently under investigation. The infrastructure supporting the attacks merely transitioned to a new corporate entity in the Netherlands while continuing to utilize the same physical servers.

      **NoName057(16) and the gamification of cyberwar**

      The servers confiscated in the Dutch raids were associated with NoName057(16), a pro-Russian hacktivist collective responsible for executing distributed denial-of-service (DDoS) attacks against government websites, banking services, and critical infrastructure in Europe since 2022. This group inundates targeted websites with traffic until they become inoperable, a straightforward yet effective tactic that has caused disruptions across various entities, including Danish government bodies and the French postal service.

      NoName057(16) operates as more than a freelance group. The US Justice Department has recognized it as a clandestine initiative involving personnel from a Kremlin-affiliated agency named the Center for the Study and Network Monitoring of the Youth Environment. This organization maintains a daily leaderboard that ranks volunteers based on the number of attacks they execute, rewarding the most active participants with cryptocurrency. This approach has transformed cyberattacks into a gamified competition, promoting mass involvement in what essentially amounts to state-sponsored digital sabotage.

      According to an investigation by the Dutch newspaper Volkskrant, WorkTitans and MIRhosting were the primary networks utilized in a series of pro-Russian attacks targeting Danish government institutions over several days in November 2025. During the Christmas season, NoName057(16) targeted France’s postal service, resulting in delays in package deliveries nationwide.

      **Why the Netherlands keeps showing up**

      The Dutch raids underscore a persistent issue in European cybersecurity. Russian-linked hacking groups rely on hosting infrastructure within Western nations to carry out their attacks, and the Netherlands, home to some of Europe’s largest internet exchanges, presents an especially attractive environment. The Netherlands has spearheaded several major cybercrime operations, including Operation Endgame in 2024, which aimed at dismantling botnets responsible for hundreds of millions of euros in damages.

      The core issue lies in the speed—or lack thereof—of law enforcement responses. Cian Heasley, a principal consultant at UK cybersecurity firm Acumen Cyber, mentioned to Bloomberg that Russian hackers are more dependent on Western hardware than they might admit, which leaves them susceptible to police actions. However, they often evade consequences due to the lengthy time required for law enforcement to shut down problematic hosting companies. By the time investigators gather enough evidence and secure warrants, the necessary infrastructure is frequently replicated in other locations.

      The Dutch seizure marks the first instance of law enforcement targeting personnel behind NoName057(16)’s infrastructure rather than merely confiscating equipment. Nonetheless, a broader enforcement challenge persists. In 2023, Europe was the most targeted region for cyberattacks, accounting for 32% of global incidents, with state-sponsored sabotage attacks on European infrastructure reportedly tripling between 2023 and 2024.

      The DDoS attacks executed by NoName057(16