the-hosting Data Loss: What Users Should Know

the-hosting data loss became real for hundreds of customers the moment Dutch authorities walked into two data centers on May 18 and walked out with 800 servers. No warning. No grace period. Just seized hardware and a message that your data is gone forever. If you used the.hosting, you already know this. If you are just hearing about it, here is everything you need to understand what happened and why it matters.

What Just Happened in the Netherlands

Dutch financial crime investigators arrested two men on May 18. A 57-year-old from Amsterdam named Youssef Zinad. And a 39-year-old Russian native from The Hague named Andrey Nesterenko. Both are charged with violating sanctions law by funneling economic resources to entities sanctioned by the European Union.

It's catastrophic for the.hosting customers. But FIOD, the Dutch Tax Intelligence and Investigation Service, searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk, seizing laptops, telephones, and over 800 servers.

Who Was Arrested

Nesterenko runs MIRhosting, an Internet service provider based in the Netherlands. Zinad controlled WorkTitans BV, the Dutch entity that operated the.hosting. Together, these two men were the last remaining link between sanctioned Russian infrastructure and the wider Internet. KrebsOnSecurity first exposed this connection in September 2025. Now law enforcement has acted on it.

What Customers Were Told

800 servers. Seized. Gone. Customers of the.hosting received a blunt message after the raid. It did not mince words.

Unfortunately data stored on the server has been lost and cannot be recovered.

Not "we are working on recovery." Not "your data may be at risk." Just lost. Irrecoverable. If your business relied on those servers, you found out the hard way that geopolitical sanctions enforcement does not come with a backup plan.

the-hosting Data Loss: Who Is Affected

If you were a customer of the.hosting, you are affected. Period. There is no customer hotline for this. No insurance payout from the hosting company. The servers are in government custody. The data on them is not coming back.

But the impact goes deeper. The investigation targets Stark Industries Solutions, a hosting provider that appeared two weeks before Russia invaded Ukraine. Stark quickly became a staging ground for DDoS attacks, proxy services, and cyber operations linked to Russian intelligence. When the EU sanctioned Stark, its infrastructure did not vanish. It moved.

The Chain of Companies You Need to Know

Here is the trail, based on reporting from KrebsOnSecurity and the Dutch daily de Volkskrant:

• Stark Industries Solutions was the original sanctioned entity, tied to Russian cyberattacks and influence operations.
• Two Moldovan brothers, Ivan and Yuri Neculiti, provided Stark's connectivity through their company PQHosting.
• When PQHosting and the Neculiti brothers were sanctioned in May 2025, Stark's network assets shifted to a new entity called the.hosting.
• the.hosting was controlled by WorkTitans BV, a Dutch company run by Zinad and Nesterenko.
• WorkTitans got its Internet connectivity solely through MIRhosting, Nesterenko's company.

That is the chain. And on May 18, Dutch authorities broke it at the last two links.

The Backstory That Led to the Raid

This didn't come from nowhere. KrebsOnSecurity published a deep-dive on Stark Industries in May 2024, and a follow-up in September 2025 showed that EU sanctions had missed Stark's remaining Internet connection, MIRhosting, and that story named Nesterenko and Zinad directly.

Nesterenko, born in Nizhny Novgorod, Russia, grew up as a piano prodigy. He founded Innovation IT Solutions Corp in 2004. That company has a notable distinction. It hosted stopgeorgia[.]ru, a hacktivist website that appeared in 2008 when Russian forces invaded Georgia. That conflict is considered the first war where a cyberattack and military engagement happened simultaneously.

De Volkskrant reviewed data showing that WorkTitans and MIRhosting were the most-used networks in pro-Russian attacks on Danish government bodies between November 13 and 19, 2025. That was the week of Denmark's municipal elections.

What the Accused Are Saying

Nesterenko denies everything. He told de Volkskrant he had ended all services with the Neculiti brothers when EU sanctions took effect in May 2025. He reserved the right to take action against what he called "harmful and incorrect publications."

MIRhosting found nothing wrong. The company's statement said it didn't find indications its services were used to influence the Danish elections, and it saw no anomalies or traffic spikes and hadn't received any abuse reports before media coverage.

But that framing misses something. The lack of complaints does not prove the absence of misuse. It proves only that nobody caught it in real time. Meanwhile, 800 servers are gone. And so is customer data.

Nesterenko also pushed back on the sanctions evasion narrative.

The transition to the.hosting was not intended to evade sanctions. The hardware and customer portfolio had already been transferred to WorkTitans before the sanctions appeared. Closing or damaging a legitimate Dutch infrastructure company will not stop cybercrime, but it will harm many people who have done nothing wrong.

As for Zinad, he has been unreachable for months. He blocked access to his LinkedIn profile. He stopped responding to emails, WhatsApp messages, and phone calls. His WhatsApp auto-reply from October 2, 2025, read: "I am unavailable but will respond to your message as soon as possible." It was the only response de Volkskrant received in months. He was eventually arrested.

Nesterenko claims Zinad was never an employee of MIRhosting, only a contractor under a business-to-business arrangement. But KrebsOnSecurity found that Zinad used a @mirhosting.com email address, was copied on emails as part of the company's legal team, and was listed on a Dutch website as an official contact for MIRhosting's offices in Almere. The paper trail tells a different story.

What You Should Do If You Used the.hosting

Real talk. If you had data on the.hosting servers, it is gone. You need to act on what you can control right now.

• Check if you had off-site backups. If you did, start restoring immediately.
• If you did not have backups, contact any third-party services or clients that may hold copies of your data.
• Review what was stored on those servers. Emails? Customer records? Financial data? Know your exposure.
• If you have domain names or DNS managed through the.hosting, move them to another provider today.
• Watch for phishing. When a data loss event like this goes public, scammers pose as recovery services. Do not fall for it.

If You Are Not a the.hosting Customer

You might think this does not touch you. But here is the real takeaway. When you choose a hosting provider, you are also choosing the legal and geopolitical risks tied to that provider. Sanctions enforcement is real. Server seizures happen. If your host is tangled in international investigations, your data can become collateral damage overnight.

Ask your hosting provider hard questions. Who owns them? Where are their upstream connections? Do they have any ties to sanctioned entities or jurisdictions under scrutiny? If they cannot answer clearly, that silence is a risk factor.

The Bottom Line

the-hosting data loss is not a technical failure. It is a legal seizure with real consequences for real people who did nothing wrong. The investigation will continue. Nesterenko and Zinad face sanctions violation charges. More details will emerge. But for the customers who lost 800 servers worth of data, the damage is already done.

Do not wait for the next raid to ask whether your hosting provider can survive scrutiny. Ask now. Because if the answer is no, your data will not get a second chance.