In Could 2025, the European Union levied monetary sanctions on the homeowners of Stark Industries Options Ltd., a bulletproof internet hosting supplier that materialized two weeks earlier than Russia invaded Ukraine and rapidly grew to become a high supply of Kremlin-linked cyberattacks and disinformation campaigns. However new findings present these sanctions have executed little to cease Stark from merely rebranding and transferring their belongings to different company entities managed by its authentic internet hosting suppliers.
Picture: Shutterstock.
Materializing simply two weeks earlier than Russia invaded Ukraine in 2022, Stark Industries Options grew to become a frequent supply of large DDoS assaults, Russian-language proxy and VPN companies, malware tied to Russia-backed hacking teams, and faux information. ISPs like Stark are referred to as “bulletproof” suppliers after they domesticate a fame for ignoring any abuse complaints or police inquiries about exercise on their networks.
In Could 2025, the European Union sanctioned certainly one of Stark’s two primary conduits to the bigger Web — Moldova-based PQ Internet hosting — in addition to the corporate’s Moldovan homeowners Yuri and Ivan Neculiti. The EU Fee stated the Neculiti brothers and PQ Internet hosting have been linked to Russia’s hybrid warfare efforts.
However a new report from Recorded Future finds that simply previous to the sanctions being introduced, Stark rebranded to the[.]internet hosting, below management of the Dutch entity WorkTitans BV (AS209847) on June 24, 2025. The Neculiti brothers reportedly acquired a heads up roughly 12 days earlier than the sanctions have been introduced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers within the sanctions package deal.
In response, the Neculiti brothers moved a lot of Stark’s appreciable deal with area and different assets over to a brand new firm in Moldova referred to as PQ Internet hosting Plus S.R.L., an entity reportedly linked to the Neculiti brothers due to the re-use of a phone number from the unique PQ Internet hosting.
“Though nearly all of related infrastructure stays attributable to Stark Industries, these modifications doubtless mirror an try and obfuscate possession and maintain internet hosting companies below new authorized and community entities,” Recorded Future noticed.
Neither the Recorded Future report nor the Could 2025 sanctions from the EU talked about a second vital pillar of Stark’s community that KrebsOnSecurity recognized in a Could 2024 profile on the infamous bulletproof hoster: The Netherlands-based internet hosting supplier MIRhosting.
MIRhosting is operated by 38-year outdated Andrey Nesterenko, whose personal website says he’s an completed live performance pianist who started performing publicly at a younger age. DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Options Corp, which lists addresses in London and in Nesterenko’s acknowledged hometown of Nizhny Novgorod, Russia.
Picture credit score: correctiv.org.
In keeping with the ebook Inside Cyber Warfare by Jeffrey Carr, Innovation IT Options Corp. was chargeable for internet hosting StopGeorgia[.]ru, a hacktivist web site for organizing cyberattacks towards Georgia that appeared on the similar time Russian forces invaded the previous Soviet nation in 2008. That battle was regarded as the primary warfare ever fought wherein a notable cyberattack and an precise navy engagement occurred concurrently.
Mr. Nesterenko didn’t reply to requests for remark. In Could 2024, Mr. Nesterenko stated he couldn’t confirm whether or not StopGeorgia was ever a buyer as a result of they didn’t hold information going again that far. However he maintained that Stark Industries Options was merely one shopper of many, and claimed MIRhosting had not acquired any actionable complaints about abuse on Stark.
Nonetheless, it seems that MIRhosting is as soon as once more the brand new dwelling of Stark Industries, and that MIRhosting workers are managing each the[.]internet hosting and WorkTitans — the first beneficiaries of Stark’s belongings.
A duplicate of the incorporation paperwork for WorkTitans BV obtained from the Dutch Chamber of Commerce reveals WorkTitans additionally does enterprise below the names Misfits Media and and WT Internet hosting (contemplating Stark’s historic connection to Russian disinformation web sites, “Misfits Media” is a bit on the nostril).
An incorporation doc for WorkTitans B.V. from the Netherlands Chamber of Commerce.
The incorporation doc says the corporate was fashioned in 2019 by a y.zinad@worktitans.nl. That e-mail deal with corresponds to a LinkedIn account for a Youssef Zinad, who says their private web sites are worktitans[.]nl and custom-solution[.]nl. The profile additionally hyperlinks to a web site (etripleasims dot nl) that LinkedIn at present blocks as malicious. All of those web sites are or have been hosted at MIRhosting.
Though Mr. Zinad’s LinkedIn profile doesn’t point out any employment at MIRhosting, nearly all of his LinkedIn posts over the previous 12 months have been reposts of commercials for MIRhosting’s companies.
Mr. Zinad’s LinkedIn profile is stuffed with posts for MIRhosting’s companies.
A Google seek for Youssef Zinad reveals a number of startup-tracking web sites that record him because the founding father of the[.]internet hosting, which censys.io finds is hosted by PQ Internet hosting Plus S.R.L.
The Dutch Chamber of Commerce doc says WorkTitans’ sole shareholder is an organization in Almere, Netherlands referred to as Fezzy B.V. Who runs Fezzy? The cellphone quantity listed in a Google seek for Fezzy B.V. — 31651079755 — additionally was used to register a Fb profile for a Youssef Zinad from the identical city, based on the breach monitoring service Constella Intelligence.
In a sequence of e-mail exchanges main as much as KrebsOnSecurity’s Could 2024 deep dive on Stark, Mr. Nesterenko included Mr. Zinad within the message thread (youssef@mirhosting.com), referring to him as a part of the corporate’s authorized workforce. The Dutch web site stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s workplaces in Almere. Mr. Zinad didn’t reply to requests for remark.
Given the above, it’s tough to argue with the Recorded Future report on Stark’s rebranding, which concluded that “the EU’s sanctioning of Stark Industries was largely ineffective, as affiliated infrastructure remained operational and companies have been quickly re-established below new branding, with no important or lasting disruption.”
