In Might 2025, the European Union Fee levied monetary sanctions on the homeowners of Stark Industries Options Ltd., a bulletproof internet hosting supplier that materialized two weeks earlier than Russia invaded Ukraine and rapidly turned a high supply of Kremlin-linked cyberattacks and disinformation campaigns. However new findings present these sanctions have completed little to cease Stark from merely rebranding and transferring their property to different company entities managed by its unique internet hosting suppliers.
Picture: Shutterstock.
Materializing simply two weeks earlier than Russia invaded Ukraine in 2022, Stark Industries Options turned a frequent supply of huge DDoS assaults, Russian-language proxy and VPN providers, malware tied to Russia-backed hacking teams, and faux information. ISPs like Stark are referred to as “bulletproof” suppliers once they domesticate a status for ignoring any abuse complaints or police inquiries about exercise on their networks.
In Might 2025, the European Union sanctioned one among Stark’s two predominant conduits to the bigger Web — Moldova-based PQ Internet hosting — in addition to the corporate’s Moldovan homeowners Yuri and Ivan Neculiti. The EU Fee mentioned the Neculiti brothers and PQ Internet hosting had been linked to Russia’s hybrid warfare efforts.
However a brand new report from Recorded Future finds that simply previous to the sanctions being introduced, Stark rebranded to the[.]internet hosting, underneath management of the Dutch entity WorkTitans BV (AS209847) on June 24, 2025. The Neculiti brothers reportedly received a heads up roughly 12 days earlier than the sanctions had been introduced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers within the sanctions bundle.
In response, the Neculiti brothers moved a lot of Stark’s appreciable deal with house and different sources over to a brand new firm in Moldova referred to as PQ Internet hosting Plus S.R.L., an entity reportedly linked to the Neculiti brothers because of the re-use of a telephone quantity from the unique PQ Internet hosting.
“Though nearly all of related infrastructure stays attributable to Stark Industries, these modifications possible replicate an try and obfuscate possession and maintain internet hosting providers underneath new authorized and community entities,” Recorded Future noticed.
Neither the Recorded Future report nor the Might 2025 sanctions from the EU talked about a second important pillar of Stark’s community that KrebsOnSecurity recognized in a Might 2024 profile on the infamous bulletproof hoster: The Netherlands-based internet hosting supplier MIRhosting.
MIRhosting is operated by 38-year previous Andrey Nesterenko, whose private web site says he’s an achieved live performance pianist who started performing publicly at a younger age. DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Options Corp, which lists addresses in London and in Nesterenko’s said hometown of Nizhny Novgorod, Russia.
Picture credit score: correctiv.org.
In line with the ebook Inside Cyber Warfare by Jeffrey Carr, Innovation IT Options Corp. was chargeable for internet hosting StopGeorgia[.]ru, a hacktivist web site for organizing cyberattacks towards Georgia that appeared on the identical time Russian forces invaded the previous Soviet nation in 2008. That battle was considered the primary battle ever fought through which a notable cyberattack and an precise navy engagement occurred concurrently.
Mr. Nesterenko didn’t reply to requests for remark. In Might 2024, Mr. Nesterenko mentioned he couldn’t confirm whether or not StopGeorgia was ever a buyer as a result of they didn’t preserve data going again that far. However he maintained that Stark Industries Options Inc. was merely one consumer of many, and claimed MIRhosting had not obtained any actionable complaints about abuse on Stark.
Nonetheless, it seems that MIRhosting is as soon as once more the brand new residence of Stark Industries, and that MIRhosting staff are managing each the[.]internet hosting and WorkTitans — the first beneficiaries of Stark’s property.
A replica of the incorporation paperwork for WorkTitans BV obtained from the Dutch Chamber of Commerce reveals WorkTitans additionally does enterprise underneath the names Misfits Media and and WT Internet hosting (contemplating Stark’s historic connection to Russian disinformation web sites, “Misfits Media” is a bit on the nostril).
An incorporation doc for WorkTitans B.V. from the Netherlands Chamber of Commerce.
The incorporation doc says the corporate was shaped in 2019 by a [email protected]. That electronic mail deal with corresponds to a LinkedIn account for a Youssef Zinad, who says their private web sites are worktitans[.]nl and custom-solution[.]nl. The profile additionally hyperlinks to a web site (etripleasims dot nl) that LinkedIn at the moment blocks as malicious. All of those web sites are or had been hosted at MIRhosting.
Though Mr. Zinad’s LinkedIn profile doesn’t point out any employment at MIRhosting, nearly all of his LinkedIn posts over the previous 12 months have been reposts of ads for MIRhosting’s providers.
Mr. Zinad’s LinkedIn profile is filled with posts for MIRhosting’s providers.
A Google seek for Youssef Zinad reveals a number of startup-tracking web sites that checklist him because the founding father of the[.]internet hosting, which censys.io finds is hosted by PQ Internet hosting Plus S.R.L.
The Dutch Chamber of Commerce doc says WorkTitans’ sole shareholder is an organization in Almere, Netherlands referred to as Fezzy B.V. Who runs Fezzy? The telephone quantity listed in a Google seek for Fezzy B.V. — 31651079755 — additionally was used to register a Fb profile for a Youssef Zinad from the identical city, based on the breach monitoring service Constella Intelligence.
In a collection of electronic mail exchanges main as much as KrebsOnSecurity’s Might 2024 deep dive on Stark, Mr. Nesterenko included Mr. Zinad within the message thread ([email protected]), referring to him as a part of the corporate’s authorized crew. The Dutch web site stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s places of work in Almere. Mr. Zinad didn’t reply to requests for remark.
Given the above, it’s troublesome to argue with the Recorded Future report on Stark’s rebranding, which concluded that “the EU’s sanctioning of Stark Industries was largely ineffective, as affiliated infrastructure remained operational and providers had been quickly re-established underneath new branding, with no vital or lasting disruption.”
