Executive Summary and Provider Overview
Quick-Reference Attributes
| Common Names | Stark Industries Solutions Ltd; stark-industries[.]solutions; PQ Hosting; PQ Hosting Plus S.R.L.; THE.Hosting; the[.]hosting; WorkTitans B.V.; MIRhosting; WT Hosting; Misfits Media |
|---|---|
| Node Type | Bulletproof Hosting Provider |
| Status | Degraded — 800+ servers seized May 2026; two operators arrested; AS209847 (WorkTitans / THE.Hosting) still announcing 200+ prefixes as of 6 June 2026 |
| Entity Registration Jurisdiction | United Kingdom — Stark Industries Solutions Ltd (Companies House 13906017; 71-75 Shelton Street, London); Netherlands — WorkTitans B.V. (Hoge Bothofstraat 39, 7511 ZA Enschede); Moldova — PQ Hosting Plus S.R.L. |
| Infrastructure Hosting Jurisdiction | Netherlands (primary: Dronten, Enschede, Almere, Schiphol-Rijk); Moldova (secondary: PQ Hosting DCs) |
| Assessed Operator Location | Neculiti brothers: Moldova / EEA (not confirmed); Zinad: Amsterdam, Netherlands (arrested); Nesterenko: The Hague, Netherlands (arrested) |
| Active Period | February 10, 2022 to present (Stark entity); WorkTitans B.V. formed 2019; AS209847 active from June 24, 2025 |
| Primary ASNs | AS44477 — STARK-INDUSTRIES / PQ Hosting Plus S.R.L. (de-registered; announced=false as of June 2026); AS43624 — PQ Hosting, MD (de-registered; announced=false as of June 2026); AS209847 — THE WorkTitans B.V. (ACTIVE; 200+ prefixes announced as of June 2026) |
| Key IPv4 Ranges (AS209847) | 171.22.126.0/24; 171.22.127.0/24; 171.22.112.0/24; 171.22.113.0/24; 171.22.118.0/24; 171.22.131.0/24 (formerly in Stark /23 blocks; RIPE confirmed active June 2026) |
| RIPE Verification (June 2026) | AS44477: holder="" announced=false (de-registered). AS43624: holder="" announced=false (de-registered). AS209847: holder="THE WorkTitans B.V." announced=true. Source: RIPE NCC RIPEstat API, queried 6 June 2026. |
| Upstream Transit | MIRhosting (Almere, Netherlands) — physical colocation and transit to AMS-IX and DE-CIX Frankfurt. MIRhosting denied knowingly supporting illegal operations. |
| Sanctions | EU Council (RUSDA program): Stark Industries Solutions Ltd, Iurie Neculiti, Ivan Neculiti — 20 May 2025. PQ Hosting and PQ Hosting Plus S.R.L. included in related EU hybrid-threat sanctions package. |
| OFAC / UK FCDO | OFAC SDN: Not confirmed as of June 2026. UK OFSI / FCDO: EU-mirrored measures applied; independent UK listing not confirmed in open sources. |
| Primary Clients | NoName057(16) (DDoS / hacktivist); TAG-53 / Callisto / COLDRIVER-like cluster (credential harvesting); FIN7 (financial crime); LockBit, ALPHV/BlackCat, Qilin, Ursnif (ransomware/crimeware); RedLine Stealer and commodity RATs |
| State Nexus Tier | Probable Cooperation (Tier 3 of 4) |
| Corporate Shell Chain | Stark Industries Solutions Ltd (UK) owned by Neculiti brothers (Moldova); WorkTitans B.V. (NL) owned by Fezzy B.V. (Almere, NL); Fezzy B.V. linked to Zinad via phone number and email |
Overall Assessment
Stark Industries Solutions Ltd is a UK-registered, Russia-aligned bulletproof hosting provider that emerged two weeks before Russia's full-scale invasion of Ukraine in February 2022 and rapidly became "prime real estate" for Kremlin-linked cyberattacks and disinformation campaigns. Operated through a layered corporate structure by Moldovan brothers Iurie and Ivan Neculiti, with Dutch infrastructure managers Youssef Zinad and Andrey Nesterenko, Stark hosted credential-harvesting operations for Russian state-aligned espionage clusters, DDoS infrastructure for hacktivist group NoName057(16), and server capacity for major cybercrime groups including FIN7 and multiple ransomware ecosystems.
The provider demonstrated exceptional resilience against regulatory pressure. When EU sanctions were announced on 20 May 2025, the Neculiti brothers had already transferred AS44477 to a freshly-created RIPE organization (PQ Hosting Plus S.R.L.) on 16 May, migrated Russian infrastructure to UFO Hosting LLC as early as 10 April, and within weeks rebranded operations as THE.Hosting under Dutch entity WorkTitans B.V. with a new ASN (AS209847, created 24 June 2025). GreyNoise data confirmed a seamless migration of malicious activity between the two ASNs between August and November 2025, with virtually identical behavioral signatures, VPN profiles, and scanning patterns.
Dutch FIOD arrested Zinad and Nesterenko on 18 May 2026 and seized 800+ servers from five locations. Despite this, AS209847 remains active with over 200 prefixes still routing as of 6 June 2026, confirmed by direct RIPE NCC RIPEstat query. The Neculiti brothers remain at large and sanctioned. The overall assessment is Degraded: infrastructure substantially disrupted but not dismantled, with high reconstitution capacity demonstrated by prior rebranding behavior.
Lineage and Organizational Heritage
Brand and Entity Structure
| Brand / Entity | Type | Jurisdiction | Role | Active Window | Confidence |
|---|---|---|---|---|---|
| Stark Industries Solutions Ltd | UK Limited Company (Companies House 13906017) | United Kingdom | Primary branded entity; focal point of EU sanctions; front for Neculiti-controlled infrastructure | February 10, 2022 to present (sanctioned entity) | Confirmed |
| PQ Hosting / pq[.]hosting | Hosting service (Moldova) | Moldova | Early upstream and infrastructure partner; deeply intertwined with Stark from 2022; Neculiti-controlled | Pre-2022 through at least mid-2025; Moldovan DCs | Confirmed |
| PQ Hosting Plus S.R.L. | Moldovan company; RIPE org (ORG-PHPS1-RIPE) | Moldova | New RIPE organization created 13 May 2025 (7 days before EU sanctions); AS44477 transferred to it on 16 May 2025 as preemptive sanctions evasion | May 13, 2025 onward | Confirmed |
| WorkTitans B.V. | Dutch company (Hoge Bothofstraat 39, Enschede) | Netherlands | Post-sanctions corporate vehicle; held AS209847; presented as ostensibly separate hosting firm; sole shareholder is Fezzy B.V. (linked to Zinad); also traded as WT Hosting and Misfits Media | Formed 2019; active as BPH vehicle from ~May/June 2025 onward | Confirmed |
| THE.Hosting / the[.]hosting | Service brand | Netherlands | Rebranded service name post-sanctions; PQ.Hosting announced rebrand to THE.Hosting on 29 May 2025; inherits Stark infrastructure and clients | May 29, 2025 to present | Confirmed |
| MIRhosting | Dutch hosting/colocation operator (Almere) | Netherlands | Physical server operator and transit provider; provided colocation and high-capacity connectivity to AMS-IX (Amsterdam) and DE-CIX (Frankfurt); Nesterenko-associated; denied knowing of illegal operations | Active throughout 2022-2026 | Confirmed |
| UFO Hosting LLC | Russian hosting company (Moscow) | Russia | Russian infrastructure migrated from Stark to UFO Hosting LLC as early as 10 April 2025, ahead of EU sanctions; assessed as a parallel migration for Russia-located workloads | From April 2025 | Credible [SINGLE SOURCE: Recorded Future Insikt] |
| Fezzy B.V. | Dutch holding company (Almere) | Netherlands | Sole shareholder of WorkTitans B.V.; linked to Youssef Zinad via phone number (31651079755) and Facebook profile; corporate layer for Zinad's control of WorkTitans | Active | Confirmed |
Evidentiary Pillars for Lineage
Infrastructure continuity (CONFIRMED): GreyNoise Global Observation Grid data confirms a seamless migration of malicious activity from AS44477 (PQ Hosting Plus S.R.L.) to AS209847 (WorkTitans B.V.) between August and November 2025. The two ASNs share 24 VPN service signatures in common, with near-identical behavioral tags, JA4T hashes, scanning patterns, and geographic distribution. Recorded Future Insikt independently tracked prefix migration and client reappearance on AS209847.
Personnel continuity (CONFIRMED): EU and French sanctions registers identify Iurie and Ivan Neculiti as controlling both Stark Industries Solutions Ltd and PQ Hosting / PQ Hosting Plus via shared phone numbers and corporate records. KrebsOnSecurity documented that Nesterenko included Zinad in email correspondence as early as 2024, linking MIRhosting and WorkTitans to a shared operator circle. Dutch Chamber of Commerce records confirm WorkTitans' sole shareholder is Fezzy B.V., tied to Zinad.
Preemptive sanctions evasion (CONFIRMED): Insikt Group documents that the Neculiti brothers received advance notice of EU sanctions via leaked Moldovan and EU media reporting on 8-9 May 2025, 12 days before the official designation. Between April 10 and May 16, the network migrated Russian infrastructure to UFO Hosting, created ORG-PHPS1-RIPE (PQ Hosting Plus), and transferred AS44477 to the new organization. By the time sanctions landed, the infrastructure was already repositioned.
Disputed Assessments
No substantial public dispute exists about the core Stark / PQ / WorkTitans / MIRhosting lineage. The primary analytical disagreement in open sources concerns how deliberate the state nexus is (see Section 07) rather than whether these entities are linked. MIRhosting publicly denied knowingly supporting illegal operations, claiming it acted on abuse complaints; FIOD's charging theory rejects this framing by treating infrastructure provision to sanctioned entities as sufficient for sanctions violation regardless of stated intent.
Operator Profiles
2.1 Iurie (Iuri / Yuri) NECULITI
Aliases: Iurie Neculiti; Iuri Neculiti; Yuri Neculiti (variations across EU and French sanctions documents). No confirmed online handles or forum nicks in open sources [Intelligence Gap].
Role: CEO of Stark Industries Solutions Ltd; associated with PQ Hosting and PQ Hosting Plus S.R.L. through corporate records and sanctions findings.
Assessed nationality: Moldovan (EU sanctions materials; Moldovan company registration for PQ entities).
Assessed current location: Moldova or EEA region; not publicly confirmed post-sanctions.
Legal status: Sanctioned by EU Council (RUSDA program), 20 May 2025. Mirrored in Belgian, Latvian, French, and other national sanctions registries. No public indictment or arrest as of June 2026.
Designation basis: Providing web-hosting infrastructure used by Russian state-aligned threat actors to conduct cyberattacks, credential harvesting, and influence operations against EU and NATO-aligned targets including government, military, and critical infrastructure.
2.2 Ivan NECULITI
Role: Owner of Stark Industries Solutions Ltd; co-owner of PQ Hosting (Moldova).
Assessed nationality: Moldovan.
Assessed current location: Moldova or EEA region; not publicly confirmed.
Legal status: Sanctioned by EU Council (RUSDA program), 20 May 2025, jointly with Iurie. No public indictment or arrest as of June 2026.
Designation basis: Ownership and control of Stark Industries Solutions and PQ Hosting infrastructure used for cyberattacks and information operations aligned with Russian state interests.
2.3 Youssef ZINAD
Role: Director of WorkTitans B.V.; principal of Fezzy B.V.; linked to MIRhosting operations. Formed WorkTitans B.V. in 2019 using email [email protected].
Age / Location: 57, Amsterdam, Netherlands.
Legal status: Arrested 18 May 2026 by Dutch FIOD. Charged with violating EU sanctions by providing economic resources (hosting and connectivity) to sanctioned Stark-linked entities. Case ongoing; presumed innocent pending trial.
Designation basis: Not individually sanctioned at time of writing. Charged under Dutch sanctions law for infrastructure support to EU-sanctioned entities.
2.4 Andrey NESTERENKO
Role: Co-operator of hosting infrastructure linked to WorkTitans and MIRhosting. KrebsOnSecurity documented a 2024 email thread in which Nesterenko included Zinad in correspondence, establishing the Nesterenko-Zinad-MIRhosting-WorkTitans operational link.
Age / Location: 39, The Hague, Netherlands. Nationality not stated in English-language reporting.
Legal status: Arrested 18 May 2026 by Dutch FIOD. Charged with sanctions violations. Case ongoing; presumed innocent pending trial.
Designation basis: Charged for providing hosting capacity and connectivity to EU-sanctioned Stark-linked entities; not individually sanctioned as of June 2026.
Operational and Business Model
Service Model
Stark and its successor brands operated as high-risk, abuse-tolerant infrastructure providers offering VPS and dedicated servers with liberal abuse handling, high-volume bandwidth suitable for DDoS and C2, and optional "bulletproofing" via ASNs resistant to quick de-peering. The provider targeted clients requiring persistent infrastructure immune to abuse complaints, law enforcement requests, and network-level takedown.
Primary service categories: VPS/dedicated servers (Moldova and Netherlands DCs); high-bandwidth nodes for DDoS campaigns; proxy and VPN relay infrastructure; VM images deployable via ISPsystem's VMmanager (enabling rapid re-provisioning).
Verbatim Advertising Copy
Onboarding and Vetting
No detailed documentation of KYC or vetting procedures is available in open sources. Available evidence is consistent with open signup via website with minimal verification, the standard BPH posture. The concentration of high-end state-aligned and criminal actors suggests possible informal vetting for especially sensitive services (dedicated boxes, high-bandwidth nodes), but this is ANALYST INFERENCE, not directly evidenced.
Pricing and Service Tiers
Specific price tables and named service tiers are not captured in open sources. Stark's offerings appear in the mid-tier range compared to other BPHs on Russian-language forums, based on OWN-CERT's BPH landscape analysis. No historical price lists or archived website snapshots with pricing are available in the prioritized source set [Intelligence Gap].
Downstream Reseller Chain
Evidence points to downstream use of Stark / PQ / MIRhosting infrastructure via ISPsystem VMmanager installations, enabling third-party resellers to package and sell capacity. Sophos documents widely reused VM images associated with Stark infrastructure that served multiple criminal actors. Specific named reseller brands marketing Stark explicitly are not documented in open sources.
Abuse Handling and LE Posture
Phish.report and similar abuse services list STARK-INDUSTRIES-SOLUTIONS-AS, MD (AS43624) with standard abuse mailbox entries; however, CERT-EU and vendor reporting consistently notes that complaints resulted in slow or no action, consistent with bulletproof behavior. MIRhosting publicly claimed to act on abuse complaints; FIOD's May 2026 enforcement action rejected this as a defense against sanctions liability. The operator set's behavior across multiple rebrands (Stark to THE.Hosting to WorkTitans) demonstrates a consistently adversarial posture toward regulators and LE.
OPSEC and Support Channels
Stark's specific operational communications (Jabber, Telegram, ticketing portals) are not documented in open sources. A ticket-based support system via the stark-industries[.]solutions and later the[.]hosting portals is a reasonable inference from standard BPH operational models. No leaked chat logs or panel screenshots have appeared in the prioritized source set [Intelligence Gap].
Technical Capabilities and Infrastructure Footprint
ASN Summary
| ASN | Registered Name | Status (June 2026) | Notes |
|---|---|---|---|
| AS44477 | STARK-INDUSTRIES / PQ Hosting Plus S.R.L. (ORG-PHPS1-RIPE, created 13 May 2025) | De-registered | holder="" announced=false per RIPE NCC RIPEstat API, 6 June 2026. Originally Stark's primary ASN; transferred to PQ Hosting Plus S.R.L. on 16 May 2025, 4 days before EU sanctions. Malicious activity migrated to AS209847 by Nov 2025. |
| AS43624 | STARK-INDUSTRIES-SOLUTIONS-AS, MD (PQ Hosting, Moldova) | De-registered | holder="" announced=false per RIPE NCC RIPEstat API, 6 June 2026. Moldovan ASN with abuse contacts listed in phish.report. Now withdrawn. |
| AS209847 | THE WorkTitans B.V. | Active | holder="THE WorkTitans B.V." announced=true per RIPE NCC RIPEstat API, 6 June 2026. Created 24 June 2025. Still announcing 200+ IPv4 prefixes as of 6 June 2026, three weeks after FIOD arrests and server seizures. |
Representative IPv4 Ranges (AS209847, Active June 2026)
Direct RIPE NCC query of AS209847 on 6 June 2026 returned the following active /24 prefixes (non-exhaustive selection; 200+ total active prefixes confirmed):
| Prefix | Active as of | Note |
|---|---|---|
| 171.22.126.0/24 | 6 June 2026 | Formerly in Stark /23 block (171.22.126.0/23) |
| 171.22.127.0/24 | 6 June 2026 | Formerly in Stark /23 block |
| 171.22.112.0/24 | 6 June 2026 | WorkTitans range |
| 171.22.113.0/24 | 6 June 2026 | WorkTitans range |
| 171.22.118.0/24 | 6 June 2026 | WorkTitans range |
| 171.22.131.0/24 | 6 June 2026 | WorkTitans range |
| 45.12.109.0/24, 45.12.132.0/24, 45.12.133.0/24 | 6 June 2026 | 45.12.x ranges (multiple active) |
| 5.182.36.0/24, 5.182.37.0/24, 5.182.38.0/24 | 6 June 2026 | 5.182.x cluster |
| 185.234.56.0/24, 185.234.57.0/24, 185.234.58.0/24 | 6 June 2026 | 185.234.x cluster |
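
Added example (not part of the original report): one way to put the prefix table to defensive use is to merge the listed /24s into their covering blocks and match log addresses against them. The prefixes are copied from the table; the log format, the sample lines, and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Prefixes copied from the table above (AS209847, active 6 June 2026 per the report).
AS209847_PREFIXES = [
    "171.22.126.0/24", "171.22.127.0/24", "171.22.112.0/24",
    "171.22.113.0/24", "171.22.118.0/24", "171.22.131.0/24",
    "45.12.109.0/24", "45.12.132.0/24", "45.12.133.0/24",
    "5.182.36.0/24", "5.182.37.0/24", "5.182.38.0/24",
    "185.234.56.0/24", "185.234.57.0/24", "185.234.58.0/24",
]

# Constructed sample firewall log. The key=value layout and the host parts of
# the addresses are made up; adapt FIELD_RE to the real log source.
SAMPLE_LOG = """\
2026-06-06T10:00:01Z ALLOW src=10.0.0.5 dst=171.22.127.14 dport=443
2026-06-06T10:00:02Z DENY src=171.22.126.200 dst=10.0.0.9 dport=22
2026-06-06T10:00:03Z ALLOW src=10.0.0.7 dst=171.22.128.1 dport=443
2026-06-06T10:00:04Z DENY src=45.12.133.9 dst=10.0.0.9 dport=3389
2026-06-06T10:00:05Z ALLOW src=10.0.0.5 dst=2001:db8::1 dport=443
2026-06-06T10:00:06Z DENY src=5.182.38.77 dst=10.0.0.9 dport=22
2026-06-06T10:00:07Z DENY src=999.1.1.1 dst=10.0.0.9 dport=22
"""

FIELD_RE = re.compile(r"\b(src|dst)=(\S+)")


def build_watchlist(prefixes):
    """Parse the prefixes and merge adjacent ones into the smallest covering set.

    Adjacent, aligned /24s collapse into a /23 (171.22.126.0/24 plus
    171.22.127.0/24 give back the former Stark block 171.22.126.0/23).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def match_ip(text, watchlist):
    """Return the watchlist network containing `text`, or None.

    Malformed addresses and addresses of another IP version yield None
    rather than raising, so one bad log field does not stop the scan.
    """
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    for net in watchlist:
        if ip in net:
            return net
    return None


def scan_log(log_text, watchlist):
    """Yield one record per src/dst field that falls inside the watchlist."""
    hits = []
    for line in log_text.splitlines():
        for field, value in FIELD_RE.findall(line):
            net = match_ip(value, watchlist)
            if net is not None:
                hits.append({
                    "time": line.split()[0],
                    "field": field,          # "src" or "dst" as seen in the log
                    "ip": value,
                    "prefix": str(net),
                })
    return hits


def summarize(hits):
    """Count hits per (merged prefix, log field) for triage."""
    return Counter((h["prefix"], h["field"]) for h in hits)


if __name__ == "__main__":
    watchlist = build_watchlist(AS209847_PREFIXES)
    print("merged watchlist:", ", ".join(str(n) for n in watchlist))
    found = scan_log(SAMPLE_LOG, watchlist)
    for h in found:
        print(h["time"], h["field"], h["ip"], "in", h["prefix"])
    for (prefix, field), count in sorted(summarize(found).items()):
        print(f"{prefix} {field}: {count}")
```

The table is a non-exhaustive selection of the 200+ announced prefixes, so a miss here does not clear an address.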
Data Center Footprint
| Location | Entity | Role | Status |
|---|---|---|---|
| Dronten, Netherlands | MIRhosting / WorkTitans | Data center; servers seized in FIOD raid | Raided May 2026 |
| Schiphol-Rijk, Netherlands | MIRhosting / WorkTitans | Data center; servers seized in FIOD raid | Raided May 2026 |
| Enschede, Netherlands | WorkTitans B.V. (Hoge Bothofstraat 39) | Business address searched by FIOD | Raided May 2026 |
| Almere, Netherlands | Fezzy B.V. / MIRhosting | Business address searched by FIOD | Raided May 2026 |
| Moldova | PQ Hosting / PQ Hosting Plus | Moldovan DCs; core early infrastructure; status post-EU-sanctions unclear | Degraded (sanctions on PQ entities) |
Stark and its successor entities leased or colocated hardware via PQ Hosting, MIRhosting, and WorkTitans rather than owning datacenter real estate directly. MIRhosting provided physical servers and transit to AMS-IX (Amsterdam) and DE-CIX (Frankfurt) as the connectivity backbone.
Upstream Transit Chain
Phase 1 (2022 to mid-2025): PQ Hosting (Moldova) as primary upstream and infrastructure layer; Stark-branded ASNs (AS44477, AS43624) routed via PQ facilities.
Phase 2 (mid-2025 to present): MIRhosting (Almere, Netherlands) as primary colocation and transit provider for WorkTitans / THE.Hosting (AS209847), with high-capacity connections to AMS-IX and DE-CIX Frankfurt. MIRhosting served as the transport layer through which THE.Hosting traffic entered European internet infrastructure.
De-peering events: EU sanctions on PQ Hosting and PQ Hosting Plus (May 2025) triggered financial exclusion and forced migration of RIPE resources to new entities. AS44477 and AS43624 are now fully de-registered. No documented upstream de-peering events targeted AS209847 before the FIOD arrests, explaining its persistence post-sanctions. As of June 2026, AS209847 continues to route despite the May 2026 arrests.
RIPE abuse contacts: AS43624 (PQ Hosting, MD) listed standard NOC/abuse mailboxes per phish.report. AS209847 (WorkTitans) lists a Dutch address and abuse mailbox in its RIPE object; these were the formal complaint channels for Stark/THE.Hosting traffic after the sanctions rebrand.
Resilience Techniques
- ASN agility: Rapid migration of prefixes from Stark-labeled ASNs to AS209847 while preserving customer base and malicious activity profiles. The transfer of AS44477 to PQ Hosting Plus S.R.L. four days before sanctions was a documented preemptive maneuver.
- Multi-datacenter redundancy: Multiple Dutch facilities (Dronten, Enschede, Almere, Schiphol-Rijk) plus Moldovan facilities provided resilience against single-facility takedowns.
- Rebranding and shell layering: Serial use of Stark, PQ Hosting Plus, THE.Hosting / WorkTitans, with MIRhosting providing the physical layer; each rebrand inserted a new legal entity between the operator and the infrastructure.
- Preemptive intelligence: Demonstrated ability to receive advance warning of sanctions (via leaked EU media, May 2025) and execute infrastructure migration before formal designation.
- VM image standardization: Use of ISPsystem VMmanager installations to enable rapid re-provisioning of customer VMs across infrastructure, reducing the impact of node-level takedowns.
Hosted Activity Types
| Activity Type | Evidence | Confidence |
|---|---|---|
| Credential harvesting / phishing (state-aligned) | Recorded Future / Insikt: TAG-53 / Callisto / COLDRIVER-like cluster infrastructure hosted on Stark ASNs | Confirmed |
| DDoS / hacktivist infrastructure | CERT-EU briefs: NoName057(16) C2, staging, and propaganda sites | Confirmed |
| Ransomware C2 and staging | Sophos / OWN-CERT: LockBit, ALPHV/BlackCat, Qilin, Ursnif on widely reused Stark VM images | Confirmed |
| Financial crime infrastructure (FIN7) | Team Cymru / Silent Push: FIN7 credential-harvesting and fake corporate sites on Stark IPs | Confirmed |
| Commodity stealer / RAT C2 | Centripetal: RedLine Stealer and NetSupport RAT C2 on Stark ranges | Confirmed |
| VPN / proxy obfuscation nodes | TRM Labs; GreyNoise (24+ VPN service signatures on AS44477/AS209847) | Confirmed |
Blocklist Standing
| Blocklist | Status | Notes |
|---|---|---|
| Spamhaus SBL / CBL / XBL | Probable Listed | Vendor and CERT reporting confirms repeated listings for spam, malware C2, and abusive scanning on Stark-associated ranges. Specific SBL entry numbers and first-listing dates not publicly documented in prioritized source set. AS209847 continues to announce from the same IP space. [Intelligence Gap: complete historical listing table] |
| abuse.ch (Feodo, URLhaus, MalwareBazaar) | Probable Listed | Multiple individual IPs and domains resolving to Stark/WorkTitans ranges appear in abuse.ch feeds per Centripetal and vendor IOC reporting. Presented as IOC feeds rather than ASN-level narrative; no full enumeration available. |
| FireHOL level-1 / level-2 | Probable Listed | FireHOL high-risk ASN lists historically included PQ Hosting ranges; Stark-specific annotations not called out by name in available sources. |
Known Weaknesses Exploited
Dutch jurisdictional vulnerability: Concentrating physical infrastructure in Netherlands facilities created a jurisdictional exposure that FIOD leveraged in May 2026. Under Dutch sanctions law, providing economic resources (hosting, connectivity) to sanctioned entities constitutes a violation regardless of whether the provider claims ignorance of client identity. This enabled rack-level seizures, not just individual IP takedowns.
Limited operator set: Reliance on a small circle of operators (Neculiti brothers, Zinad, Nesterenko) and known corporate shells (Fezzy B.V., WorkTitans, MIRhosting) allowed sanctions packages to target overlapping individuals and companies, concentrating legal pressure even when technical impact was limited.
Shell company transparency: KrebsOnSecurity traced WorkTitans to Fezzy B.V. to Zinad through public Dutch Chamber of Commerce records and open-source OSINT on phone numbers. The shell structure was legally obfuscating but not operationally opaque.
Financial Infrastructure
Payment Methods
Direct evidence of Stark's payment interfaces is sparse in open sources, consistent with BPH operational security norms.
- Cryptocurrencies (CONFIRMED): GreyNoise and other vendors explicitly list crypto payments as part of Stark's offering. Post-sanctions, crypto is the dominant plausible channel given financial exclusion from EU banking.
- Traditional bank / card payments: Not documented in available sources. EU sanctions effectively cut Stark and PQ entities off from formal EU financial systems from May 2025 onward.
Wallet Clusters and On-Chain Analysis
Three-Phase Laundering Model
The three-phase laundering pattern (acquisition, layering, extraction) cannot be reconstructed from open sources given the absence of wallet IOCs. This remains a significant intelligence gap that limits financial disruption options (OFAC wallet designation, exchange-level blocking).
Sanctions and Risk Ratings
| Authority | Entity / Individual | Designation Date | Program | Status |
|---|---|---|---|---|
| EU Council | Stark Industries Solutions Ltd | 20 May 2025 | RUSDA (Russia destabilizing actions) | Active |
| EU Council | Iurie Neculiti | 20 May 2025 | RUSDA | Active |
| EU Council | Ivan Neculiti | 20 May 2025 | RUSDA | Active |
| EU Council | PQ Hosting; PQ Hosting Plus S.R.L. | 20 May 2025 | RUSDA | Active |
| National mirrors (BE, LV, FR, others) | All of the above | May 2025 | EU mirror | Active |
| OFAC (US Treasury) | Stark entities / operators | N/A | N/A | Not confirmed on SDN list as of June 2026 |
| UK OFSI / FCDO | Stark entities / operators | N/A | N/A | EU-mirrored measures applied; independent UK listing not confirmed in open sources as of June 2026 |
TRM Labs and other risk-rating vendors classify Stark as a high-risk "hybrid threat infrastructure" entity, but specific VASP-level risk scores are not public.
Client Profile and Hosted Operations
Crimeware Verticals by Evidence Tier
| Client Vertical | Evidence | Tier 1 Hosting | Tier 2 Operational |
|---|---|---|---|
| Russia-aligned APT / Espionage: TAG-53 / Callisto / COLDRIVER-like cluster | Recorded Future Insikt: credential-harvesting and phishing infrastructure hosted on Stark ASNs; technical infrastructure overlap (ASNs, domains) | Confirmed | Credible |
| Pro-Russian Hacktivist / DDoS: NoName057(16) and related fronts | CERT-EU briefs (CB24-06, CB25-10): IP/ASN overlap, campaign timing and targeting patterns; De Volkskrant (May 2026) links WorkTitans to NoName057(16) DDoS attacks | Confirmed | Credible |
| Ransomware Ecosystems: LockBit, ALPHV/BlackCat, Qilin, Ursnif | Sophos: widely reused Stark-heavy VM images; OWN-CERT: BPH landscape placing Stark-type hosts; NetSupport RAT and Ursnif observed on Stark ranges | Confirmed | Analyst Inference |
| High-End Financial Crime: FIN7 | Team Cymru: Stark-assigned IPs hosting FIN7 credential-harvesting and fake corporate sites; Silent Push Year-in-Review referencing Stark infrastructure | Confirmed | Analyst Inference [SINGLE SOURCE: primarily Team Cymru / Silent Push] |
| Commodity Stealers / RATs: RedLine Stealer, NetSupport RAT | Centripetal: RedLine and NetSupport RAT C2 on Stark ranges | Confirmed | Analyst Inference |
Client Geography
Client infrastructure concentrated in Moldova and Netherlands IP ranges, but used to target EU, UK, US, and Ukrainian entities. No evidence of a CIS exclusion zone, consistent with a provider serving Russian state-aligned actors targeting outward rather than protecting domestic interests. Campaign targeting patterns documented in CERT-EU confirm EU and NATO-aligned government, military, energy, and democratic institutions as primary targets.
Notable Hosted Cases
EU/UK hybrid threat sanctions package (May 2025): Stark cited as a key enabler of Russian cyber and information operations in the RUSDA sanctions package. Underlying EU designation narratives summarized in TRM Labs and Cyfluence highlight use for campaigns against military, energy, logistics, and democratic institutions, though the full technical annex is not public.
Dutch FIOD enforcement action (May 2026): 800+ servers used by Russian-aligned cyberattack and disinformation operations seized from five locations. FIOD and De Volkskrant explicitly linked the seized infrastructure to Stark / WorkTitans / MIRhosting and to NoName057(16) DDoS operations against Danish infrastructure.
State Nexus Assessment
Assessed Tier: Probable Cooperation (Tier 3 of 4)
Evidence supports more than tolerated safe harbor. The EU sanctions designation explicitly states that Stark "enabled Russian state-sponsored cyber operations" including information manipulation, cyberattacks, and destabilizing hybrid activities. CTI reporting shows systematic and repeated hosting of infrastructure for Russia-aligned APT and influence clusters, not merely generic cybercrime. The emergence of the provider two weeks before Russia's February 2022 invasion, the consistent alignment of hosted operations with Russian state objectives (targeting NATO democracies, Ukrainian entities, EU critical infrastructure), and the use by TAG-53 / Callisto / COLDRIVER-like clusters (assessed FSB-linked by multiple vendors) collectively support probable cooperation.
Tier 4 (Direct Control) is not justified: no public leaks, court documents, or technical evidence show direct FSB/GRU tasking, payment flows to Stark operators from Russian state actors, or shared infrastructure administration accounts between Stark and Russian state agencies.
Evidence Supporting Probable Cooperation
- EU Council RUSDA designation language: "enabling Russian state-sponsored cyber operations and information manipulation" — this exceeds the language typically used for tolerated-safe-harbor assessments.
- Systematic co-location of state-aligned espionage clusters (TAG-53 / COLDRIVER) and hacktivist infrastructure (NoName057(16)) on the same ASNs, suggesting deliberate client selection or at minimum willful blindness.
- Emergence timing: provider formed February 10, 2022, two weeks before Russia's full-scale invasion, suggesting anticipatory infrastructure preparation aligned with Russian operational planning.
- Rapid, orderly sanctions preemption (April-May 2025) requiring advance intelligence about EU regulatory actions, suggesting access to information channels beyond public media.
Negative Evidence
- No public court documents or leaked communications showing direct FSB/GRU tasking of Stark operators.
- No technical evidence of shared administrative accounts between Stark infrastructure and Russian state agencies.
- No confirmed payments from Russian state entities to Neculiti brothers or associated companies in open sources.
- Both arrested operators (Zinad, Nesterenko) are Netherlands-based, not Russian nationals; their charging is under sanctions law, not espionage or state-directed cyber statutes.
Jurisdictional Separation
Law Enforcement and Regulatory Response
Sanctions and Policy Actions
| Date | Action | Authority | Targets |
|---|---|---|---|
| 20 May 2025 | EU Council sanctions (RUSDA program) | European Union | Stark Industries Solutions Ltd; Iurie Neculiti; Ivan Neculiti; PQ Hosting; PQ Hosting Plus S.R.L. |
| May 2025 | National mirror measures | Belgium, Latvia, France, and other EU member states | Mirror of EU RUSDA designations; all entities listed as "Active" in national registries |
| June 2026 | OFAC SDN | United States (OFAC) | Not confirmed on SDN list as of this writing |
| June 2026 | UK OFSI / FCDO | United Kingdom | EU-mirrored measures applied; independent UK-only designation not confirmed |
Indictments, Arrests, and Charges
Netherlands (FIOD), 18 May 2026: Dutch fiscal intelligence and investigation service (FIOD) arrested Youssef Zinad (57, Amsterdam) and Andrey Nesterenko (39, The Hague) following a multi-location enforcement operation. FIOD conducted raids at three business addresses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. Seized: 800+ servers, laptops, phones, and administrative records.
Charges proceed under Dutch sanctions law (not pure cybercrime statutes): the suspects are alleged to have indirectly provided economic resources to Russian and Belarusian entities sanctioned by the EU, with the infrastructure assessed to have supported Russian Federation activity undermining democracy and security through cyberattacks, foreign interference, and disinformation. Cases are ongoing; both individuals are presumed innocent pending trial.
The Neculiti brothers have not been indicted, arrested, or charged in any jurisdiction as of June 2026.
Infrastructure Seizures and Takedowns
2024 (preliminary action): Dutch authorities confiscated several hundred servers during earlier enforcement actions against WorkTitans-linked infrastructure prior to the May 2026 raids. Specifics not fully documented in open sources.
May 18-22, 2026 (main FIOD action): 800+ servers seized from Dronten and Schiphol-Rijk data centers and three business addresses. This represents the largest single enforcement action against Stark-linked infrastructure to date.
Post-Disruption Client Migration
After EU sanctions (May 2025): Recorded Future and GreyNoise confirm near-immediate migration of malicious activity from AS44477 (PQ Hosting Plus) to AS209847 (WorkTitans / THE.Hosting) with minimal downtime, strong IOC continuity, and near-identical behavioral profiles. Clients experienced no apparent operational disruption.
After FIOD 2026 raids: Full migration patterns are still emerging as of June 2026. AS209847 remains active with 200+ prefixes three weeks after the arrests (confirmed by RIPE data). Some operations likely shifted to alternative Russia-aligned BPHs; others may remain on surviving WorkTitans infrastructure. The complete post-2026 picture remains an intelligence gap.
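One way to measure the prefix continuity described above and to find predecessor space worth watching for re-announcement, as an added example that is not from the original report or any cited vendor. The AS209847 prefixes are the six listed on this page; the AS44477 snapshot, the function names, and the tag strings are constructed assumptions.

```python
import ipaddress

# AS209847 prefixes listed on this page (RIPE-confirmed active, June 2026).
AS209847_NOW = ["171.22.126.0/24", "171.22.127.0/24", "171.22.112.0/24",
                "171.22.113.0/24", "171.22.118.0/24", "171.22.131.0/24"]

# CONSTRUCTED pre-migration snapshot for AS44477. The page says the /24s were
# "formerly in Stark /23 blocks" without listing them, so these covering /23s
# are assumptions; 198.51.100.0/24 is a documentation range standing in for a
# predecessor prefix with no successor announcement.
AS44477_BEFORE = ["171.22.126.0/23", "171.22.112.0/23", "171.22.118.0/23",
                  "171.22.130.0/23", "198.51.100.0/24"]

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def continuity(old, new):
    """Map each successor prefix to the predecessor prefix covering it, or None."""
    old_nets = _nets(old)
    return {str(n): next((str(o) for o in old_nets if n.subnet_of(o)), None)
            for n in _nets(new)}

def unclaimed(old, new):
    """Predecessor space the successor has NOT re-announced (watch for reuse)."""
    left = []
    for block in _nets(old):
        pieces = [block]
        for n in _nets(new):
            nxt = []
            for p in pieces:
                if not n.overlaps(p):
                    nxt.append(p)                     # untouched by this prefix
                elif not p.subnet_of(n):
                    nxt.extend(p.address_exclude(n))  # carve out the re-announced part
                # else: p is fully re-announced, drop it
            pieces = nxt
        left.extend(pieces)
    return [str(n) for n in ipaddress.collapse_addresses(left)]

def classify(ip, old=AS44477_BEFORE, new=AS209847_NOW):
    """Tag a log source IP against both snapshots (IPv4 only here)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(new)):
        return "AS209847-active"
    if any(addr in n for n in _nets(unclaimed(old, new))):
        return "AS44477-legacy-unclaimed"
    return None
```

In practice both snapshots would come from dated routing-table exports; the `unclaimed` output is the space to monitor for a new origin ASN.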
Impact Assessment
Short-term impact: Noticeable but temporary reduction in malicious traffic from seized IP ranges; some campaigns paused or retooled infrastructure. The 2026 physical server seizure removes hardware, which has a higher reconstitution cost than a legal entity rebrand.
Medium-term impact: Limited. Prior behavior demonstrates high substitution capacity. The operator's documented ability to pre-position infrastructure before enforcement suggests additional shell entities or alternative upstreams may already exist. AS209847 remaining active three weeks post-arrest indicates the infrastructure layer is not fully dependent on Zinad and Nesterenko's continued freedom.
Structural impact: The arrests of two Netherlands-based operators and the seizure of server hardware represent a meaningful escalation above the purely sanctions-based pressure applied in 2025. However, the primary operators (Neculiti brothers) remain at large: they are sanctioned, but are in jurisdictions (Moldova, possibly Russia) that have not extradited or arrested them.
Connected Groups and Ecosystem Relationships
Trajectory Assessment
Infrastructure Churn and Market Position
Stark / WorkTitans / THE.Hosting is best characterized as a major backbone provider in the Russia-aligned hybrid threat ecosystem, not a niche host. Its recurring appearance across high-profile CTI, the RUSDA sanctions package, and the FIOD enforcement action places it among the most extensively documented BPH operators in Europe. The breadth of hosted activity (state-aligned APT, hacktivist DDoS, ransomware, financial crime) indicates a provider serving the full spectrum of Russian-aligned threat actors rather than a speciality niche.
Disruption History
Trajectory Direction
Status: Degraded but Resilient. The FIOD 2026 server seizure represents the most impactful enforcement action against this ecosystem to date, removing physical hardware rather than merely imposing legal sanctions. However, the continued activity of AS209847 three weeks post-arrest indicates the infrastructure layer is not fully dependent on the arrested Dutch operators. The Neculiti brothers remain the assessed principals of the broader Neculiti-controlled network and have not faced arrest, prosecution, or extradition.
The pattern to date (2022-2026) demonstrates a provider with high reconstitution capacity: each disruption (sanctions, preliminary server seizures) has been followed within weeks by a functional rebrand. The 2026 FIOD action is more severe due to physical seizure, but the Neculiti-controlled corporate structure provides multiple reconstitution pathways.
Intelligence Gaps (Mandatory)
Where Stark/WorkTitans clients will consolidate after May 2026 Dutch seizures; whether a new successor brand or ASN emerges under Neculiti control. Events too recent; no follow-up migration analysis published as of June 2026. Close with: future CERT-EU briefs, GreyNoise ASN-level anomaly monitoring, vendor IOC feed divergence analysis.
Exact Stark ad texts on XSS/Exploit.in, including specific claims about abuse tolerance, no-logs policies, and accepted use cases. CTI write-ups summarize behavior rather than reproduce forum posts. Close with: historical XSS/Exploit screenshots, vendor collections of BPH ads, or forum leaks.
No cryptocurrency wallets or on-chain flows attributed to Stark operators or entities in public sources. Limits financial disruption options (OFAC wallet designation, exchange-level blocking). Close with: TRM Labs or Chainalysis entity-specific analysis behind customer portals; law enforcement blockchain tracing disclosures.
No pseudonymous handles for Neculiti brothers on forums or chat platforms identified in open sources. Internal panel screenshots and support portal URLs not leaked. Close with: forum intelligence, law enforcement document disclosures, or leaked support panel dumps.
Exact dates and ranges of Spamhaus SBL/CBL/XBL/PBL listings, abuse.ch Feodo/URLhaus/MalwareBazaar listing history, and FireHOL entries by ASN. Public sources mention repeated listings without full timeline. Close with: direct DNSBL query of AS44477, AS43624, AS209847 IP blocks with historical snapshots; Spamhaus AS-level data.
No confirmed price tables or named tiers for Stark or THE.Hosting. Close with: archived copies of stark-industries[.]solutions and the[.]hosting websites; criminal forum sales threads.
Whether OFAC has placed Stark entities on the SDN list, and whether UK OFSI has issued independent (non-EU-mirrored) designations, is unconfirmed as of June 2026. Close with: direct OFAC SDN list search; UK OFSI consolidated list search.
Precise residence of Iurie and Ivan Neculiti post-sanctions; whether any jurisdiction has issued arrest warrants, requested extradition, or begun criminal proceedings beyond EU sanctions. Close with: Moldovan law enforcement disclosures; EU criminal cooperation channels; investigative journalism.