A network of Russian hackers, including a well-known pianist, has been exposed in the Netherlands — Bloomberg
A large-scale operation against cybercriminals was carried out in the Netherlands. Law enforcement officials seized approximately 800 servers which, according to the investigation, were used to launch attacks on government and banking resources in Europe. It is also reported that a suspect was arrested as part of the operation.
This was reported by Bloomberg.
Last week, law enforcement officials raided two Dutch data centers. Approximately 800 servers belonging to the companies WorkTitans and MIRhosting were seized—they had been leasing the equipment to entities linked to Russian hackers.
According to the investigation, the actual beneficiaries were two Moldovan brothers—Yuriy and Ivan Nekuliti—who were added to the EU sanctions list in 2025 for assisting Russian state-sponsored hackers.
Two individuals were detained as part of the operation:
Yousef Zinad—owner of WorkTitans;
Andrei Nesterenko—founder of MIRhosting, a 39-year-old Russian citizen residing in the Netherlands. He is also known as a concert pianist and winner of music competitions.
On LinkedIn, Nesterenko acknowledged that he had previously collaborated with one of the Nekulita brothers but claims he ceased contact after sanctions were imposed. His company denies any wrongdoing—allegedly noticing nothing suspicious on its own network. WorkTitans declined to comment.
The seized servers are linked to the Russian hacking group NoName057(16), which Europol accuses of mass attacks on government websites and banking services. The group specializes in DDoS attacks—overloading websites with traffic until they crash completely.
Notable incidents include attacks on Danish government organizations last November and a Christmas attack on the French postal service, which caused massive delays in package delivery.
According to the U.S. Department of Justice, NoName057(16) is a covert project involving employees of the Kremlin-backed Center for Monitoring the Youth Environment. The group maintained a daily ranking of DDoS attacks and rewarded the most active volunteers with cryptocurrency.
Experts note that the group relies heavily on servers in Western countries, making it vulnerable to police operations. Last year, European investigators seized about 100 NoName057(16) servers—yet the group continued its activities.
As a reminder, the Russian hacking group Fancy Bear, which is linked to Russian military intelligence, hacked over 280 email accounts belonging to government and military institutions in NATO countries and the Balkans.
Prior to this, hackers gained access to data from the booking website Booking.com, the company reported. The attackers were able to obtain information about customer bookings, and some users received emails on Sunday notifying them of a possible data breach.
