EDP / BPH Providers / Stark Industries Solutions / THE.Hosting / WorkTitans
Stark Industries Solutions / THE.Hosting / WorkTitans
Russia-aligned bulletproof hosting brand cluster // UK-registered, Moldova/Netherlands-hosted // Active February 2022 to present; core operators arrested May 2026
Degraded

Executive Summary and Provider Overview

Sanctioned and Arrested Operators — Escalated Module
Iurie (Iuri / Yuri) NECULITI
CEO, Stark Industries Solutions Ltd
Nationality: Moldovan (assessed)
Location: Moldova / EEA (not publicly confirmed)
Role: CEO of Stark Industries Solutions Ltd; associated with PQ Hosting and PQ Hosting Plus S.R.L. via corporate records
Legal status: Sanctioned; no indictment or arrest reported
EU RUSDA — 20 May 2025
Ivan NECULITI
Owner, Stark Industries Solutions Ltd
Nationality: Moldovan (assessed)
Location: Moldova / EEA (not publicly confirmed)
Role: Owner of Stark Industries Solutions Ltd; co-owner of PQ Hosting (Moldova)
Legal status: Sanctioned; no indictment or arrest reported
EU RUSDA — 20 May 2025
Youssef ZINAD
Director, WorkTitans B.V. / THE.Hosting
Age / Location: 57, Amsterdam, Netherlands
Corporate links: Formed WorkTitans B.V. in 2019 (y.zinad@worktitans.nl); linked to Fezzy B.V. (sole shareholder of WorkTitans) and MIRhosting
Legal status: Arrested 18 May 2026 by Dutch FIOD; charged with sanctions violations; case ongoing
ARRESTED — FIOD, 18 May 2026
Andrey NESTERENKO
Co-operator, MIRhosting / WorkTitans infrastructure
Age / Location: 39, The Hague, Netherlands
Corporate links: Managed hosting infrastructure linked to WorkTitans and MIRhosting; email thread with Zinad documented by KrebsOnSecurity (2024)
Legal status: Arrested 18 May 2026 by Dutch FIOD; charged with sanctions violations; case ongoing
ARRESTED — FIOD, 18 May 2026
Degraded
Operational Status
AS209847
Active Successor ASN
200+
Prefixes Active (Jun 2026)
800+
Servers Seized (May 2026)
4
Named Operators
EU RUSDA
Sanctions Authority
Feb 2022
Founded
Probable Listed
Spamhaus Status

Quick-Reference Attributes

Common NamesStark Industries Solutions Ltd; stark-industries[.]solutions; PQ Hosting; PQ Hosting Plus S.R.L.; THE.Hosting; the[.]hosting; WorkTitans B.V.; MIRhosting; WT Hosting; Misfits Media
Node TypeBulletproof Hosting Provider
StatusDegraded — 800+ servers seized May 2026; two operators arrested; AS209847 (WorkTitans / THE.Hosting) still announcing 200+ prefixes as of 6 June 2026
Entity Registration JurisdictionUnited Kingdom — Stark Industries Solutions Ltd (Companies House 13906017; 71-75 Shelton Street, London); Netherlands — WorkTitans B.V. (Hoge Bothofstraat 39, 7511 ZA Enschede); Moldova — PQ Hosting Plus S.R.L.
Infrastructure Hosting JurisdictionNetherlands (primary: Dronten, Enschede, Almere, Schiphol-Rijk); Moldova (secondary: PQ Hosting DCs)
Assessed Operator LocationNeculiti brothers: Moldova / EEA (not confirmed); Zinad: Amsterdam, Netherlands (arrested); Nesterenko: The Hague, Netherlands (arrested)
Active PeriodFebruary 10, 2022 to present (Stark entity); WorkTitans B.V. formed 2019; AS209847 active from June 24, 2025
Primary ASNsAS44477 — STARK-INDUSTRIES / PQ Hosting Plus S.R.L. (de-registered; announced=false as of June 2026); AS43624 — PQ Hosting, MD (de-registered; announced=false as of June 2026); AS209847 — THE WorkTitans B.V. (ACTIVE; 200+ prefixes announced as of June 2026)
Key IPv4 Ranges (AS209847)171.22.126.0/24; 171.22.127.0/24; 171.22.112.0/24; 171.22.113.0/24; 171.22.118.0/24; 171.22.131.0/24 (formerly in Stark /23 blocks; RIPE confirmed active June 2026)
RIPE Verification (June 2026)AS44477: holder="" announced=false (de-registered). AS43624: holder="" announced=false (de-registered). AS209847: holder="THE WorkTitans B.V." announced=true. Source: RIPE NCC RIPEstat API, queried 6 June 2026.
Upstream TransitMIRhosting (Almere, Netherlands) — physical colocation and transit to AMS-IX and DE-CIX Frankfurt. MIRhosting denied knowingly supporting illegal operations.
SanctionsEU Council (RUSDA program): Stark Industries Solutions Ltd, Iurie Neculiti, Ivan Neculiti — 20 May 2025. PQ Hosting and PQ Hosting Plus S.R.L. included in related EU hybrid-threat sanctions package.
OFAC / UK FCDOOFAC SDN: Not confirmed as of June 2026. UK OFSI / FCDO: EU-mirrored measures applied; independent UK listing not confirmed in open sources.
Primary ClientsNoName057(16) (DDoS / hacktivist); TAG-53 / Callisto / COLDRIVER-like cluster (credential harvesting); FIN7 (financial crime); LockBit, ALPHV/BlackCat, Qilin, Ursnif (ransomware/crimeware); RedLine Stealer and commodity RATs
State Nexus TierProbable Cooperation (Tier 3 of 4)
Corporate Shell ChainStark Industries Solutions Ltd (UK) owned by Neculiti brothers (Moldova); WorkTitans B.V. (NL) owned by Fezzy B.V. (Almere, NL); Fezzy B.V. linked to Zinad via phone number and email

Overall Assessment

Stark Industries Solutions Ltd is a UK-registered, Russia-aligned bulletproof hosting provider that emerged two weeks before Russia's full-scale invasion of Ukraine in February 2022 and rapidly became "prime real estate" for Kremlin-linked cyberattacks and disinformation campaigns. Operated through a layered corporate structure by Moldovan brothers Iurie and Ivan Neculiti, with Dutch infrastructure managers Youssef Zinad and Andrey Nesterenko, Stark hosted credential-harvesting operations for Russian state-aligned espionage clusters, DDoS infrastructure for hacktivist group NoName057(16), and server capacity for major cybercrime groups including FIN7 and multiple ransomware ecosystems.

The provider demonstrated exceptional resilience against regulatory pressure. When EU sanctions were announced on 20 May 2025, the Neculiti brothers had already transferred AS44477 to a freshly-created RIPE organization (PQ Hosting Plus S.R.L.) on 16 May, migrated Russian infrastructure to UFO Hosting LLC as early as 10 April, and within weeks rebranded operations as THE.Hosting under Dutch entity WorkTitans B.V. with a new ASN (AS209847, created 24 June 2025). GreyNoise data confirmed a seamless migration of malicious activity between the two ASNs between August and November 2025, with virtually identical behavioral signatures, VPN profiles, and scanning patterns.

As of June 2026, Dutch FIOD arrested Zinad and Nesterenko on 18 May 2026 and seized 800+ servers from five locations. Despite this, AS209847 remains active with over 200 prefixes still routing as of 6 June 2026, confirmed by direct RIPE NCC RIPEstat query. The Neculiti brothers remain at large and sanctioned. The overall assessment is Degraded: infrastructure substantially disrupted but not dismantled, with high reconstitution capacity demonstrated by prior rebranding behavior.

Lineage and Organizational Heritage

Brand and Entity Structure

Brand / EntityTypeJurisdictionRoleActive WindowConfidence
Stark Industries Solutions LtdUK Limited Company (Companies House 13906017)United KingdomPrimary branded entity; focal point of EU sanctions; front for Neculiti-controlled infrastructureFebruary 10, 2022 to present (sanctioned entity)Confirmed
PQ Hosting / pq[.]hostingHosting service (Moldova)MoldovaEarly upstream and infrastructure partner; deeply intertwined with Stark from 2022; Neculiti-controlledPre-2022 through at least mid-2025; Moldovan DCsConfirmed
PQ Hosting Plus S.R.L.Moldovan company; RIPE org (ORG-PHPS1-RIPE)MoldovaNew RIPE organization created 13 May 2025 (7 days before EU sanctions); AS44477 transferred to it on 16 May 2025 as preemptive sanctions evasionMay 13, 2025 onwardConfirmed
WorkTitans B.V.Dutch company (Hoge Bothofstraat 39, Enschede)NetherlandsPost-sanctions corporate vehicle; held AS209847; presented as ostensibly separate hosting firm; sole shareholder is Fezzy B.V. (linked to Zinad); also traded as WT Hosting and Misfits MediaFormed 2019; active as BPH vehicle from ~May/June 2025 onwardConfirmed
THE.Hosting / the[.]hostingService brandNetherlandsRebranded service name post-sanctions; PQ.Hosting announced rebrand to THE.Hosting on 29 May 2025; inherits Stark infrastructure and clientsMay 29, 2025 to presentConfirmed
MIRhostingDutch hosting/colocation operator (Almere)NetherlandsPhysical server operator and transit provider; provided colocation and high-capacity connectivity to AMS-IX (Amsterdam) and DE-CIX (Frankfurt); Nesterenko-associated; denied knowing of illegal operationsActive throughout 2022-2026Confirmed
UFO Hosting LLCRussian hosting company (Moscow)RussiaRussian infrastructure migrated from Stark to UFO Hosting LLC as early as 10 April 2025, ahead of EU sanctions; assessed as a parallel migration for Russia-located workloadsFrom April 2025Credible [SINGLE SOURCE: Recorded Future Insikt]
Fezzy B.V.Dutch holding company (Almere)NetherlandsSole shareholder of WorkTitans B.V.; linked to Youssef Zinad via phone number (31651079755) and Facebook profile; corporate layer for Zinad's control of WorkTitansActiveConfirmed

Evidentiary Pillars for Lineage

Infrastructure continuity (CONFIRMED): GreyNoise Global Observation Grid data confirms a seamless migration of malicious activity from AS44477 (PQ Hosting Plus S.R.L.) to AS209847 (WorkTitans B.V.) between August and November 2025. The two ASNs share 24 VPN service signatures in common, with near-identical behavioral tags, JA4T hashes, scanning patterns, and geographic distribution. Recorded Future Insikt independently tracked prefix migration and client reappearance on AS209847.

Personnel continuity (CONFIRMED): EU and French sanctions registers identify Iurie and Ivan Neculiti as controlling both Stark Industries Solutions Ltd and PQ Hosting / PQ Hosting Plus via shared phone numbers and corporate records. KrebsOnSecurity documented that Nesterenko included Zinad in email correspondence as early as 2024, linking MIRhosting and WorkTitans to a shared operator circle. Dutch Chamber of Commerce records confirm WorkTitans' sole shareholder is Fezzy B.V., tied to Zinad.

Preemptive sanctions evasion (CONFIRMED): Insikt Group documents the Neculiti brothers received advance notice of EU sanctions via leaked Moldovan and EU media reporting on 8-9 May 2025, 12 days before the official designation. Between April 10 and May 16, the network migrated Russian infrastructure to UFO Hosting, created ORG-PHPS1-RIPE (PQ Hosting Plus), and transferred AS44477 to the new organization. By the time sanctions landed, the infrastructure was already repositioned.

Disputed Assessments

No substantial public dispute exists about the core Stark / PQ / WorkTitans / MIRhosting lineage. The primary analytical disagreement in open sources concerns how deliberate the state nexus is (see Section 07) rather than whether these entities are linked. MIRhosting publicly denied knowingly supporting illegal operations, claiming it acted on abuse complaints; FIOD's charging theory rejects this framing by treating infrastructure provision to sanctioned entities as sufficient for sanctions violation regardless of stated intent.

Operator Profiles

2.1 Iurie (Iuri / Yuri) NECULITI

Aliases: Iurie Neculiti; Iuri Neculiti; Yuri Neculiti (variations across EU and French sanctions documents). No confirmed online handles or forum nicks in open sources [Intelligence Gap].

Role: CEO of Stark Industries Solutions Ltd; associated with PQ Hosting and PQ Hosting Plus S.R.L. through corporate records and sanctions findings.

Assessed nationality: Moldovan (EU sanctions materials; Moldovan company registration for PQ entities).

Assessed current location: Moldova or EEA region; not publicly confirmed post-sanctions.

Legal status: Sanctioned by EU Council (RUSDA program), 20 May 2025. Mirrored in Belgian, Latvian, French, and other national sanctions registries. No public indictment or arrest as of June 2026.

Designation basis: Providing web-hosting infrastructure used by Russian state-aligned threat actors to conduct cyberattacks, credential harvesting, and influence operations against EU and NATO-aligned targets including government, military, and critical infrastructure.

2.2 Ivan NECULITI

Role: Owner of Stark Industries Solutions Ltd; co-owner of PQ Hosting (Moldova).

Assessed nationality: Moldovan.

Assessed current location: Moldova or EEA region; not publicly confirmed.

Legal status: Sanctioned by EU Council (RUSDA program), 20 May 2025, jointly with Iurie. No public indictment or arrest as of June 2026.

Designation basis: Ownership and control of Stark Industries Solutions and PQ Hosting infrastructure used for cyberattacks and information operations aligned with Russian state interests.

2.3 Youssef ZINAD

Role: Director of WorkTitans B.V.; principal of Fezzy B.V.; linked to MIRhosting operations. Formed WorkTitans B.V. in 2019 using email y.zinad@worktitans.nl.

Age / Location: 57, Amsterdam, Netherlands.

Legal status: Arrested 18 May 2026 by Dutch FIOD. Charged with violating EU sanctions by providing economic resources (hosting and connectivity) to sanctioned Stark-linked entities. Case ongoing; presumed innocent pending trial.

Designation basis: Not individually sanctioned at time of writing. Charged under Dutch sanctions law for infrastructure support to EU-sanctioned entities.

2.4 Andrey NESTERENKO

Role: Co-operator of hosting infrastructure linked to WorkTitans and MIRhosting. Documented in 2024 KrebsOnSecurity email thread that included Zinad in correspondence, establishing the Nesterenko-Zinad-MIRhosting-WorkTitans operational link.

Age / Location: 39, The Hague, Netherlands. Nationality not stated in English-language reporting.

Legal status: Arrested 18 May 2026 by Dutch FIOD. Charged with sanctions violations. Case ongoing; presumed innocent pending trial.

Designation basis: Charged for providing hosting capacity and connectivity to EU-sanctioned Stark-linked entities; not individually sanctioned as of June 2026.

Operational and Business Model

Service Model

Stark and its successor brands operated as high-risk, abuse-tolerant infrastructure providers offering VPS and dedicated servers with liberal abuse handling, high-volume bandwidth suitable for DDoS and C2, and optional "bulletproofing" via ASNs resistant to quick de-peering. The provider targeted clients requiring persistent infrastructure immune to abuse complaints, law enforcement requests, and network-level takedown.

Primary service categories: VPS/dedicated servers (Moldova and Netherlands DCs); high-bandwidth nodes for DDoS campaigns; proxy and VPN relay infrastructure; VM images deployable via ISPsystem's VMmanager (enabling rapid re-provisioning).

Verbatim Advertising Copy

Intelligence Gap
Exact Stark forum advertising text (e.g., from XSS or Exploit.in threads) has not been reproduced in prioritized open sources. The following are reconstructed from vendor paraphrases.
GreyNoise, November 2025 — paraphrasing Stark marketing
"[Stark] offered all the bulletproof hosting classics: crypto payments, servers in jurisdictions with flexible abuse policies, and a business model built around plausible deniability."
KrebsOnSecurity / Coastline Cyber, September 2025
"A web hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns."

Onboarding and Vetting

No detailed documentation of KYC or vetting procedures is available in open sources. Available evidence is consistent with open signup via website with minimal verification, the standard BPH posture. The concentration of high-end state-aligned and criminal actors suggests possible informal vetting for especially sensitive services (dedicated boxes, high-bandwidth nodes), but this is ANALYST INFERENCE not directly evidenced.

Pricing and Service Tiers

Specific price tables and named service tiers are not captured in open sources. Stark's offerings appear in the mid-tier range compared to other BPHs on Russian-language forums, based on OWN-CERT's BPH landscape analysis. No historical price lists or archived website snapshots with pricing are available in the prioritized source set [Intelligence Gap].

Downstream Reseller Chain

Evidence points to downstream use of Stark / PQ / MIRhosting infrastructure via ISPsystem VMmanager installations, enabling third-party resellers to package and sell capacity. Sophos documents widely reused VM images associated with Stark infrastructure that served multiple criminal actors. Specific named reseller brands marketing Stark explicitly are not documented in open sources.

Abuse Handling and LE Posture

Phish.report and similar abuse services list STARK-INDUSTRIES-SOLUTIONS-AS, MD (AS43624) with standard abuse mailbox entries; however, CERT-EU and vendor reporting consistently notes that complaints resulted in slow or no action, consistent with bulletproof behavior. MIRhosting publicly claimed to act on abuse complaints; FIOD's May 2026 enforcement action rejected this as a defense against sanctions liability. The operator set's behavior across multiple rebrands (Stark to THE.Hosting to WorkTitans) demonstrates a consistently adversarial posture toward regulators and LE.

OPSEC and Support Channels

Stark's specific operational communications (Jabber, Telegram, ticketing portals) are not documented in open sources. A ticket-based support system via the stark-industries[.]solutions and later the[.]hosting portals is a reasonable inference from standard BPH operational models. No leaked chat logs or panel screenshots have appeared in the prioritized source set [Intelligence Gap].

Post-Sanctions Operational Adaptation
The PQ.Hosting-to-THE.Hosting rebrand included a public website migration to the[.]hosting, presentation of WorkTitans B.V. as an ostensibly new Dutch company with no apparent connection to Stark, and service continuity for existing clients (confirmed by GreyNoise migration data). This represents a documented, deliberate OPSEC protocol for sanctions evasion, not an ad hoc response.

Technical Capabilities and Infrastructure Footprint

ASN Summary

ASNRegistered NameStatus (June 2026)Notes
AS44477STARK-INDUSTRIES / PQ Hosting Plus S.R.L. (ORG-PHPS1-RIPE, created 13 May 2025)De-registeredholder="" announced=false per RIPE NCC RIPEstat API, 6 June 2026. Originally Stark's primary ASN; transferred to PQ Hosting Plus S.R.L. on 16 May 2025, 4 days before EU sanctions. Malicious activity migrated to AS209847 by Nov 2025.
AS43624STARK-INDUSTRIES-SOLUTIONS-AS, MD (PQ Hosting, Moldova)De-registeredholder="" announced=false per RIPE NCC RIPEstat API, 6 June 2026. Moldovan ASN with abuse contacts listed in phish.report. Now withdrawn.
AS209847THE WorkTitans B.V.Activeholder="THE WorkTitans B.V." announced=true per RIPE NCC RIPEstat API, 6 June 2026. Created 24 June 2025. Still announcing 200+ IPv4 prefixes as of 6 June 2026, three weeks after FIOD arrests and server seizures.

Representative IPv4 Ranges (AS209847, Active June 2026)

Direct RIPE NCC query of AS209847 on 6 June 2026 returned the following active /24 prefixes (non-exhaustive selection; 200+ total active prefixes confirmed):

PrefixActive as ofNote
171.22.126.0/246 June 2026Formerly in Stark /23 block (171.22.126.0/23)
171.22.127.0/246 June 2026Formerly in Stark /23 block
171.22.112.0/246 June 2026WorkTitans range
171.22.113.0/246 June 2026WorkTitans range
171.22.118.0/246 June 2026WorkTitans range
171.22.131.0/246 June 2026WorkTitans range
45.12.109.0/24, 45.12.132.0/24, 45.12.133.0/246 June 202645.12.x ranges (multiple active)
5.182.36.0/24, 5.182.37.0/24, 5.182.38.0/246 June 20265.182.x cluster
185.234.56.0/24, 185.234.57.0/24, 185.234.58.0/246 June 2026185.234.x cluster

Data Center Footprint

LocationEntityRoleStatus
Dronten, NetherlandsMIRhosting / WorkTitansData center; servers seized in FIOD raidRaided May 2026
Schiphol-Rijk, NetherlandsMIRhosting / WorkTitansData center; servers seized in FIOD raidRaided May 2026
Enschede, NetherlandsWorkTitans B.V. (Hoge Bothofstraat 39)Business address searched by FIODRaided May 2026
Almere, NetherlandsFezzy B.V. / MIRhostingBusiness address searched by FIODRaided May 2026
MoldovaPQ Hosting / PQ Hosting PlusMoldovan DCs; core early infrastructure; status post-EU-sanctions unclearDegraded (sanctions on PQ entities)

Stark and its successor entities leased or colocated hardware via PQ Hosting, MIRhosting, and WorkTitans rather than owning datacenter real estate directly. MIRhosting provided physical servers and transit to AMS-IX (Amsterdam) and DE-CIX (Frankfurt) as the connectivity backbone.

Upstream Transit Chain

Phase 1 (2022 to mid-2025): PQ Hosting (Moldova) as primary upstream and infrastructure layer; Stark-branded ASNs (AS44477, AS43624) routed via PQ facilities.

Phase 2 (mid-2025 to present): MIRhosting (Almere, Netherlands) as primary colocation and transit provider for WorkTitans / THE.Hosting (AS209847), with high-capacity connections to AMS-IX and DE-CIX Frankfurt. MIRhosting served as the transport layer through which THE.Hosting traffic entered European internet infrastructure.

De-peering events: EU sanctions on PQ Hosting and PQ Hosting Plus (May 2025) triggered financial exclusion and forced migration of RIPE resources to new entities. AS44477 and AS43624 are now fully de-registered. No documented upstream de-peering events targeted AS209847 before the FIOD arrests, explaining its persistence post-sanctions. As of June 2026, AS209847 continues to route despite the May 2026 arrests.

RIPE abuse contacts: AS43624 (PQ Hosting, MD) listed standard NOC/abuse mailboxes per phish.report. AS209847 (WorkTitans) lists a Dutch address and abuse mailbox in its RIPE object; these were the formal complaint channels for Stark/THE.Hosting traffic after the sanctions rebrand.

Resilience Techniques

Hosted Activity Types

Activity TypeEvidenceConfidence
Credential harvesting / phishing (state-aligned)Recorded Future / Insikt: TAG-53 / Callisto / COLDRIVER-like cluster infrastructure hosted on Stark ASNsConfirmed
DDoS / hacktivist infrastructureCERT-EU briefs: NoName057(16) C2, staging, and propaganda sitesConfirmed
Ransomware C2 and stagingSophos / OWN-CERT: LockBit, ALPHV/BlackCat, Qilin, Ursnif on widely reused Stark VM imagesConfirmed
Financial crime infrastructure (FIN7)Team Cymru / Silent Push: FIN7 credential-harvesting and fake corporate sites on Stark IPsConfirmed
Commodity stealer / RAT C2Centripetal: RedLine Stealer and NetSupport RAT C2 on Stark rangesConfirmed
VPN / proxy obfuscation nodesTRM Labs; GreyNoise (24+ VPN service signatures on AS44477/AS209847)Confirmed

Blocklist Standing

BlocklistStatusNotes
Spamhaus SBL / CBL / XBLProbable ListedVendor and CERT reporting confirms repeated listings for spam, malware C2, and abusive scanning on Stark-associated ranges. Specific SBL entry numbers and first-listing dates not publicly documented in prioritized source set. AS209847 continues to announce from the same IP space. [Intelligence Gap: complete historical listing table]
abuse.ch (Feodo, URLhaus, MalwareBazaar)Probable ListedMultiple individual IPs and domains resolving to Stark/WorkTitans ranges appear in abuse.ch feeds per Centripetal and vendor IOC reporting. Presented as IOC feeds rather than ASN-level narrative; no full enumeration available.
FireHOL level-1 / level-2Probable ListedFireHOL high-risk ASN lists historically included PQ Hosting ranges; Stark-specific annotations not called out by name in available sources.

Known Weaknesses Exploited

Dutch jurisdictional vulnerability: Concentrating physical infrastructure in Netherlands facilities created a jurisdictional exposure that FIOD leveraged in May 2026. Under Dutch sanctions law, providing economic resources (hosting, connectivity) to sanctioned entities constitutes a violation regardless of whether the provider claims ignorance of client identity. This enabled rack-level seizures, not just individual IP takedowns.

Limited operator set: Reliance on a small circle of operators (Neculiti brothers, Zinad, Nesterenko) and known corporate shells (Fezzy B.V., WorkTitans, MIRhosting) allowed sanctions packages to target overlapping individuals and companies, concentrating legal pressure even when technical impact was limited.

Shell company transparency: KrebsOnSecurity traced WorkTitans to Fezzy B.V. to Zinad through public Dutch Chamber of Commerce records and open-source OSINT on phone numbers. The shell structure was legally obfuscating but not operationally opaque.

Financial Infrastructure

Payment Methods

Direct evidence of Stark's payment interfaces is sparse in open sources, consistent with BPH operational security norms.

Wallet Clusters and On-Chain Analysis

Intelligence Gap — Critical
No public TRM Labs, Chainalysis, or Elliptic reporting attributes specific on-chain wallet clusters to Stark operators or entities. TRM Labs' EU/UK crackdown blog names Stark as part of a "Russian hybrid threat network" but does not publish wallet addresses. If Stark-specific wallets exist in blockchain analytics platforms, they are behind customer portals or law enforcement channels only.

Three-Phase Laundering Model

The three-phase laundering pattern (acquisition, layering, extraction) cannot be reconstructed from open sources given the absence of wallet IOCs. This remains a significant intelligence gap that limits financial disruption options (OFAC wallet designation, exchange-level blocking).

Sanctions and Risk Ratings

AuthorityEntity / IndividualDesignation DateProgramStatus
EU CouncilStark Industries Solutions Ltd20 May 2025RUSDA (Russia destabilizing actions)Active
EU CouncilIurie Neculiti20 May 2025RUSDAActive
EU CouncilIvan Neculiti20 May 2025RUSDAActive
EU CouncilPQ Hosting; PQ Hosting Plus S.R.L.20 May 2025RUSDAActive
National mirrors (BE, LV, FR, others)All of the aboveMay 2025EU mirrorActive
OFAC (US Treasury)Stark entities / operatorsN/AN/ANot confirmed on SDN list as of June 2026
UK OFSI / FCDOStark entities / operatorsN/AN/AEU-mirrored measures applied; independent UK listing not confirmed in open sources as of June 2026

TRM Labs and other risk-rating vendors classify Stark as a high-risk "hybrid threat infrastructure" entity, but specific VASP-level risk scores are not public.

Client Profile and Hosted Operations

Crimeware Verticals by Evidence Tier

Client VerticalEvidenceTier 1 HostingTier 2 Operational
Russia-aligned APT / Espionage
TAG-53 / Callisto / COLDRIVER-like cluster
Recorded Future Insikt: credential-harvesting and phishing infrastructure hosted on Stark ASNs; technical infrastructure overlap (ASNs, domains) Confirmed Credible
Pro-Russian Hacktivist / DDoS
NoName057(16) and related fronts
CERT-EU briefs (CB24-06, CB25-10): IP/ASN overlap, campaign timing and targeting patterns; De Volkskrant (May 2026) links WorkTitans to NoName057(16) DDoS attacks Confirmed Credible
Ransomware Ecosystems
LockBit, ALPHV/BlackCat, Qilin, Ursnif
Sophos: widely reused Stark-heavy VM images; OWN-CERT: BPH landscape placing Stark-type hosts; NetSupport RAT and Ursnif observed on Stark ranges Confirmed Analyst Inference
High-End Financial Crime
FIN7
Team Cymru: Stark-assigned IPs hosting FIN7 credential-harvesting and fake corporate sites; Silent Push Year-in-Review referencing Stark infrastructure Confirmed Analyst Inference [SINGLE SOURCE: primarily Team Cymru / Silent Push]
Commodity Stealers / RATs
RedLine Stealer, NetSupport RAT
Centripetal: RedLine and NetSupport RAT C2 on Stark ranges Confirmed Analyst Inference

Client Geography

Client infrastructure concentrated in Moldova and Netherlands IP ranges, but used to target EU, UK, US, and Ukrainian entities. No evidence of a CIS exclusion zone, consistent with a provider serving Russian state-aligned actors targeting outward rather than protecting domestic interests. Campaign targeting patterns documented in CERT-EU confirm EU and NATO-aligned government, military, energy, and democratic institutions as primary targets.

Notable Hosted Cases

EU/UK hybrid threat sanctions package (May 2025): Stark cited as a key enabler of Russian cyber and information operations in the RUSDA sanctions package. Underlying EU designation narratives summarized in TRM Labs and Cyfluence highlight use for campaigns against military, energy, logistics, and democratic institutions, though the full technical annex is not public.

Dutch FIOD enforcement action (May 2026): 800+ servers used by Russian-aligned cyberattack and disinformation operations seized from five locations. FIOD and De Volkskrant explicitly linked the seized infrastructure to Stark / WorkTitans / MIRhosting and to NoName057(16) DDoS operations against Danish infrastructure.

State Nexus Assessment

Assessed Tier: Probable Cooperation (Tier 3 of 4)

Evidence supports more than tolerated safe harbor. The EU sanctions designation explicitly states that Stark "enabled Russian state-sponsored cyber operations" including information manipulation, cyberattacks, and destabilizing hybrid activities. CTI reporting shows systematic and repeated hosting of infrastructure for Russia-aligned APT and influence clusters, not merely generic cybercrime. The emergence of the provider two weeks before Russia's February 2022 invasion, the consistent alignment of hosted operations with Russian state objectives (targeting NATO democracies, Ukrainian entities, EU critical infrastructure), and the use by TAG-53 / Callisto / COLDRIVER-like clusters (assessed FSB-linked by multiple vendors) collectively support probable cooperation.

Tier 4 (Direct Control) is not justified: no public leaks, court documents, or technical evidence show direct FSB/GRU tasking, payment flows to Stark operators from Russian state actors, or shared infrastructure administration accounts between Stark and Russian state agencies.

Evidence Supporting Probable Cooperation

Negative Evidence

Jurisdictional Separation

Entity Registration Jurisdiction
United Kingdom / Netherlands / Moldova
Stark Industries Solutions Ltd: UK (Companies House 13906017). WorkTitans B.V.: Netherlands (Enschede). PQ Hosting Plus S.R.L.: Moldova. Fezzy B.V.: Netherlands (Almere).
Infrastructure Hosting Jurisdiction
Netherlands (primary) / Moldova (secondary)
Primary DCs: Dronten, Enschede, Almere, Schiphol-Rijk (Netherlands). Secondary: PQ Hosting facilities (Moldova). No confirmed Russian-hosted infrastructure for the primary Stark/WorkTitans footprint.
Assessed Operator Location
Moldova / Netherlands
Neculiti brothers: Moldova (assessed; not confirmed post-sanctions). Zinad: Amsterdam, Netherlands (confirmed; arrested). Nesterenko: The Hague, Netherlands (confirmed; arrested). Russian-aligned clients / tasking: Russia / proximate jurisdictions.

Law Enforcement and Regulatory Response

Sanctions and Policy Actions

DateActionAuthorityTargets
20 May 2025EU Council sanctions (RUSDA program)European UnionStark Industries Solutions Ltd; Iurie Neculiti; Ivan Neculiti; PQ Hosting; PQ Hosting Plus S.R.L.
May 2025National mirror measuresBelgium, Latvia, France, and other EU member statesMirror of EU RUSDA designations; all entities listed as "Active" in national registries
June 2026OFAC SDNUnited States (OFAC)Not confirmed on SDN list as of this writing
June 2026UK OFSI / FCDOUnited KingdomEU-mirrored measures applied; independent UK-only designation not confirmed

Indictments, Arrests, and Charges

Netherlands (FIOD), 18 May 2026: Dutch fiscal intelligence and investigation service (FIOD) arrested Youssef Zinad (57, Amsterdam) and Andrey Nesterenko (39, The Hague) following a multi-location enforcement operation. FIOD conducted raids at three business addresses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk. Seized: 800+ servers, laptops, phones, and administrative records.

Charges proceed under Dutch sanctions law (not pure cybercrime statutes): the suspects are alleged to have indirectly provided economic resources to Russian and Belarusian entities sanctioned by the EU, with the infrastructure assessed to have supported Russian Federation activity undermining democracy and security through cyberattacks, foreign interference, and disinformation. Cases are ongoing; both individuals are presumed innocent pending trial.

The Neculiti brothers have not been indicted, arrested, or charged in any jurisdiction as of June 2026.

Infrastructure Seizures and Takedowns

2024 (preliminary action): Dutch authorities confiscated several hundred servers during earlier enforcement actions against WorkTitans-linked infrastructure prior to the May 2026 raids. Specifics not fully documented in open sources.

May 18-22, 2026 (main FIOD action): 800+ servers seized from Dronten and Schiphol-Rijk data centers and three business addresses. This represents the largest single enforcement action against Stark-linked infrastructure to date.

Post-Disruption Client Migration

After EU sanctions (May 2025): Recorded Future and GreyNoise confirm near-immediate migration of malicious activity from AS44477 (PQ Hosting Plus) to AS209847 (WorkTitans / THE.Hosting) with minimal downtime, strong IOC continuity, and near-identical behavioral profiles. Clients experienced no apparent operational disruption.

After FIOD 2026 raids: Full migration patterns are still emerging as of June 2026. AS209847 remains active with 200+ prefixes three weeks after the arrests (confirmed RIPE data). Some operations likely shifted to alternative Russia-aligned BPHs; others may remain on surviving WorkTitans infrastructure. Complete post-2026 picture is an intelligence gap.

Impact Assessment

Short-term impact: Noticeable but temporary reduction in malicious traffic from seized IP ranges; some campaigns paused or retooled infrastructure. The 2026 physical server seizure removes hardware, which has a higher reconstitution cost than a legal entity rebrand.

Medium-term impact: Limited. Prior behavior demonstrates high substitution capacity. The operator's documented ability to pre-position infrastructure before enforcement suggests additional shell entities or alternative upstreams may already exist. AS209847 remaining active three weeks post-arrest indicates the infrastructure layer is not fully dependent on Zinad and Nesterenko's continued freedom.

Structural impact: The arrests of two Netherlands-based operators and the seizure of server hardware represent a meaningful escalation above the purely sanctions-based pressure applied in 2025. However, the primary operators (Neculiti brothers) remain at large and sanctioned in jurisdictions (Moldova, possibly Russia) that have not extradited or arrested them.

Connected Groups and Ecosystem Relationships

Two-Tier Confidence Applied
All connected entity claims use two separate confidence labels. Tier 1 (infrastructure): did Stark host their infrastructure? Tier 2 (operational): did Stark operators knowingly coordinate with the client? These are analytically distinct claims requiring separate evidence.
TAG-53 / Callisto / COLDRIVER-like Credential-Harvesting Cluster
Russia-aligned espionage cluster; assessed FSB-linked by multiple vendors
Two-Tier Confidence
Tier 1 — Infrastructure hosting:Confirmed
Tier 2 — Operational relationship:Credible
Recorded Future Insikt Group documents credential-harvesting and phishing infrastructure attributed to TAG-53 hosted on Stark ASNs (AS44477 and predecessor ranges). Technical infrastructure overlap confirmed via ASN attribution and domain resolution analysis. Tier 2 assessed Credible rather than Confirmed based on Stark's consistent alignment with Russian state interests and deliberate hosting of this cluster, but no direct evidence of coordination between Stark operators and TAG-53 principals.
Recorded Future Insikt CERT-EU CRC Blog (Cyfluence)
NoName057(16) and Pro-Russian DDoS Fronts
Pro-Russian hacktivist group; DDoS campaigns against NATO/EU targets
Two-Tier Confidence
Tier 1 — Infrastructure hosting:Confirmed
Tier 2 — Operational relationship:Credible
CERT-EU briefs (CB24-06, CB25-10) confirm IP/ASN overlap between Stark/WorkTitans infrastructure and NoName057(16) C2 and staging nodes. Campaign timing and targeting patterns (EU government, military, critical infrastructure) align with the RUSDA sanctions narrative. De Volkskrant (May 2026) further links WorkTitans specifically to NoName057(16) attacks on Danish infrastructure.
CERT-EU De Volkskrant (May 2026) EU sanctions narrative
FIN7
Russia-linked financially motivated threat actor; credential harvesting, fake enterprise sites
Two-Tier Confidence
Tier 1 — Infrastructure hosting:Confirmed
Tier 2 — Operational relationship:Analyst Inference Single Source
Team Cymru blog ("FIN7: The Truth Doesn't Need to Be So Stark") and Silent Push Year-in-Review identify Stark-assigned IPs hosting FIN7 credential-harvesting and fake corporate sites. Infrastructure clustering of FIN7 IOCs on Stark IPs confirmed. Tier 2 is Analyst Inference as no evidence shows Stark operators coordinating specifically with FIN7 principals; the attribution is based on IOC-level infrastructure overlap.
Team Cymru Silent Push No other corroborating vendors identified
Ransomware Ecosystems (LockBit, ALPHV/BlackCat, Qilin, Ursnif)
Multiple ransomware affiliates and crimeware operators using shared Stark VM infrastructure
Two-Tier Confidence
Tier 1 — Infrastructure hosting:Confirmed
Tier 2 — Operational relationship:Analyst Inference
Sophos documents widely reused Stark-heavy VM images (ISPsystem VMmanager deployments) with LockBit, ALPHV/BlackCat, Qilin, NetSupport RAT, and Ursnif payloads observed. OWN-CERT BPH landscape analysis places Stark-type hosts as a key ransomware enabler. Detection telemetry from Stark/WorkTitans IP ranges. Tier 2 is Analyst Inference: Stark's profile and behavior strongly suggest awareness of ransomware clients, but no direct evidence of operator-level coordination with specific ransomware groups.
Sophos OWN-CERT Centripetal

Trajectory Assessment

Infrastructure Churn and Market Position

Stark / WorkTitans / THE.Hosting is best characterized as a major backbone provider in the Russia-aligned hybrid threat ecosystem, not a niche host. Its recurring appearance across high-profile CTI, the RUSDA sanctions package, and the FIOD enforcement action places it among the most extensively documented BPH operators in Europe. The breadth of hosted activity (state-aligned APT, hacktivist DDoS, ransomware, financial crime) indicates a provider serving the full spectrum of Russian-aligned threat actors rather than a speciality niche.

Disruption History

February 10, 2022
Stark Industries Solutions Ltd incorporated in UK (Companies House 13906017), two weeks before Russia's full-scale invasion of Ukraine. Rapid emergence as prime infrastructure for Russian-aligned cyber and influence operations.
2023-early 2025
Infrastructure heavily used by TAG-53 / Callisto cluster, NoName057(16), FIN7, and ransomware affiliates. Recorded Future, Team Cymru, Cyfluence, and CERT-EU publish attribution linking Stark to Russian hybrid threat ecosystem. Stark well-known in CTI community.
April 10, 2025
Russian infrastructure begins migration to UFO Hosting LLC, indicating advance intelligence about forthcoming EU sanctions (confirmed Insikt Group). Preemptive sanctions evasion phase begins.
May 13-16, 2025
New RIPE organization PQ Hosting Plus S.R.L. (ORG-PHPS1-RIPE) created May 13; AS44477 transferred to it May 16, four days before EU sanctions. Shell repositioning complete before official designation.
May 20, 2025
EU Council (RUSDA program) sanctions Stark Industries Solutions Ltd, Iurie Neculiti, Ivan Neculiti, PQ Hosting, and PQ Hosting Plus S.R.L. Limited operational impact due to preemptive infrastructure migration.
May 29, 2025
PQ.Hosting announces rebrand as THE.Hosting, presenting WorkTitans B.V. as the new corporate entity. Website migration to the[.]hosting.
June 24, 2025
AS209847 (THE WorkTitans B.V.) created and begins routing. Becomes the successor ASN for THE.Hosting / WorkTitans operations.
August-November 2025
GreyNoise data confirms seamless migration of malicious activity from AS44477 to AS209847. AS44477 peak activity Aug 18 to Sep 15; near-complete abandonment by Nov 10. AS209847 ramp-up from Aug 25. Both ASNs share 24 VPN signatures; behavioral profiles virtually identical.
November 17, 2025
GreyNoise publishes "The Stark Industries Shell Game," documenting the full migration analysis and confirming THE.Hosting / WorkTitans as the operational successor to Stark's sanctioned infrastructure.
May 18, 2026
Dutch FIOD arrests Youssef Zinad (Amsterdam, 57) and Andrey Nesterenko (The Hague, 39). Raids at five locations in Enschede, Almere, Dronten, and Schiphol-Rijk. 800+ servers, laptops, phones, and administrative records seized.
June 6, 2026 (current)
AS209847 (WorkTitans B.V. / THE.Hosting) confirmed ACTIVE by direct RIPE NCC RIPEstat query: holder="THE WorkTitans B.V." announced=true; 200+ IPv4 prefixes routing. Neculiti brothers remain sanctioned and at large. Cases against Zinad and Nesterenko ongoing. Post-2026 client migration patterns not yet documented in open sources.

Trajectory Direction

Status: Degraded but Resilient. The FIOD 2026 server seizure represents the most impactful enforcement action against this ecosystem to date, removing physical hardware rather than merely imposing legal sanctions. However, the continued activity of AS209847 three weeks post-arrest indicates the infrastructure layer is not fully dependent on the arrested Dutch operators. The Neculiti brothers remain the assessed principals of the broader Neculiti-controlled network and have not faced arrest, prosecution, or extradition.

The pattern to date (2022-2026) demonstrates a provider with high reconstitution capacity: each disruption (sanctions, preliminary server seizures) has been followed within weeks by a functional rebrand. The 2026 FIOD action is more severe due to physical seizure, but the Neculiti-controlled corporate structure provides multiple reconstitution pathways.

Intelligence Gaps (Mandatory)

1. Post-2026 client re-homing patterns

Where Stark/WorkTitans clients will consolidate after May 2026 Dutch seizures; whether a new successor brand or ASN emerges under Neculiti control. Events too recent; no follow-up migration analysis published as of June 2026. Close with: future CERT-EU briefs, GreyNoise ASN-level anomaly monitoring, vendor IOC feed divergence analysis.

2. Verbatim advertising copy on criminal forums

Exact Stark ad texts on XSS/Exploit.in, including specific claims about abuse tolerance, no-logs policies, and accepted use cases. CTI write-ups summarize behavior rather than reproduce forum posts. Close with: historical XSS/Exploit screenshots, vendor collections of BPH ads, or forum leaks.

3. On-chain financial data

No cryptocurrency wallets or on-chain flows attributed to Stark operators or entities in public sources. Limits financial disruption options (OFAC wallet designation, exchange-level blocking). Close with: TRM Labs or Chainalysis entity-specific analysis behind customer portals; law enforcement blockchain tracing disclosures.

4. Operator handles and OPSEC details

No pseudonymous handles for Neculiti brothers on forums or chat platforms identified in open sources. Internal panel screenshots and support portal URLs not leaked. Close with: forum intelligence, law enforcement document disclosures, or leaked support panel dumps.

5. Full structured blocklist history

Exact dates and ranges of Spamhaus SBL/CBL/XBL/PBL listings, abuse.ch Feodo/URLhaus/MalwareBazaar listing history, and FireHOL entries by ASN. Public sources mention repeated listings without full timeline. Close with: direct DNSBL query of AS44477, AS43624, AS209847 IP blocks with historical snapshots; Spamhaus AS-level data.

6. Detailed pricing and service tier history

No confirmed price tables or named tiers for Stark or THE.Hosting. Close with: archived copies of stark-industries[.]solutions and the[.]hosting websites; criminal forum sales threads.

7. OFAC and UK OFSI independent designations

Whether OFAC has placed Stark entities on the SDN list, and whether UK OFSI has issued independent (non-EU-mirrored) designations, is unconfirmed as of June 2026. Close with: direct OFAC SDN list search; UK OFSI consolidated list search.

8. Neculiti brothers' current location and legal exposure

Precise residence of Iurie and Ivan Neculiti post-sanctions; whether any jurisdiction has issued arrest warrants, requested extradition, or begun criminal proceedings beyond EU sanctions. Close with: Moldovan law enforcement disclosures; EU criminal cooperation channels; investigative journalism.

Developments (2022-June 2026)

February 2022
Stark Industries Solutions Ltd incorporated (Companies House 13906017), two weeks before Russia's invasion of Ukraine. Rapid emergence as infrastructure provider for Russian-aligned hybrid threat operations.
2023-2024
Recorded Future Insikt Group, Team Cymru, CERT-EU publish attribution linking Stark's ASNs to TAG-53 / Callisto credential-harvesting infrastructure, FIN7 operations, and NoName057(16) DDoS campaigns. Stark becomes a standard reference in CTI reporting on Russia-aligned BPH.
May 20, 2025
EU Council (RUSDA program) sanctions Stark Industries Solutions Ltd, Iurie Neculiti, Ivan Neculiti, PQ Hosting, and PQ Hosting Plus S.R.L. Infrastructure already prepositioned via early April-May migration to UFO Hosting and PQ Hosting Plus RIPE org; sanctions have minimal immediate operational impact.
August-November 2025
GreyNoise documents seamless migration of malicious activity from AS44477 (PQ Hosting Plus S.R.L.) to AS209847 (WorkTitans B.V. / THE.Hosting). Migration complete by November 2025; identical behavioral signatures confirmed. Blog published November 17, 2025: "The Stark Industries Shell Game."
August 27, 2025
Recorded Future Insikt Group publishes "One Step Ahead: Stark Industries Solutions Preempts EU Sanctions" (CTA-2025-0827), documenting the preemptive sanctions evasion maneuvers and THE.Hosting / WorkTitans rebrand in detail.
September 2025
KrebsOnSecurity publishes "Bulletproof Host Stark Industries Evades EU Sanctions," documenting WorkTitans' corporate structure (Fezzy B.V. shareholder, Zinad email connection), the Neculiti brothers' preemptive infrastructure moves, and Augur Security's analysis of continued malicious activity post-sanctions.
May 18, 2026
Dutch FIOD arrests Youssef Zinad and Andrey Nesterenko; raids five locations in Enschede, Almere, Dronten, and Schiphol-Rijk; seizes 800+ servers. Charges: violating EU sanctions by providing economic resources to sanctioned entities. Cases ongoing.
June 6, 2026 (current)
AS209847 confirmed active by direct RIPE NCC RIPEstat query: 200+ IPv4 prefixes routing under holder "THE WorkTitans B.V." AS44477 and AS43624 de-registered (holder="" announced=false). Post-2026 client migration analysis not yet published.

Sources and Evidence Base

[1]Recorded Future Insikt Group, "One Step Ahead: Stark Industries Solutions Preempts EU Sanctions" (CTA-2025-0827), August 27, 2025. recordedfuture.com
[2]KrebsOnSecurity, "Bulletproof Host Stark Industries Evades EU Sanctions," September 2025. krebsonsecurity.com
[3]GreyNoise (boB Rudis), "When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game," November 17, 2025. greynoise.io
[4]BleepingComputer (Bill Toulas), "Netherlands seizes 800 servers of hosting firm enabling cyberattacks," May 22, 2026. bleepingcomputer.com
[5]KrebsOnSecurity, "Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks," May 2026. krebsonsecurity.com
[6]Augur Security, "European Union Sanctions Force Stark Industries Solutions Ltd. to Rebrand Again," 2025. augursecurity.com
[7]Recorded Future Insikt Group, "Exposing TAG-53's Credential Harvesting Infrastructure for Russia-Aligned Espionage Operations." recordedfuture.com
[8]CERT-EU Cyber Brief CB25-10, 2025. cert.europa.eu
[9]CERT-EU Cyber Brief CB24-06, 2024. cert.europa.eu
[10]Team Cymru, "FIN7: The Truth Doesn't Need to Be So Stark." team-cymru.com
[11]Silent Push, "Year In Review" report (2024-2025), referencing Stark infrastructure. silentpush.com
[12]Sophos, "Malicious Use of Virtual Machine Infrastructure" (documents Stark-heavy VM images). sophos.com
[13]Centripetal, "Insights into the Persistence and Resilience of Bulletproof Hosting: A Case Study on Stark Industries Solutions." centripetal.ai
[14]EU Sanctions Tracker, Stark Industries Solutions Ltd (EU-175827-213604). data.europa.eu
[15]OpenSanctions, Stark Industries Solutions Ltd and Neculiti profiles. opensanctions.org
[16]TRM Labs, "EU and UK Crackdown on Russian Hybrid Threat Networks," 2025. trmlabs.com
[17]Cyfluence Research (CRC Blog), "Stark Industries Solutions: A Threat Activity Enabler and Influence Operations." cyfluence-research.org
[18]Coastline Cyber, "Bulletproof Host Stark Industries Evades EU Sanctions" (mirror of KrebsOnSecurity). coastlinecyber.com
[19]SafeState / Safestate.com, "Dutch Authorities Seize 800 Stark Industries Servers in Sanctions Crackdown," May 2026. safestate.com
[20]TechTimes, "Dutch FIOD Seizes 800 Servers of Bulletproof Hoster Powering Russian Cyberattacks," May 2026. techtimes.com
[21]OWN Security (OWN-CERT), "50 Shades of Bulletproof Hosting: BPH Landscape on Russian-Language Cybercrime Forums." own.security
[22]RIPE NCC RIPEstat API — AS44477, AS43624, AS209847 status queries, performed 6 June 2026. stat.ripe.net
[23]Phish.report abuse contacts, STARK-INDUSTRIES-SOLUTIONS-AS, MD. phish.report
[24]LowEndSpirit forum discussion, "PQ.Hosting (Stark Industries Solutions Ltd, formerly MoreneHost) sanctioned by EU." lowendspirit.com
[25]The Record from Recorded Future News, "Dutch authorities arrest men suspected of providing infrastructure for Russian cyber operations," May 2026. therecord.media