PQ.Hosting (STARK INDUSTRIES SOLUTIONS LTD, formerly MoreneHost) sanctioned by EU

edited May 2025 in General

Looks like the EU has sanctioned STARK INDUSTRIES SOLUTIONS LTD, that is PQ.hosting and Ivan Neculiti, its founder.
STARK was primarily used as a shell company for their ASN, to not attract attention to their main brand, PQ. They started selling servers under STARK brand too.

Among those listed are also Stark Industries, a web hosting service, its CEO Iurie Neculiti and owner Ivan Neculiti. They have been acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber-attacks against the Union and third countries.

Those designated today will be subject to an asset freeze and EU citizens and companies will be forbidden from making funds available to them. In addition, natural persons will also be subject to a travel ban, which will prevent them from entering or transiting through EU territories.

https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/ (archive)

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500966 (archive)

They knew about it ahead of time, and have moved their ASN from STARK to their Moldovan company

Status of the network as of now

Thanked by (2)Nyr someTom

Comments

  • ZizzyDizzyMC Hosting Provider

    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

  • edited May 2025

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

  • ZizzyDizzyMC Hosting Provider

    @treesmokah said:

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

    Without any sensitive info being given out - it is well known among cybersec that this group as well as a few others I won't name are state sponsored actors, acting as if they were not. They sell legitimate goods on the side to make it seem legit, but they mess up in strange ways, like only certain blocks are used for X activities.

    You can tell the difference from say, Frantech / BuyVM - where you see one of these IPs in a log and it can be pretty bad - but then you check and it's like "oh, tor block, ez ban" Where these state sponsored / used hosts just don't have that obviousness to them. It's like they're trying to keep it low key while door knocking ~200,000 firewalls trying to exploit a CVE where a proof of concept was not yet released. They'll change ip block hands between each other etc. It's like they think we're stupid or something. Not like ARIN RIPE etc don't keep logs of that shit dawg. FR FR ong, no cap.

    Thanked by (1)someTom
  • edited May 2025

    PQ sent this to their customers

    Dear Client,
    We would like to inform you that on May 20, 2025, Stark Industries Solutions and its management were added to the European Union’s sanction lists.
    At present, we are carefully reviewing the situation together with our legal team and making every effort to resolve it. We are confident that a constructive solution will be found soon.
    PQ.Hosting’s top priority has always been the security of our clients’ data and the stability of the services we provide. However, due to the current circumstances and potential regulatory restrictions, we cannot guarantee uninterrupted service operation in some European countries with 100% certainty.
    As a preventive measure, we offer our clients whose servers are hosted in Europe an additional server free of charge to facilitate potential data transfer and minimize risks.
    We also strongly recommend that you promptly create backups of your data to ensure its safety in any scenario.
    We will continue to keep you informed about the developments. An official statement with more detailed information will be prepared shortly.
    Thank you for your understanding and trust. We are doing everything possible to maintain the stability and reliability of our services under any circumstances.
    Sincerely,
    The PQ.Hosting Team

    Network status as of now, looks like it's crumbling. 33 /24's down since the initial post was made.

    Country list (archive)

    Thanked by (1)10thHouse
  • @ZizzyDizzyMC said:

    @treesmokah said:

    @ZizzyDizzyMC said:
    Seen this ASN pop up doing some nasty things in the Fortigate / Sonicwall CVE space recently, not surprised at all.

    It's a gamble whether they will suspend you for malicious activity.
    I have been suspended over a fake "botnet c2" report from some Chinese "researcher" before.

    They also have (or used to) an interesting policy, where only the server gets terminated for abuse, but not the entire account. So you could just keep buying VPS over and over when suspended.

    But there are also IPs that don't get suspended ever, makes you wonder who are their customers and why do they ignore reports for one group, but not another.
    Connections to Russia get journo scum excited, but in this case I do think FSB is involved. There are many things I've heard over the years, that line up.

    Without any sensitive info being given out - it is well known among cybersec that this group as well as a few others I won't name are state sponsored actors, acting as if they were not. They sell legitimate goods on the side to make it seem legit, but they mess up in strange ways, like only certain blocks are used for X activities.

    You can tell the difference from say, Frantech / BuyVM - where you see one of these IPs in a log and it can be pretty bad - but then you check and it's like "oh, tor block, ez ban" Where these state sponsored / used hosts just don't have that obviousness to them. It's like they're trying to keep it low key while door knocking ~200,000 firewalls trying to exploit a CVE where a proof of concept was not yet released. They'll change ip block hands between each other etc. It's like they think we're stupid or something. Not like ARIN RIPE etc don't keep logs of that shit dawg. FR FR ong, no cap.

    Unsurprisingly, many are Russian.

  • edited May 2025

    As a part of damage control, PQ.hosting has renamed to THE.hosting. I do not believe it's "new ownership and management", just a new shell.

    PQ.Hosting: THE.Hosting: Important News About the Company’s Transformation
    On May 29, 2025, the PQ.Hosting brand will officially cease to exist.

    This decision marks the completion of a full-scale transformation, through which all assets, infrastructure, and customer services are transferred under the management of a new company — THE.Hosting.

    The PQ.Hosting project no longer exists — neither as a legal entity nor as an operational structure. From the moment of transition, full control over all operational and technical activities has passed to new owners with no connection to the previous management or beneficiaries.

    Services will continue to operate without interruption. All current VPS, other services, locations, pricing plans, and billing cycles will be automatically extended — no action is required from clients. Access to services will be automatically redirected to the new website and billing platform of THE.Hosting. The entire infrastructure — including the network, control panels, and automation — will continue functioning, but now under new management.

    THE.Hosting remains committed to its core mission: delivering reliable, high-quality hosting worldwide.

    We are confident that our future will only grow stronger and more resilient. With each passing day, we become better equipped to serve, and our commitment to delivering the best possible service remains the foundation of our approach. Our team is available 24/7 and ready to answer any questions.

    THE.Hosting is the evolution of trusted hosting with a renewed approach.

    Everything you valued remains. Everything that can be improved — will be.

    We are proud to enter this new chapter and to serve you with even greater strength and confidence.

    https://the.hosting/en/news/pqhosting-thehosting-important-news-about-the-companys-transformation (archive)

    Their ASN is still called "PQ HOSTING PLUS S.R.L.", however most subnets have been renamed to "WorkTitans B.V.".
    What does a recruitment company have to do with hosting? Probably nothing, PQ either bought them to use as a shell, or they knew each other prior to that.

    Thanked by (2)10thHouse Alyx
  • ZizzyDizzyMC Hosting Provider

    @treesmokah said:
    As a part of damage control, PQ.hosting has renamed to THE.hosting. I do not believe it's "new ownership and management", just a new shell.

    PQ.Hosting: THE.Hosting: Important News About the Company’s Transformation
    On May 29, 2025, the PQ.Hosting brand will officially cease to exist.

    This decision marks the completion of a full-scale transformation, through which all assets, infrastructure, and customer services are transferred under the management of a new company — THE.Hosting.

    The PQ.Hosting project no longer exists — neither as a legal entity nor as an operational structure. From the moment of transition, full control over all operational and technical activities has passed to new owners with no connection to the previous management or beneficiaries.

    Services will continue to operate without interruption. All current VPS, other services, locations, pricing plans, and billing cycles will be automatically extended — no action is required from clients. Access to services will be automatically redirected to the new website and billing platform of THE.Hosting. The entire infrastructure — including the network, control panels, and automation — will continue functioning, but now under new management.

    THE.Hosting remains committed to its core mission: delivering reliable, high-quality hosting worldwide.

    We are confident that our future will only grow stronger and more resilient. With each passing day, we become better equipped to serve, and our commitment to delivering the best possible service remains the foundation of our approach. Our team is available 24/7 and ready to answer any questions.

    THE.Hosting is the evolution of trusted hosting with a renewed approach.

    Everything you valued remains. Everything that can be improved — will be.

    We are proud to enter this new chapter and to serve you with even greater strength and confidence.

    https://the.hosting/en/news/pqhosting-thehosting-important-news-about-the-companys-transformation (archive)

    Their ASN is still called "PQ HOSTING PLUS S.R.L.", however most subnets have been renamed to "WorkTitans B.V.".
    What does a recruitment company have to do with hosting? Probably nothing, PQ either bought them to use as a shell, or they knew each other prior to that.

    Yep, just another ASN to add to the filter. This happens every 2-3 weeks btw, it just so happens that you are paying attention to this one.

  • edited September 2025

    Upon taking a closer look at "the.hosting" ORG on RIPE, I have found someone's personal email attached as a contact on MNT.
    https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=THE-HOSTING-MNT&type=mntner (archive)

    It's also shown on "ufo.hosting" (which is where PQ hosting RU customers were redirected before) MNT
    https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=UFO42-MNT&type=mntner (archive)

    "[redacted email]" appears to be Dmitrii Aleksandrovich Miasnikov (Мясников Дмитрий Александрович) aka "jimboframe", according to information gathered from leaked databases.

    And sure enough, 91.207.183.0/24 coming from his personal ripe org, ru.ripe7 is announced on UFO Hosting ASN.

    I still stand by that WorkTitans B.V. is just a front, PQ/THE appears to be still operated by Russians.

    Thanked by (2)10thHouse someTom
  • Krebs just covered it, seems like WorkTitans B.V. is one of MIRhosting shells. And MIRhosting is basically Serverius for the Russian market, they share (or shared) employees and operate from the same facilities.
    https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/ (archive)

  • Erm... I am lost... basically some company is using shell companies to circumvent the law and doing business? Sounds pretty normal to me... Don't most companies that get barred do this?

    I speak fluent sarcasm and broken logic. | I would agree with you, but thæn we’d both be wrong.

  • @somik said:
    Erm... I am lost... basically some company is using shell companies to circumvent the law and doing business? Sounds pretty normal to me... Don't most companies that get barred do this?

    Most companies do not get sanctioned by the EU, and most companies are not a front for state-sponsored hacking.

  • MichaelCee Moderator Hosting Provider OG Services Provider
    edited September 2025

    @treesmokah said:
    "[redacted email]" appears to be Dmitrii Aleksandrovich Miasnikov (Мясников Дмитрий Александрович) aka "jimboframe", according to information gathered from leaked databases.

    I have redacted the email due to the connotations of "leaked databases". If it is publicly available I can edit it back in.

  • @MichaelCee said:

    @treesmokah said:
    "[redacted email]" appears to be Dmitrii Aleksandrovich Miasnikov (Мясников Дмитрий Александрович) aka "jimboframe", according to information gathered from leaked databases.

    I have redacted the email due to the connotations of "leaked databases". If it is publicly available I can edit it back in.

    That email was public on RIPE. Looks like they have updated it, and for whatever reason my archive links aren't working.

    Thanked by (1)MichaelCee
  • edited September 2025

    If this is the post you have in mind

    PQ/THE always bundled VPS with NS hosting from what I remember, so you can use these nameservers for anything you want.
    https://dns.the.hosting/

    Also, looks like they started a "registrar" a few months ago too https://pq.domains/en/, under "WEISS HOSTING SERVICES LIMITED" shell. They resell https://www.onlinenic.com/en/

    There appears to be roughly ~150 unique results for domains with ns*.the.hosting NS on Silent Push WHOIS scanner.

    Thanked by (1)xvps
  • edited May 22

    PQ/THE.hosting had its Netherlands infrastructure taken down. Over 800 dedicated servers have been seized from Serverius (now Kolo) datacenters, where they colocated with MIRHosting. At least two arrests have been made for enabling sanction evasion.

    A few days ago PQ sent this cryptic Email to their customers

    Hello.

    Unfortunately, the infrastructure in the Netherlands was completely lost after a technical incident and cannot be restored. A team of technical specialists tried to do everything possible to ensure the stability of the servers, however, the attempts were unsuccessful.

    At the moment, specialists are continuing to rebuild the internal infrastructure, as the Netherlands was one of the main landing points.

    We understand how important it is to ensure the uninterrupted operation of your projects. As a quick solution to the unavailability of servers in the Netherlands, we have created a new service for you with a similar tariff in another location, which is not inferior in technical characteristics to the Netherlands.
    Additionally, we have added an expiration date to the new service to compensate for the incident.

    We hope for your understanding, our team is going through quite difficult times right now, all support staff have been called in for additional shifts to stabilize their work as soon as possible.

    Additionally, we would like to clarify that there is also a temporary restriction on ordering services in such countries as:
    — Armenia,
    — Serbia,
    — Kazakhstan,
    — Finland,
    — Netherlands,
    — Germany,
    — Austria,
    — Denmark.

    We ask you to refrain from contacting the support service unnecessarily, create only in case of unavailability of services or other urgent issues. Duplicate tickets will not be considered. In case of repeated spam, employees may limit your ability to create requests. Thanks for understanding.
    with respect,
    THE.Hosting team

    This has been posted today by Dutch Tax authorities, FIOD
    https://www.fiod.nl/fiod-houdt-twee-verdachten-aan-wegens-overtreding-sanctiewetgeving/ (archive)

    According to "de Volkskrant" the two men arrested are

    • Youssef Zinad, 57, of Amsterdam, operator of shell company used by PQ "WorkTitans B.V."
    • Andrey Nesterenko, 39, of The Hague, operator of MIRhosting and former sales employee at Serverius

    Over 100 /24's have disappeared from PQ's AS209847, and downstreams are of course also affected.

    Thanked by (1)Gumbus
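
The prefix counts quoted in this thread ("33 /24's down", "Over 100 /24's have disappeared from PQ's AS209847") come from comparing what an ASN announces at two points in time. As an added example (not posted by any participant in the thread), this sketch diffs two snapshots of announced IPv4 prefixes by address space rather than by prefix string, so re-aggregation or de-aggregation is not miscounted as churn. The one-CIDR-per-line snapshot format and every prefix below are constructed for illustration.

```python
import ipaddress

# Constructed sample snapshots (documentation / benchmark ranges, not real data).
BEFORE = """
198.18.0.0/22      # covers four /24s
198.18.8.0/24
198.18.9.0/24
198.51.100.0/24
203.0.113.0/24
"""

AFTER = """
198.18.0.0/24      # the /22 was de-aggregated, half of it is gone
198.18.1.0/24
198.18.8.0/23      # .8 and .9 re-announced as one aggregate: no real change
203.0.113.0/24
192.0.2.0/24       # newly announced
not-a-prefix       # malformed lines are skipped
"""


def parse_snapshot(text):
    """Parse one-CIDR-per-line text into a set of IPv4 networks."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # ignore malformed entries
        if net.version == 4:
            nets.add(net)
    return nets


def slash24_set(nets):
    """Expand networks into the set of /24s they cover (overlaps count once)."""
    out = set()
    for net in nets:
        if net.prefixlen > 24:
            # Longer than /24: count the /24 it sits in.
            out.add(net.supernet(new_prefix=24))
        else:
            out.update(net.subnets(new_prefix=24))
    return out


def diff_snapshots(before_text, after_text):
    """Compare two snapshots and report the change in /24 equivalents."""
    before_nets = parse_snapshot(before_text)
    after_nets = parse_snapshot(after_text)
    before = slash24_set(before_nets)
    after = slash24_set(after_nets)
    withdrawn = before - after
    added = after - before
    return {
        "before_24s": len(before),
        "after_24s": len(after),
        "withdrawn_24s": len(withdrawn),
        "added_24s": len(added),
        # Collapsed back to the shortest covering prefixes for readability.
        "withdrawn": [str(n) for n in ipaddress.collapse_addresses(withdrawn)],
        "added": [str(n) for n in ipaddress.collapse_addresses(added)],
        # What a plain string diff of the prefix lists would have reported.
        "naive_withdrawn_prefixes": len(before_nets - after_nets),
    }


if __name__ == "__main__":
    for key, value in diff_snapshots(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

A string-level diff of the two lists reports four withdrawn prefixes here, while only three /24s of address space actually left the table.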
  • euronodes Hosting Provider
    edited May 23

    While at it, why don't we shut down Facebook for state sponsored meddling.
    And why don't we shut down AWS for Cambridge Analytica.
    Half the western clouds host the same Fortinet/Sonicwall scanning and phishing and C2 and nobody seizes 800 servers over it.
    Closer the fall of the empire, crazier its laws are
    I'm not happy about it

    Thanked by (1)rpqu

    VPS Lisbon&Prague €3.72: 2vCores/4GB/100GB (ZFS SSD or Ceph HA) - Max.oversell 3:1, no CPU cap - Xeon Gold only -https://euronodes.com AS199053

  • AnthonySmith Administrator Hosting Provider OG Senpai

    @euronodes said:

    While at it, why don't we shut down Facebook for state sponsored meddling.
    And why don't we shut down AWS for Cambridge Analytica.
    Half the western clouds host the same Fortinet/Sonicwall scanning and phishing and C2 and nobody seizes 800 servers over it.
    Closer the fall of the empire, crazier its laws are
    I'm not happy about it

    I reckon by next year I will have to do a facial scan to use a public toilet in the UK, maybe even not a public one.

    Regulations are out of control.

    Thanked by (2)rpqu bikegremlin

    TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
    FREE tokens on sign up, try before you buy. | Join us on Reddit

  • edited May 26

    @euronodes said: I'm not happy about it

    I would usually be like that too, but not in this case. I know too much about them (6 years+) and was also a customer.
    They most definitely deserve to be arrested or sanctioned. Just like Aeza.

    Thanked by (2)tentor oloke
  • @AnthonySmith said:

    @euronodes said:

    While at it, why don't we shut down Facebook for state sponsored meddling.
    And why don't we shut down AWS for Cambridge Analytica.
    Half the western clouds host the same Fortinet/Sonicwall scanning and phishing and C2 and nobody seizes 800 servers over it.
    Closer the fall of the empire, crazier its laws are
    I'm not happy about it

    I reckon by next year I will have to do a facial scan to use a public toilet in the UK, maybe even not a public one.

    Regulations are out of control.

    Don't they smile into a camera to pay for groceries in China? It's because they are happy. And don't have much.

  • euronodes Hosting Provider
    edited May 27

    Those pesky russkie hakiery. And north koreans, don't forget koreans.
    Whole NK has single /22 subnet probably blocked on every router - and look mate how they steal those NFTs

    I wonder if any western country will train one

    VPS Lisbon&Prague €3.72: 2vCores/4GB/100GB (ZFS SSD or Ceph HA) - Max.oversell 3:1, no CPU cap - Xeon Gold only -https://euronodes.com AS199053

  • Nyr OG

    @euronodes said:
    Those pesky russkie hakiery. And north koreans, don't forget koreans.
    Whole NK has single /22 subnet probably blocked on every router - and look mate how they steal those NFTs

    It is well proven that both Russian and North Korean sponsored actors have very significant campaigns targeting Western interests. This is not a political opinion but a proven fact.

    For your information, those KP subnets you are talking about are useless for global internet access due to sanctions, and North Korean actors use Chinese uplinks to connect to the internet.

    Thanked by (3)skorous oloke tentor
  • euronodes Hosting Provider
    edited May 27

    @Nyr said: It is well proven that both Russian and North Korean sponsored actors have very significant campaigns targeting Western interests.

    I'm afraid you completely missed the point and everything between the lines

    VPS Lisbon&Prague €3.72: 2vCores/4GB/100GB (ZFS SSD or Ceph HA) - Max.oversell 3:1, no CPU cap - Xeon Gold only -https://euronodes.com AS199053

  • Nyr OG

    @euronodes said: I'm afraid you completely missed the point and everything between the lines

    Enlighten me then?

  • edited May 27

    @euronodes said:
    Those pesky russkie hakiery. And north koreans, don't forget koreans.
    Whole NK has single /22 subnet probably blocked on every router - and look mate how they steal those NFTs

    I wonder if any western country will train one

    It has nothing to do with nationality of agencies involved. PQ has been used by state-actors and has permitted these servers to stay online for much longer than they would with anyone else. They are clearly affiliated, if years of shitshow showed you anything.

    I openly supported Russian businesses before on this forum, but I'm not going to treat them any different than "western" hosts and not talk about their shady side.

    Besides PQ being involved in questionable activity, it's also an awful provider for "normal" use with 15 years old hardware and massively oversold networks with constant downtime (and that was long before any sanctions or high profile attention). I have used it for close to a year, just to get suspended over bogus abuse report.
    Another funny tactic they deploy is allowing you to order more servers after one has been suspended for what they believe to be illegal activity, I was simply told to buy another server. My account was untouched, but that particular server couldn't be unsuspended.
    It's what made it very popular for fastflux too, for criminals that weren't state affiliated.

    Thanked by (2)oloke tentor
  • euronodes Hosting Provider
    edited May 27

    @Nyr said: Enlighten me then?

    It's fine

    @treesmokah said: Another funny tactic they deploy is allowing you to order more servers after one has been suspended for what they believe to be illegal activity, I was simply told to buy another server. My account was untouched, but that particular server couldn't be unsuspended.

    I would assume that every provider is involved in questionable activity, some of them just don't know it

    Pointing everything at the russkies while our own Palantir is blessed, holy and beloved is, pardon my French, idiocy, good for a mom and pop Facebook feed, not a geeks forum.
    And if anything should be sanctioned, it's this crapware in the first place.
    Let's do mental exercise: European-made surveillance platform targeting US citizens.

    Just flip the roles and imagine the result.
    I can almost certainly guarantee that russkie propaganda would be the last thing US would be considering at this point

    The rest of the practices you described are quite frankly shocking TBH.
    But that's my whole point, criminal as it - it's not the Kremlin stealing your money and providing shitty service. People keep mixing the two

    I'm pretty sure real state hackers operate from inside of campuses, compromised banking infrastructures, municipal small datacenters where the admin is one Jose, 45 y.o. with 3 kids working 9-5 weekends off and his nephew installed Windows for him etc.
    Not from shitty hosting that everyone knows and have enough of it

    This whole seizure is a smoke and mirrors, "we do something" pure, green, organic, 100% gluten free horseshait.

    VPS Lisbon&Prague €3.72: 2vCores/4GB/100GB (ZFS SSD or Ceph HA) - Max.oversell 3:1, no CPU cap - Xeon Gold only -https://euronodes.com AS199053

  • edited May 27

    @euronodes said: I would assume that every provider is involved in questionable activity, some of them just don't know it

    Being used (as a provider) for something illicit is different than being complicit with it.

    @euronodes said: Pointing everything at the russkies while our own Palantir is blessed, holy and beloved is, pardon my French, idiocy, good for a mom and pop Facebook feed, not a geeks forum.

    I do not like Palantir either, you are trying to make it a nationality issue while it isn't. I hate them all

    @euronodes said: I can almost certainly guarantee that russkie propaganda would be the last thing US would be considering at this point

    Nothing to do with propaganda, active exploitation of Govt and corporation servers is. And the insane amount of abuse coming from that hosting provider.
    I do not rely on mainstream media reports on this provider, I'm aware of what is going on having followed their activity for years.

    @euronodes said: I'm pretty sure real state hackers operate from inside of campuses, compromised banking infrastructures, municipal small datacenters where the admin is one Jose, 45 y.o. with 3 kids working 9-5 weekends off and his nephew installed Windows for him etc.
    Not from shitty hosting that everyone knows and have enough of it

    How else can they have 1k+ /24's all with different geoip and physical location behind a "legitimate" looking shell? It's how many PQ had at its peak. Residential proxies wouldn't be viable for the kind of bandwidth they need, nor stable considering abuse reports.
    They can have all the hardware they want, but it's hard to stay unnoticed if you need a lot of IPs, bandwidth and engage in high profile activity.

    Not to mention that operator of PQ is a seasoned criminal who previously ran porn sites (with allegations of CSAM) among other things.

    Thanked by (3)Nyr oloke tentor
  • @euronodes said:

    @Nyr said: It is well proven that both Russian and North Korean sponsored actors have very significant campaigns targeting Western interests.

    I'm afraid you completely missed the point and everything between the lines

    The point is that you're just a whataboutist russophile.

    so say we all

  • PQ/THE.hosting announced they are shutting down. I suspect they will rename again, but we'll see.
    https://the.hosting/en/news/notice-of-service-discontinuation-and-account-closure (archive)

    Dear Customer,

    We are writing to inform you that due to unforeseen and unavoidable force majeure circumstances, The.Hosting is forced to permanently discontinue all its operational services and wind down its activities.

    As a result, our platform, support channels, and all associated services will be closed in the coming days.

    What this means for you:

    • New Orders & Renewals: All active forms of registration, ordering, and renewals have been disabled. No new services can be purchased.

    • Data & Accounts: If you have any active data, configurations, or account details stored within our systems, we urgently advise you to retrieve and back up your information immediately.

    • Final Termination: Once the wind-down process is completed, all accounts and data will be permanently deleted from our systems.

    We deeply regret that we are forced to take this step and understand the inconvenience this causes. We want to thank you sincerely for your partnership and trust in The.Hosting over the past period.

    Sincerely,

    The Management of The.Hosting

    Current status of announced prefixes on AS209847

    Thanked by (1)Gumbus