An IT company founded in the Republic of Moldova had server infrastructure in over 40 countries around the world, served more than 150,000 active customers, and managed a pool of over 400,000 IP addresses. Despite this, the company was effectively pushed out of the European market by competitors following a chain of events that raises serious questions: from cyber-attacks to a coordinated media campaign and, ultimately, international commercial isolation.
We are talking about PQ HOSTING, a company founded in 2019 by Moldovan entrepreneur Ivan Neculita which in a short time came to provide hosting services for an international server solutions provider and manage an extensive infrastructure, characteristic of the major players in the global hosting industry.
Technical attacks: terabit traffic
It should be noted that, according to BBC publications, the large-scale “hacker war between Ukraine and Russia” began much earlier, and in various episodes, the attackers used the infrastructure of several hosting providers for their own purposes.
“The attacks reached peaks of up to 2 Tbit/s — we are talking about hundreds of gigabits per second, not tens. Based on the characteristics of the traffic, they appeared to be generated globally and were directed directly at the networks of our customers in the EU and the Republic of Moldova”, said Ivan Neculita.
Such volumes are characteristic of coordinated operations, not isolated attacks. Official documents from the Cybersecurity Agency confirm that DDoS attacks of this magnitude are usually associated with internationally distributed infrastructures, and the large number of requests to hosting providers does not automatically indicate their involvement in illegal activities.
It is also worth noting that, in the context of Operation Doppelgänger, referred to in some publications, the investigation conducted by Insikt Group (Recorded Future) directly shows that the infrastructure of this campaign used server resources from a large number of international hosting providers, including Amazon Technologies, Inc., Namecheap, Inc., and firstcolo GmbH. Thus, the report confirms the systemic nature of the use of hosting infrastructure rented by third parties. The presence of a particular provider’s IP addresses or servers in such operations does not indicate their involvement or knowledge but reflects a practice typical of the modern internet ecosystem, where malicious actors frequently use short-term rented VPSs and distributed infrastructures.
From technical attack to public discrediting
The temporary service outages were followed by a second, much more dangerous wave—a coordinated media campaign. Initially appearing in the European and US press, it was later picked up by portals in the CIS countries, which began accusing the company and its partners of “supporting Russian propaganda”.
“It’s a classic scenario: a technical attack, then a reputational attack, and finally pressure on partners and authorities. We see exactly the same pattern in contemporary geopolitical conflicts”,says Neculita.
Industry sources confirm that the hosting market in Eastern Europe is extremely competitive and unfair methods are no exception. DDoS attacks are sometimes used as an economic tool to destabilize inconvenient competitors without leaving any direct traces.
In 2024, the Republic of Moldova became the target of cyber-attacks on government online resources, including through the creation of phishing copies of official websites and the use of other similar methods. The infrastructure of several large hosting providers was used in these attacks, including M247 Europe SRL, one of the leading European operators with global coverage and a business model comparable to that of other international players on the market.
What state institutions say
Official responses from the National Investigation Inspectorate show that between 2023 and 2025, the institution sent 412 requests to hosting providers in the Republic of Moldova, most of which came from foreign authorities. At the same time, the INI explicitly states that the large number of requests does not automatically mean that the company is guilty, but often reflects the size of the infrastructure and the number of customers.
For its part, the Cybersecurity Agency mentions that it has not received any official notifications regarding DDoS attacks on private companies, but emphasizes that responsibility for customer content does not lie with the hosting provider in the absence of a clear legal notification.
What the technical expertise says
An independent legal and technical opinion prepared by MikroTik expert Vadim Skornici shows that hosting providers do not have the legal right to preventively monitor customer content in accordance with the GDPR and EU legislation. Moreover, modern infrastructure (HTTPS, VPN, encryption) makes it impossible to analyze content without breaking the law.
According to Skornici, the contemporary internet operates almost entirely on the basis of end-to-end encryption: protocols such as HTTPS, the widespread use of VPNs, traffic tunneling and other forms of encryption mean that hosting providers can only see technical metadata (traffic volume, IP addresses, ports), not the actual content of communications.
“The infrastructure provider cannot read what its customers are doing without breaking or bypassing the encryption. Any attempt of this kind would constitute either illegal interception or the implementation of surveillance mechanisms incompatible with European law”, notes the expert. In practice, providers can detect traffic anomalies or obvious breaches of contractual conditions (e.g., excessive resource consumption), but they cannot determine the nature of the content or the exact purpose of the activity without the intervention of the competent authorities, Skornici emphasized.
An expert from the European Union specializing in cybersecurity, quoted in a separate technical-legal report attached to the journalistic investigation, notes that automatically associating an IP address with illegal activities is a common mistake that ignores how modern internet infrastructure and hosting services actually work.
The expert explains that in modern network architecture, IP addresses are reusable technical resources, dynamically allocated and used simultaneously or successively by thousands of different customers, especially in the case of large VPS and dedicated server providers. Therefore, the presence of an IP address in a security report or preliminary investigation does not prove the provider’s control, intent, or complicity, but only indicates that its infrastructure has been used by a third party.
The report emphasizes that, according to EU practice and European case law, hosting providers have neither the right nor the obligation to carry out preventive monitoring of customer traffic or content, as such monitoring would violate data protection, communications privacy, and trade secret laws. Any proactive intervention without a legal basis may expose the provider to serious penalties.
In this context, the only legally recognized mechanism is the “notice-and-takedown” principle: the provider can and is obliged to act only after receiving an official notification from a competent authority or on the basis of a court decision. Only then must the infrastructure operator verify the specific case and apply proportionate measures, such as suspending the service or restricting access, without affecting other bona fide customers.
The expert warns that transferring criminal or reputational liability to providers solely on the basis of superficial technical correlations (IP address, ASN, traffic) sets a dangerous precedent. “If such a standard is adopted, no hosting provider in the EU will be able to operate safely, as its infrastructure can be used at any time by third parties, including state actors or criminal groups, without its knowledge”, the report says.
This position is fully in line with the conclusions of several European courts, which have established that infrastructure neutrality is a key principle of the digital economy. Hosting providers cannot be turned into investigative bodies and cannot be held liable for the actions of their customers in the absence of clear evidence of direct involvement or refusal to cooperate after an official notification.
The conclusion of the European Union expert is unequivocal: the appearance of IP addresses in an investigation does not constitute evidence of complicity, and any restrictive measures applied to providers outside the procedure provided by law risk being not only disproportionate but also contrary to European law.
A pattern known beyond Moldova
The PQ HOSTING case is not an isolated one. A similar pattern has been documented repeatedly in the European Union, particularly in the hosting and IT infrastructure markets, where competition is extremely fierce and the commercial stakes are high. Technical investigations carried out by companies specializing in mapping internet infrastructure show that large-scale DDoS attacks are often only the first stage in a more complex process of eliminating an inconvenient provider.
It is essential that the Censys report describes attacks launched from servers belonging to a wide variety of hosting providers, including leading international companies. The French hosting giant OVH is explicitly mentioned, as well as an entire data center in Switzerland, whose infrastructure was also found to be involved in malicious activity.
Thus, the report demonstrates that the existence of attack traffic originating from a hosting provider’s servers is not evidence of its involvement or complicity, but reflects a systemic vulnerability in open hosting infrastructure, exploited by malicious actors globally.
According to the analysis, DDoSia uses a volatile, globally distributed infrastructure consisting of short-term rented VPS servers with an average lifespan of only 2–3 days. Such an architecture is specifically designed to make it difficult to attribute attacks and to allow the infrastructure to be quickly moved from one jurisdiction to another.
The report shows that such attacks not only target state institutions or government targets, but also frequently affect private hosting providers, whose networks are intentionally overloaded. The direct consequences are not only the temporary unavailability of services, but also the triggering of a chain of suspicions: loss of customers, suspension of cooperation from partners, and, subsequently, the emergence of public narratives suggesting complicity or negligence.
In a number of European countries, this mechanism has been followed by media smear campaigns, in which hosting providers have been associated with the illegal activities of individual customers, without a clear distinction between neutral infrastructure and hosted content. Western cybersecurity experts are drawing attention to this phenomenon, warning that the mere presence of IP addresses in an incident is not equivalent to the guilt of the network operator.
In some of these cases, European courts subsequently intervened, ruling that the restrictive measures imposed on providers were disproportionate and that liability had been wrongly attributed. The judges emphasized that, in the absence of official notifications and concrete evidence, hosting providers cannot be required to carry out preventive monitoring of traffic or content, as such a practice would violate European legislation on data protection and confidentiality of communications.
The Censys analysis also highlights another key element of this pattern: the use of attacks as an economic tool, not just a political one. When a provider becomes large enough to attract customers from Western European or North American markets, it can become a target for competitors who resort to indirect methods to eliminate it, avoiding open commercial competition.
In this context, the PQ HOSTING case fits into a pattern already familiar at the European level: a large-scale technical attack, followed by reputational damage and, ultimately, commercial isolation. The difference is that, in the case of the Republic of Moldova, the institutional and legal protection mechanisms are more fragile, and a local company entering the global market can quickly become vulnerable to such hybrid attacks. Preliminary outcome: the European Court.