Briefing on the Bulletproof Hosting Ecosystem

Executive Summary

Bulletproof Hosting (BPH) providers represent a foundational pillar of the modern cybercrime ecosystem, offering resilient infrastructure services deliberately designed to shield malicious actors from legal and technical disruption. These providers ignore abuse complaints and law enforcement requests, creating safe havens for criminal operations such as ransomware, phishing, malware distribution, and illegal marketplaces. The BPH market has experienced a recent renaissance, marked by a global surge in providers, the evolution of sophisticated tactics like "Infrastructure Laundering" and the use of complex corporate structures for plausible deniability, and the rise of "Bulletproof Registrars" that create procedural roadblocks to takedowns.

In response, international law enforcement has launched an unprecedented counter-offensive. Coordinated actions like Operation Endgame have dismantled major BPH providers such as CrazyRDP, seizing 1,025 servers in that action (more than 1,425 across the operation to date) and disrupting malware families including Rhadamanthys, VenomRAT, and Elysium. Concurrently, government sanctions, led by the U.S. Treasury and in several cases joined by the U.K. and Australia, are targeting the financial and corporate networks of providers like Media Land LLC and Aeza Group, many of which operate from Russia, a jurisdiction described as a safe haven for such activities.

Despite these successes, the BPH industry remains resilient, adapting through rapid rebranding, IP address hopping, and the abuse of legitimate cloud and CDN services. The strategic response is shifting towards disrupting the entire BPH business model through enhanced public-private partnerships, stricter "Know Your Customer" protocols for infrastructure providers, and the widespread sharing of actionable threat intelligence. For defenders, this landscape necessitates a proactive strategy of continuous monitoring, robust network filtering using both IP and ASN-based blocklists, and a defense-in-depth approach that assumes adversaries will continually seek out and establish new operational infrastructure.

1. Understanding Bulletproof Hosting (BPH)

1.1. Definition and Core Characteristics

A Bulletproof Hosting (BPH) provider is an internet hosting service that deliberately ignores, resists, or fails to respond to legitimate abuse reports and law enforcement takedown requests. The term was first used in 2006 in relation to the "Russian Business Network." BPH providers create environments where threat actors can operate with impunity.

Core Characteristics:

  • Permissive Policies: A hands-off approach to hosted content and a willingness to host services designed to shield clients from disruption.
  • Resistance to Takedowns: Actively ignoring or delaying responses to abuse complaints and legal requests. Many advertise services as "Offshore DMCA Ignored Hosting" to signal tolerance for illegal content.
  • Anonymity: Advertising and providing complete anonymity and protection from authorities.
  • Cryptocurrency Payments: Universally accepting cryptocurrency to obscure financial trails and client identities. Silent Push notes it has never found a BPH that did not accept cryptocurrency.
  • Infrastructure Resilience: Offering rapid infrastructure replacement when services are disrupted and employing technical obfuscation methods.
1.2. The Role of BPH in the Cybercrime-as-a-Service Ecosystem

BPH is the backbone of the modern cybercrime-as-a-service model, providing the stable infrastructure necessary for a wide range of malicious activities.

Key Criminal Uses:

  • Ransomware Operations: Hosting command-and-control (C2) servers, data exfiltration endpoints, data leak sites, negotiation portals, and payment infrastructure.
  • Malware Distribution: Serving as resilient platforms for hosting malware payloads, droppers (e.g., IcedID, SystemBC, Pikabot), and infostealers (e.g., Rhadamanthys, Lumma).
  • Phishing Infrastructure: Hosting spoofed websites and credential harvesting pages that can remain online longer.
  • Botnets and DDoS Attacks: Providing C2 infrastructure for botnets like Elysium used for Distributed Denial-of-Service (DDoS) attacks and other coordinated campaigns.
  • Illegal Marketplaces: Hosting platforms for drug trafficking, stolen data sales, and Child Sexual Abuse Material (CSAM).

1.3. Technical Operations and Evasion Techniques

BPH providers leverage the internet's core architecture and have developed specialized techniques to maintain operations and evade detection.

Methods of Operation:

  • Autonomous System Number (ASN) Acquisition: BPH operators often acquire their own ASNs, granting them full control over their IP routing prefixes and traffic flow. This allows them to sustain operations even when parts of their infrastructure are targeted.
  • Fast-Flux DNS: Constantly and rapidly rotating IP addresses and domain names associated with a single domain to evade static blocklists and detection.
  • IP Space Migration ("IP Broker Hopping"): Quickly moving operations to new IP ranges when a network is blacklisted. They may rent IP space from legitimate providers or other BPHs, creating a complex web of dependencies.
  • Distributed Infrastructure: Spreading servers across multiple jurisdictions to complicate legal action and enforcement.
  • Proxy and Gateway Layers: Routing malicious traffic through ever-shifting intermediary reverse proxy servers to obscure the true origin of the malicious infrastructure.
  • Abuse of Legitimate Services: A growing trend involves moving domains behind major Content Delivery Networks (CDNs) like Cloudflare, abusing "too big to block" infrastructure. One Malaysia-based ISP was documented advising criminal clients to use Cloudflare to shield their networks.
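
Several of the techniques above (fast-flux rotation, IP-space hopping, shifting proxy layers) leave a measurable footprint in passive DNS: many distinct addresses and ASNs behind one name, with very short TTLs. The following is an added example, not part of the original briefing and not any vendor's tooling, that scores domains from a set of resolution observations. The observations, the `.invalid` domain names, the private-use ASNs and the thresholds are all constructed assumptions; an IP-to-ASN lookup is assumed to have been applied already.

```python
"""Flag fast-flux style domains from DNS resolution observations.

Added example; the observations below are constructed, not real telemetry.
An IP-to-ASN mapping (e.g., from a local routing table dump) is assumed
to have been applied already, so each observation carries its ASN.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions chosen for illustration; tune them against
# your own baseline of legitimate CDN/anycast domains before deploying.
MIN_UNIQUE_IPS = 5      # distinct A records seen over the window
MIN_UNIQUE_ASNS = 3     # CDNs usually stay within one or two ASNs
MAX_MEAN_TTL = 300      # seconds; flux domains keep TTLs very short


@dataclass(frozen=True)
class Observation:
    domain: str
    ip: str
    ttl: int
    asn: int


# Constructed sample data. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges; ASNs 64512-65534 are private-use.
OBSERVATIONS = [
    # A flux domain: a new IP and ASN almost every lookup, 60-180 s TTLs.
    Observation("c2-rotate.invalid", "192.0.2.10", 60, 64512),
    Observation("c2-rotate.invalid", "198.51.100.7", 120, 64513),
    Observation("c2-rotate.invalid", "203.0.113.45", 60, 64514),
    Observation("c2-rotate.invalid", "192.0.2.88", 180, 64515),
    Observation("c2-rotate.invalid", "198.51.100.200", 60, 64512),
    Observation("c2-rotate.invalid", "203.0.113.9", 120, 64516),
    Observation("c2-rotate.invalid", "192.0.2.131", 60, 64517),
    Observation("c2-rotate.invalid", "198.51.100.33", 60, 64513),
    # A CDN-fronted site: two stable addresses in one ASN, long TTLs.
    Observation("shop.cdn-fronted.invalid", "203.0.113.100", 3600, 64520),
    Observation("shop.cdn-fronted.invalid", "203.0.113.101", 3600, 64520),
    Observation("shop.cdn-fronted.invalid", "203.0.113.100", 3600, 64520),
    Observation("shop.cdn-fronted.invalid", "203.0.113.101", 3600, 64520),
]


def summarize(observations):
    """Per-domain statistics: unique IPs, unique ASNs, mean TTL, churn."""
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    summary = {}
    for domain, rows in by_domain.items():
        # Churn: fraction of consecutive lookups that returned a different IP.
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a.ip != b.ip)
        churn = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        summary[domain] = {
            "unique_ips": len({r.ip for r in rows}),
            "unique_asns": len({r.asn for r in rows}),
            "mean_ttl": sum(r.ttl for r in rows) / len(rows),
            "churn": churn,
        }
    return summary


def is_fast_flux(stats):
    """All three signals must agree; any one alone is common for CDNs."""
    return (
        stats["unique_ips"] >= MIN_UNIQUE_IPS
        and stats["unique_asns"] >= MIN_UNIQUE_ASNS
        and stats["mean_ttl"] <= MAX_MEAN_TTL
    )


def flagged_domains(observations):
    """Return the sorted list of domains that look like fast-flux."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        print(f"{domain}: {stats} -> {'FLUX' if is_fast_flux(stats) else 'ok'}")
```

Note that the CDN-fronted domain also shows a churn of 1.0, because round-robin answers alternate between its two addresses; that is why the verdict requires unique IPs, unique ASNs and TTL to agree rather than relying on any single signal.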

2. The Evolution and Tactics of BPH Providers

The BPH industry has matured from brazen, monolithic entities to sophisticated, corporatized networks that exploit legal and technical loopholes.

2.1. From Physical Bunkers to Corporate Camouflage

Early BPH providers like McColo (shut down in 2008) and CyberBunker (operated from a decommissioned NATO bunker until its 2019 takedown) were relatively centralized. The modern BPH model, particularly in Western jurisdictions, has shifted to a "separation of liabilities" model.

This involves:

  • Reseller Schemes: Concealing BPH services behind lower-end, legitimate-seeming hosting providers.
  • Shell Corporations: Using shell companies registered in jurisdictions with minimal oversight (e.g., Wyoming, Delaware, Panama, UK, USA) to create "firewalls of plausible deniability."
  • Compartmentalization: Separating datacenter ownership, server rental, and virtual machine management across different business entities to frustrate investigations.

The case of Media Land LLC exemplifies this, operating with a complex structure including subsidiaries like Media Land Technology and Data Center Kirishi, all managed by key executives with specific roles in operations, finance, and legal affairs.

2.2. Emerging BPH-like Tactics

Threat actors are continually developing new methods that mimic the resilience of traditional BPH.

  • Infrastructure Laundering: A practice where threat actors use illicitly acquired cloud hosting accounts ("account mules") from mainstream providers like Microsoft and Amazon. They map IPs from this legitimate US-based infrastructure to their criminal client websites, making them appear less suspicious and load faster for US victims. The Philippines-based service FUNNULL was sanctioned by the U.S. Treasury in May 2025 for facilitating this scheme.
  • Dynamic DNS (DDNS) Providers: Services that rent subdomains (e.g., afraid[.]org) create BPH-like networks. They are heavily used by advanced threat actors (APT28, APT29, TA406, Scattered Spider) for C2 communications, but many lack clear abuse reporting mechanisms or effective enforcement.
  • Bulletproof Registrars: Domain registrars with policies that create significant barriers to takedowns. NiceNIC, headquartered in Hong Kong, is a primary example. It requires a "Power of Attorney" (POA) over a brand to submit an abuse takedown request, a provision that makes it nearly impossible for defenders to take down sites impersonating multiple brands at scale.

3. Law Enforcement Counter-Offensive

A recent surge in coordinated international law enforcement actions and government sanctions indicates a strategic shift towards dismantling the BPH ecosystem.

3.1. Operation Endgame: A Case Study in Coordinated Takedowns

Operation Endgame is described as the largest international effort ever to combat ransomware and cybercrime, focusing on disrupting the entire criminal business model. Coordinated by Europol and Eurojust, it involves a coalition of 11 nations and over 30 private sector partners.

Phases of Operation Endgame:

  • Phase 1 (May 2024): Targeted malware droppers (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee). Seized over 100 servers and made 4 arrests.
  • Phase 2 (May 2025): Dismantled 300 servers and 650 domains. Targeted Bumblebee, Qakbot, Trickbot, and others. Issued 20 international arrest warrants.
  • Phase 3 (Nov 2025): Dismantled the CrazyRDP BPH provider. Seized 1,025 servers and 20 domains. Targeted Rhadamanthys, VenomRAT, and Elysium. The main VenomRAT suspect was arrested in Greece with access to over 100,000 crypto wallets.

Cumulative Impact of Operation Endgame:

  • Servers Seized: Over 1,425
  • Domains Neutralized: Over 670
  • Infected Computers Identified: Over 600,000
  • Malware Disrupted: Rhadamanthys infostealer (responsible for 86.2 million "information stealing events"), VenomRAT, and Elysium botnet.

3.2. Government Sanctions and Key Targeted Providers

Governments, led by the U.S. Treasury's Office of Foreign Assets Control (OFAC), are increasingly using financial sanctions to disrupt BPH operations.

Sanctions and indictments by provider:

  • FUNNULL (May 2025): Philippines-based Infrastructure Laundering service sanctioned by the U.S. Treasury for providing infrastructure to scams that defrauded U.S. consumers of over $200 million.
  • Aeza Group (July 2025): Russian BPH provider sanctioned by the U.S. Treasury for supporting ransomware groups. It later demonstrated the industry's resilience by rebranding through front companies (Hypercore Ltd. in the UK, and entities in Serbia and Uzbekistan).
  • Zservers (Xhost) (Feb 2025): Russian BPH provider sanctioned by the U.S., U.K., and Australia; Dutch police seized 127 servers.
  • LolekHosted (Aug 2023): Administrator indicted by the U.S. DOJ after the service operated for nearly a decade and hosted NetWalker ransomware instances.
  • Media Land LLC (Nov 2025): Russian BPH provider (run by Alexander Volosovik, alias "Yalishanda") sanctioned by the U.S., U.K., and Australia for supporting LockBit, BlackSuit, and Play ransomware.
  • Stark Industries (May 2025): Web host sanctioned by the Council of the EU for enabling Russian state-sponsored cyber-attacks.

3.3. Challenges and the Role of Russia as a Safe Haven

Despite successes, enforcement faces significant hurdles, including jurisdictional complexity and the challenge of proving criminal liability. A prominent pattern is the operation of many BPH providers from Russia. A U.S. Treasury announcement noted that "Putin has turned Russia into a safe haven for these malicious cyber criminals, cultivating a dark criminal ecosystem with deep ties to the Kremlin." This is further illustrated by connections between Evil Corp, LockBit affiliate Aleksandr Ryzhenkov, and former high-ranking FSB officials.

4. Profiles of BPH Infrastructure

Analysis of specific BPH providers and their associated Autonomous Systems reveals common red flags and patterns of malicious activity.

4.1. Self-Declared and Vetted BPH Providers

Provider profiles (ASN, location, key characteristics and marketing claims):

  • AlexHost (AS200019, Moldova): Operating since 2008. Openly advertises "Offshore DMCA Ignored Hosting." Hosts numerous sites that flout copyright laws.
  • Abolly Web Solutions (no ASN of its own; operates on leased space): Boasts on Facebook of being a "100% anonymous and DMCA ignored Offshore server." Its clients' NS records resolve to a single IP on Hetzner's network.
  • Phanes Networks (AS49042, Netherlands): Explicitly lists "Bulletproof VPS" and states "No need to worry about DMCA Complaints now." Spamhaus recommends blocking this ASN.
  • Shinjiru (AS45839, Malaysia): Operating since 2000. Customer support confirmed "We operate under the DMCA ignored policy." Has a documented 12-day abuse desk response time and a 10-day grace period for abuse complaints. Hosts phishing pages and investment scams.

4.2. Actionable Intelligence on High-Risk ASNs

Silent Push analysis identified numerous ASNs with consistent red flags, primarily used for hosting DGA-generated domains and various scams.

High-risk ASNs and their red flags:

  • AS152194 (CTGSERVERLIMITED-AS-AP): Heavy DGA usage; Spamhaus blocklisted; 24-day abuse response time.
  • AS214351 (FEMOIT, GB): Unknown website; disposable ProtonMail abuse contact; Spamhaus blocklisted; 26-day abuse response time.
  • AS213194 (NECHAEVDS-AS, RU): Unknown website; disposable TutaMail abuse contact; low IP density; heavy DGA usage.
  • AS48589 (SOW-A-AS, UA, "Tiger Net"): Unknown website; Gmail abuse contact; low IP density; heavy DGA usage; Spamhaus blocklisted.
  • AS49217 (HOSTYPE, US): Wyoming shell company registration; Gmail abuse contact; low IP density; Spamhaus blocklisted.
  • AS140224 (SGPL-AS-AP STARCLOUD GLOBAL): Suspicious residential address (Colorado); phone number shared with other suspicious sites; hosts "Triad Nexus" threat actor infrastructure.

5. Defense Strategies and Recommendations

The fight against BPH requires a multi-faceted approach combining advanced threat intelligence, robust technical defenses, and industry-wide policy changes.

5.1. BPH Identification Methodologies

Silent Push analysts employ a multi-stage review process to identify BPH infrastructure:

  • Tracking Infrastructure Shifts: Using Indicators of Future Attack™ (IOFA™) to detect threat actors relocating infrastructure to new ASNs and providers.
  • Analyzing IP Density and Peering: BPHs often have few IP addresses and limited peering relationships due to their illicit activities.
  • Identifying Suspicious WHOIS Records: Use of disposable or free email addresses (Gmail, Proton Mail) for abuse contacts is a major red flag.
  • Exposing Corporate Registration Loopholes: Identifying BPHs incorporated in jurisdictions with minimal oversight.
  • Correlating with DGAs: BPHs frequently service clients that use Domain Generation Algorithms (DGAs).
  • Cross-Referencing with Industry Lists: Using trusted resources like the Spamhaus DROP list as an initial data point, while recognizing its scope may not cover all types of scams (e.g., phishing and financial fraud).
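
The red flags listed for the ASNs in section 4.2 and the review steps above can be turned into a repeatable scoring routine, so that a new ASN appearing in your telemetry is vetted the same way every time. The following is an added example, not part of the briefing and not Silent Push's methodology; the ASN profiles are constructed (private-use ASNs), the field values are invented, and every threshold is an assumption to be tuned against your own data.

```python
"""Score an ASN against the red flags used to vet BPH candidates.

Added example. The records are constructed (private-use ASNs 64512+),
and every threshold below is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Abuse contacts on free or disposable mailboxes rather than a corporate domain.
FREEMAIL_DOMAINS = {
    "gmail.com", "protonmail.com", "proton.me", "pm.me",
    "tutanota.com", "tutamail.com", "tuta.io", "tuta.com",
}
# Incorporation venues the briefing cites as offering minimal oversight.
LOW_OVERSIGHT_JURISDICTIONS = {"wyoming", "delaware", "panama"}

# Assumed cut-offs: an operator announcing fewer than a /21 of address
# space, with a fifth of its hosted domains looking algorithmically
# generated, or taking more than a week to answer abuse mail.
LOW_IP_DENSITY = 2048
HEAVY_DGA_SHARE = 0.20
SLOW_ABUSE_DAYS = 7


@dataclass
class AsnProfile:
    asn: int
    name: str
    abuse_contact: str
    announced_ips: int
    dga_domain_share: float               # 0.0-1.0, from your own DGA classifier
    on_spamhaus_drop: bool
    abuse_response_days: Optional[float]  # None if never answered/measured
    has_public_website: bool = True
    registration_jurisdiction: str = ""
    peer_count: int = 10                  # BGP neighbours, from routing data


def red_flags(p: AsnProfile) -> list[str]:
    """Return the list of red-flag names that apply to the profile."""
    flags = []
    contact_domain = p.abuse_contact.rsplit("@", 1)[-1].lower()
    if contact_domain in FREEMAIL_DOMAINS:
        flags.append("freemail_abuse_contact")
    if not p.has_public_website:
        flags.append("no_public_website")
    if p.announced_ips < LOW_IP_DENSITY:
        flags.append("low_ip_density")
    if p.peer_count <= 2:
        flags.append("minimal_peering")
    if p.dga_domain_share >= HEAVY_DGA_SHARE:
        flags.append("heavy_dga")
    if p.on_spamhaus_drop:
        flags.append("spamhaus_drop")
    if p.abuse_response_days is None or p.abuse_response_days > SLOW_ABUSE_DAYS:
        flags.append("slow_or_absent_abuse_desk")
    if p.registration_jurisdiction.lower() in LOW_OVERSIGHT_JURISDICTIONS:
        flags.append("low_oversight_jurisdiction")
    return flags


def risk_tier(p: AsnProfile) -> str:
    """Coarse tiering; a DROP listing alone is enough to block outright."""
    n = len(red_flags(p))
    if p.on_spamhaus_drop or n >= 4:
        return "block"
    if n >= 2:
        return "review"
    return "low"


# Constructed profiles, not real operators.
SAMPLES = [
    AsnProfile(64512, "EXAMPLE-SHELLHOST", "abuse.shellhost@gmail.com", 512,
               0.45, False, 26.0, has_public_website=False,
               registration_jurisdiction="Wyoming", peer_count=1),
    AsnProfile(64513, "EXAMPLE-SMALLISP", "abuse@smallisp.example", 1024,
               0.02, False, 3.0, peer_count=4),
    AsnProfile(64514, "EXAMPLE-LISTED", "noc@listed.example", 65536,
               0.05, True, 1.0, peer_count=12),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"AS{p.asn} {p.name}: {risk_tier(p)} {red_flags(p)}")
```

The second sample shows why a single flag should not be decisive: a small regional ISP with little address space looks identical on that one axis to a BPH, and only the combination (free-mail abuse contact, no website, shell jurisdiction, DGA-heavy hosting) separates the two. The DROP listing is the one input treated as sufficient on its own, matching the way the briefing recommends using it as an initial data point.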

5.2. Official Guidance and Industry Best Practices

In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released guidance on mitigating BPH risks, encouraging a proactive stance from infrastructure providers.

Key CISA Recommendations:

  • Enhanced Customer Vetting: ISPs should implement stricter "Know Your Customer" protocols, verifying identity and banking details.
  • Traffic Analysis: Monitor network traffic to identify suspicious hosting patterns.
  • ASN-Based Blocking: Deploy blocklists based on Autonomous Systems to preemptively block criminal operations that rapidly cycle through IP addresses.
  • Outbound Traffic Filtering: Restrict and monitor outgoing traffic to prevent communication with malicious destinations.
  • Rapid Response: Establish standards for blocking malicious IP ranges for up to 90 days.
  • Industry Standards: Create sector-wide codes of conduct for responding to abuse reports.

5.3. Recommendations for Organizations

  • Monitor for BPH Indicators: Use threat intelligence feeds to watch for connections to known BPH IP ranges, domains, and ASNs.
  • Implement Layered Network Filtering: Deploy both IP-based and ASN-based blocklists at the network perimeter. Additionally, use domain-based blocklists (like Spamhaus DBL) to counter BPH abuse of trusted CDN services.
  • Track Sanctions Lists: Monitor OFAC and other international sanctions to ensure no business is conducted with designated entities.
  • Adopt an Assume Breach Mentality: Implement a defense-in-depth security posture, recognizing the persistent and adaptive nature of the BPH threat.
  • Report Suspicious Activity: Share indicators of compromise with industry partners and information sharing organizations to contribute to the collective defense.
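
The layered filtering recommended in 5.2 and 5.3 (an IP-range list such as Spamhaus DROP alongside ASN-based blocks) comes down to two mechanical steps: parsing the lists into prefixes, and checking connection logs and firewall sets against them. The following is an added example, not from the briefing, CISA or Spamhaus. The DROP-format text, the ASN-to-prefix map and the log lines are constructed; a real deployment would fetch the current DROP list and derive an ASN's prefixes from BGP routing data, and the nftables set names are assumptions.

```python
"""Match connection-log destinations against IP and ASN blocklists.

Added example, not from the briefing or from CISA/Spamhaus. The DROP-style
list, the ASN-to-prefix map and the log lines are all constructed; a real
deployment would fetch the Spamhaus DROP list and derive ASN prefixes from
BGP routing data.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed text in the Spamhaus DROP file layout: ';' starts a comment,
# entries are "<CIDR> ; <SBL reference>". Addresses are documentation ranges.
DROP_TEXT = """\
; Spamhaus DROP List (constructed sample, not the real list)
; https://www.spamhaus.org/drop/drop.txt
203.0.113.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
"""

# Constructed ASN -> announced prefixes, as you would derive from a routing
# table dump or an IP-to-ASN API for ASNs you have decided to block.
BLOCKED_ASN_PREFIXES = {
    64512: ["192.0.2.0/25", "2001:db8:1::/48"],
    64513: ["192.0.2.192/26"],
}

# Constructed firewall/proxy log lines.
LOG_LINES = [
    "2025-11-20T10:01:02Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2025-11-20T10:01:07Z src=10.0.0.9 dst=192.0.2.77 dport=8080 action=allow",
    "2025-11-20T10:01:09Z src=10.0.0.9 dst=192.0.2.130 dport=443 action=allow",
    "2025-11-20T10:01:15Z src=10.0.0.12 dst=198.51.100.5 dport=443 action=allow",
    "2025-11-20T10:02:00Z src=10.0.0.12 dst=2001:db8:1::beef dport=443 action=allow",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_drop(text):
    """Return {network: sbl_reference} from DROP-format text.

    strict=True makes a malformed entry (host bits set) raise rather than
    silently widen or narrow the block."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(";", 1)  # everything after ';' is comment/reference
        cidr = parts[0].strip()
        if not cidr:
            continue
        ref = parts[1].strip() if len(parts) > 1 else ""
        entries[ip_network(cidr, strict=True)] = ref
    return entries


def build_rules(drop_entries, asn_prefixes):
    """Flatten both sources into (network, reason) pairs."""
    rules = [(net, f"spamhaus-drop {ref}") for net, ref in drop_entries.items()]
    for asn, prefixes in asn_prefixes.items():
        rules.extend((ip_network(p), f"blocked-asn AS{asn}") for p in prefixes)
    return rules


def match_reason(dst, rules):
    """First matching reason for a destination address, else None."""
    addr = ip_address(dst)
    for net, reason in rules:
        if addr.version == net.version and addr in net:
            return reason
    return None


def scan_log(lines, rules):
    """Return [(timestamp, src, dst, reason)] for lines hitting a blocked range."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = match_reason(m["dst"], rules)
        if reason:
            hits.append((m["ts"], m["src"], m["dst"], reason))
    return hits


def nft_set_elements(rules):
    """Render the blocked networks as nft 'add element' lines. The sets
    (inet filter bph_v4 / bph_v6) are assumed to exist with flags interval."""
    v4 = sorted(str(n) for n, _ in rules if n.version == 4)
    v6 = sorted(str(n) for n, _ in rules if n.version == 6)
    out = []
    if v4:
        out.append("add element inet filter bph_v4 { " + ", ".join(v4) + " }")
    if v6:
        out.append("add element inet filter bph_v6 { " + ", ".join(v6) + " }")
    return out


if __name__ == "__main__":
    rules = build_rules(parse_drop(DROP_TEXT), BLOCKED_ASN_PREFIXES)
    for hit in scan_log(LOG_LINES, rules):
        print("HIT", *hit)
    print("\n".join(nft_set_elements(rules)))
```

Two of the five log lines deliberately land just outside a blocked prefix (192.0.2.130 sits between AS64512's /25 and AS64513's /26, and 198.51.100.5 is below the DROP /25), which is the kind of boundary a hand-maintained list gets wrong. The linear scan is fine for a few thousand prefixes; for full DROP plus many ASNs, load the same (network, reason) pairs into a radix tree or let the nftables interval set do the matching.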
