Executive Summary
Bulletproof Hosting (BPH) providers represent a foundational pillar of the modern cybercrime ecosystem, offering resilient infrastructure services deliberately designed to shield malicious actors from legal and technical disruption. These providers ignore abuse complaints and law enforcement requests, creating safe havens for criminal operations such as ransomware, phishing, malware distribution, and illegal marketplaces. The BPH market has experienced a recent renaissance, marked by a global surge in providers, the evolution of sophisticated tactics like "Infrastructure Laundering" and the use of complex corporate structures for plausible deniability, and the rise of "Bulletproof Registrars" that create procedural roadblocks to takedowns.
In response, international law enforcement has launched an unprecedented counter-offensive. Coordinated actions like Operation Endgame have dismantled major BPH providers such as CrazyRDP, seizing over 1,425 servers and disrupting malware families including Rhadamanthys, VenomRAT, and Elysium. Concurrently, coordinated government sanctions from the U.S., U.K., and Australia are targeting the financial and corporate networks of providers like Media Land LLC and Aeza Group, many of which operate from Russia, a jurisdiction described as a safe haven for such activities.
Despite these successes, the BPH industry remains resilient, adapting through rapid rebranding, IP address hopping, and the abuse of legitimate cloud and CDN services. The strategic response is shifting towards disrupting the entire BPH business model through enhanced public-private partnerships, stricter "Know Your Customer" protocols for infrastructure providers, and the widespread sharing of actionable threat intelligence. For defenders, this landscape necessitates a proactive strategy of continuous monitoring, robust network filtering using both IP and ASN-based blocklists, and a defense-in-depth approach that assumes adversaries will continually seek out and establish new operational infrastructure.
1. Understanding Bulletproof Hosting (BPH)
1.1. Definition and Core Characteristics
A Bulletproof Hosting (BPH) provider is an internet hosting service that deliberately ignores, resists, or fails to respond to legitimate abuse reports and law enforcement takedown requests. First termed in 2006 in relation to the "Russian Business Network," BPH providers create environments where threat actors can operate with impunity.
Core Characteristics:
- Permissive Policies: A hands-off approach to hosted content and a willingness to host services designed to shield clients from disruption.
- Resistance to Takedowns: Actively ignoring or delaying responses to abuse complaints and legal requests. Many advertise services as "Offshore DMCA Ignored Hosting" to signal tolerance for illegal content.
- Anonymity: Advertising and providing complete anonymity and protection from authorities.
- Cryptocurrency Payments: Universally accepting cryptocurrency to obscure financial trails and client identities. Silent Push notes it has never found a BPH that did not accept cryptocurrency.
- Infrastructure Resilience: Offering rapid infrastructure replacement when services are disrupted and employing technical obfuscation methods.
1.2. The Role of BPH in the Cybercrime-as-a-Service Ecosystem
BPH is the backbone of the modern cybercrime-as-a-service model, providing the stable infrastructure necessary for a wide range of malicious activities.
Key Criminal Uses:
- Ransomware Operations: Hosting command-and-control (C2) servers, data exfiltration endpoints, data leak sites, negotiation portals, and payment infrastructure.
- Malware Distribution: Serving as resilient platforms for hosting malware payloads, droppers (e.g., IcedID, SystemBC, Pikabot), and infostealers (e.g., Rhadamanthys, Lumma).
- Phishing Infrastructure: Hosting spoofed websites and credential harvesting pages that can remain online longer.
- Botnets and DDoS Attacks: Providing C2 infrastructure for botnets like Elysium used for Distributed Denial-of-Service (DDoS) attacks and other coordinated campaigns.
- Illegal Marketplaces: Hosting platforms for drug trafficking, stolen data sales, and Child Sexual Abuse Material (CSAM).
1.3. Technical Operations and Evasion Techniques
BPH providers leverage the internet's core architecture and have developed specialized techniques to maintain operations and evade detection.
Methods of Operation:
- Autonomous System Number (ASN) Acquisition: BPH operators often acquire their own ASNs, granting them full control over their IP routing prefixes and traffic flow. This allows them to sustain operations even when parts of their infrastructure are targeted.
- Fast-Flux DNS: Constantly and rapidly rotating the IP addresses and host names associated with a single domain to evade static blocklists and detection.
- IP Space Migration ("IP Broker Hopping"): Quickly moving operations to new IP ranges when a network is blacklisted. They may rent IP space from legitimate providers or other BPHs, creating a complex web of dependencies.
- Distributed Infrastructure: Spreading servers across multiple jurisdictions to complicate legal action and enforcement.
- Proxy and Gateway Layers: Routing malicious traffic through ever-shifting intermediary reverse proxy servers to obscure the true origin of the malicious infrastructure.
- Abuse of Legitimate Services: A growing trend involves moving domains behind major Content Delivery Networks (CDNs) like Cloudflare, abusing "too big to block" infrastructure. One Malaysia-based ISP was documented advising criminal clients to use Cloudflare to shield their networks.
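The fast-flux pattern described above is visible in passive DNS data: one domain answering from many addresses, spread across several ASNs, with very short TTLs. The following is an added example, not code from the report or from Silent Push; the records, thresholds, and helper names are constructed for illustration, and the ASN lookup is assumed to have already been joined onto each resolution.

```python
"""Flag fast-flux-style DNS behaviour from passive-DNS style records.

Added example (not from the report): the records, thresholds and helper
names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    ttl: int   # seconds
    asn: int   # origin AS of the IP at observation time (assumed pre-joined)


# Constructed sample: one domain cycles through many IPs and ASNs with tiny
# TTLs; the other is a stable host with one address and a long TTL.
SAMPLE = [
    Resolution("update-check.example", "203.0.113.10", 60, 64500),
    Resolution("update-check.example", "198.51.100.7", 60, 64501),
    Resolution("update-check.example", "192.0.2.44", 30, 64502),
    Resolution("update-check.example", "203.0.113.99", 60, 64500),
    Resolution("update-check.example", "198.51.100.200", 45, 64503),
    Resolution("update-check.example", "192.0.2.180", 60, 64502),
    Resolution("www.example", "192.0.2.1", 86400, 64496),
    Resolution("www.example", "192.0.2.1", 86400, 64496),
]


def flux_features(records):
    """Per-domain counts of distinct IPs, /24 networks, ASNs and minimum TTL."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    feats = {}
    for dom, rs in by_domain.items():
        nets = {ipaddress.ip_network(f"{r.ip}/24", strict=False) for r in rs}
        feats[dom] = {
            "ips": len({r.ip for r in rs}),
            "nets24": len(nets),
            "asns": len({r.asn for r in rs}),
            "min_ttl": min(r.ttl for r in rs),
        }
    return feats


def is_fast_flux(f, min_ips=5, min_asns=3, max_ttl=300):
    """Heuristic: many addresses across several ASNs with short TTLs.

    Thresholds are constructed for this example. Tune them against a baseline
    of legitimate CDN-backed domains, which also rotate addresses but normally
    stay within one or two ASNs and a consistent set of prefixes.
    """
    return f["ips"] >= min_ips and f["asns"] >= min_asns and f["min_ttl"] <= max_ttl


def flag_domains(records):
    """Return the sorted list of domains whose features match the heuristic."""
    return sorted(d for d, f in flux_features(records).items() if is_fast_flux(f))


if __name__ == "__main__":
    for dom, f in flux_features(SAMPLE).items():
        print(dom, f, "FLUX" if is_fast_flux(f) else "ok")
```

The ASN count is the discriminating feature: a legitimate CDN rotates IPs inside its own networks, whereas a fluxed domain hops between unrelated providers, which is why the heuristic requires both many addresses and several origin ASNs before it fires.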
2. The Evolution and Tactics of BPH Providers
The BPH industry has matured from brazen, monolithic entities to sophisticated, corporatized networks that exploit legal and technical loopholes.
2.1. From Physical Bunkers to Corporate Camouflage
Early BPH providers like McColo (shut down in 2008) and CyberBunker (operated from a decommissioned NATO bunker until its 2019 takedown) were relatively centralized. The modern BPH model, particularly in Western jurisdictions, has shifted to a "separation of liabilities" model.
This involves:
- Reseller Schemes: Concealing BPH services behind lower-end, legitimate-seeming hosting providers.
- Shell Corporations: Using shell companies registered in jurisdictions with minimal oversight (e.g., Wyoming, Delaware, Panama, UK, USA) to create "firewalls of plausible deniability."
- Compartmentalization: Separating datacenter ownership, server rental, and virtual machine management across different business entities to frustrate investigations.
The case of Media Land LLC exemplifies this, operating with a complex structure including subsidiaries like Media Land Technology and Data Center Kirishi, all managed by key executives with specific roles in operations, finance, and legal affairs.
2.2. Emerging BPH-like Tactics
Threat actors are continually developing new methods that mimic the resilience of traditional BPH.
- Infrastructure Laundering: A practice where threat actors use illicitly acquired cloud hosting accounts ("account mules") from mainstream providers like Microsoft and Amazon. They map IPs from this legitimate US-based infrastructure to their criminal client websites, making them appear less suspicious and load faster for US victims. The Philippines-based service FUNNULL was sanctioned by the U.S. Treasury in May 2025 for facilitating this scheme.
- Dynamic DNS (DDNS) Providers: Services that rent subdomains (e.g., afraid[.]org) create BPH-like networks. They are heavily used by advanced threat actors (APT28, APT29, TA406, Scattered Spider) for C2 communications, but many lack clear abuse reporting mechanisms or effective enforcement.
- Bulletproof Registrars: Domain registrars with policies that create significant barriers to takedowns. NiceNIC, headquartered in Hong Kong, is a primary example. It requires a "Power of Attorney" (POA) over a brand to submit an abuse takedown request, a provision that makes it nearly impossible for defenders to take down sites impersonating multiple brands at scale.
3. Law Enforcement Counter-Offensive
A recent surge in coordinated international law enforcement actions and government sanctions indicates a strategic shift towards dismantling the BPH ecosystem.
3.1. Operation Endgame: A Case Study in Coordinated Takedowns
Operation Endgame is described as the largest international effort ever to combat ransomware and cybercrime, focusing on disrupting the entire criminal business model. Coordinated by Europol and Eurojust, it involves a coalition of 11 nations and over 30 private sector partners.
| Phase | Date | Key Actions & Targets |
| --- | --- | --- |
| Phase 1 | May 2024 | Targeted malware droppers (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee). Seized over 100 servers and made 4 arrests. |
| Phase 2 | May 2025 | Dismantled 300 servers and 650 domains. Targeted Bumblebee, Qakbot, Trickbot, and others. Issued 20 international arrest warrants. |
| Phase 3 | Nov 2025 | Dismantled the CrazyRDP BPH provider. Seized 1,025 servers and 20 domains. Targeted Rhadamanthys, VenomRAT, and Elysium. The main VenomRAT suspect was arrested in Greece with access to over 100,000 crypto wallets. |
Cumulative Impact of Operation Endgame:
- Servers Seized: Over 1,425
- Domains Neutralized: Over 670
- Infected Computers Identified: Over 600,000
- Malware Disrupted: Rhadamanthys infostealer (responsible for 86.2 million "information stealing events"), VenomRAT, and Elysium botnet.
3.2. Government Sanctions and Key Targeted Providers
Governments, led by the U.S. Treasury's Office of Foreign Assets Control (OFAC), are increasingly using financial sanctions to disrupt BPH operations.
| Provider | Date of Action | Details |
| --- | --- | --- |
| FUNNULL | May 2025 | Philippines-based Infrastructure Laundering service sanctioned by U.S. Treasury for defrauding U.S. consumers of over $200 million. |
| Aeza Group | July 2025 | Russian BPH provider sanctioned by U.S. Treasury for supporting ransomware groups. Later demonstrated resilience by rebranding through front companies (Hypercore Ltd. in UK, entities in Serbia and Uzbekistan). |
| Zservers (Xhost) | Feb 2025 | Russian BPH provider sanctioned by the U.S., U.K., and Australia. Dutch police seized 127 servers. |
| LolekHosted | Aug 2023 | Admin indicted by the U.S. DOJ after operating for nearly a decade and hosting NetWalker ransomware instances. |
| Media Land LLC | Nov 2025 | Russian BPH provider (run by Alexander Volosovik, alias "Yalishanda") sanctioned by U.S., U.K., and Australia for supporting LockBit, BlackSuit, and Play ransomware. |
| Stark Industries | May 2025 | Web host sanctioned by the Council of the EU for enabling Russian state-sponsored cyber-attacks. |
3.3. Challenges and the Role of Russia as a Safe Haven
Despite successes, enforcement faces significant hurdles, including jurisdictional complexity and the challenge of proving criminal liability. A prominent pattern is the operation of many BPH providers from Russia. A U.S. Treasury announcement noted that "Putin has turned Russia into a safe haven for these malicious cyber criminals, cultivating a dark criminal ecosystem with deep ties to the Kremlin." This is further illustrated by connections between Evil Corp, LockBit affiliate Aleksandr Ryzhenkov, and former high-ranking FSB officials.
4. Profiles of BPH Infrastructure
Analysis of specific BPH providers and their associated Autonomous Systems reveals common red flags and patterns of malicious activity.
4.1. Self-Declared and Vetted BPH Providers
| Provider | ASN | Location | Key Characteristics and Marketing Claims |
| --- | --- | --- | --- |
| AlexHost | 200019 | Moldova | Operating since 2008. Openly advertises "Offshore DMCA Ignored Hosting." Hosts numerous sites that flout copyright laws. |
| Abolly Web Solutions | N/A | Leased | Boasts on Facebook of being a "100% anonymous and DMCA ignored Offshore server." Maps clients via NS records on a single IP on Hetzner Networks. |
| Phanes Networks | 49042 | Netherlands | Explicitly lists "Bulletproof VPS" and states "No need to worry about DMCA Complaints now." Spamhaus recommends blocking this ASN. |
| Shinjiru | 45839 | Malaysia | Operates since 2000. Customer support confirmed "We operate under the DMCA ignored policy." Has a documented 12-day abuse desk response time and a 10-day grace period for abuse complaints. Hosts phishing pages and investment scams. |
4.2. Actionable Intelligence on High-Risk ASNs
Silent Push analysis identified numerous ASNs with consistent red flags, primarily used for hosting DGA-generated domains and various scams.
| AS Number | AS Name | Key Red Flags |
| --- | --- | --- |
| 152194 | CTGSERVERLIMITED-AS-AP | Heavy DGA usage; Spamhaus blocklist; 24-day abuse response time. |
| 214351 | FEMOIT GB | Unknown website; disposable ProtonMail abuse contact; Spamhaus blocklist; 26-day abuse response time. |
| 213194 | NECHAEVDS-AS RU | Unknown website; disposable TutaMail abuse contact; low IP density; heavy DGA usage. |
| 48589 | SOW-A-AS UA ("Tiger Net") | Unknown website; Gmail abuse contact; low IP density; heavy DGA usage; Spamhaus blocklist. |
| 49217 | HOSTYPE US | Wyoming shell company registration; Gmail abuse contact; low IP density; Spamhaus blocklist. |
| 140224 | SGPL-AS-AP STARCLOUD GLOBAL | Suspicious residential address (Colorado); phone number shared with other suspicious sites; hosts "Triad Nexus" threat actor infrastructure. |
5. Defense Strategies and Recommendations
The fight against BPH requires a multi-faceted approach combining advanced threat intelligence, robust technical defenses, and industry-wide policy changes.
5.1. BPH Identification Methodologies
Silent Push analysts employ a multi-stage review process to identify BPH infrastructure:
- Tracking Infrastructure Shifts: Using Indicators of Future Attack™ (IOFA™) to detect threat actors relocating infrastructure to new ASNs and providers.
- Analyzing IP Density and Peering: BPHs often have few IP addresses and limited peering relationships due to their illicit activities.
- Identifying Suspicious WHOIS Records: Use of disposable or free email addresses (Gmail, Proton Mail) for abuse contacts is a major red flag.
- Exposing Corporate Registration Loopholes: Identifying BPHs incorporated in jurisdictions with minimal oversight.
- Correlating with DGAs: BPHs frequently service clients that use Domain Generation Algorithms (DGAs).
- Cross-Referencing with Industry Lists: Using trusted resources like the Spamhaus DROP list as an initial data point, while recognizing its scope may not cover all types of scams (e.g., phishing and financial fraud).
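The red flags in the high-risk ASN table (section 4.2) and the review stages listed above can be turned into a repeatable triage score. The following is an added example, not Silent Push's methodology or tooling: the field names, weights, thresholds, and sample ASN records are constructed for illustration, and the measurements they stand for (announced address count, peer count, DGA share, abuse response time) are assumed to come from your own BGP, passive DNS, and abuse-desk data.

```python
"""Score an autonomous system against the BPH red flags described above.

Added example, not Silent Push's methodology or tooling: field names,
thresholds and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Free or disposable mailboxes named in the report as suspicious abuse contacts.
FREE_MAIL_DOMAINS = {"gmail.com", "protonmail.com", "proton.me", "tutanota.com", "tuta.io"}

# The report names Wyoming, Delaware and Panama (and, more broadly, the UK and
# USA) as low-oversight registration venues. Whole-country codes would flag
# every legitimate provider there, so this constructed list keeps only the
# narrow venues; refine it with your own corporate-registry data.
LOW_OVERSIGHT = {"WY", "DE", "PA"}


@dataclass
class AsRecord:
    asn: int
    name: str
    abuse_contact: str                  # abuse mailbox from WHOIS
    announced_ips: int                  # addresses covered by announced prefixes
    peers: int                          # distinct BGP neighbours observed
    dga_share: float                    # fraction of hosted domains matching DGA patterns
    on_drop_list: bool                  # listed on Spamhaus DROP
    jurisdiction: str                   # registration venue code, "" if unknown
    abuse_response_days: Optional[float]  # days to act on an abuse report; None = never answered


def red_flags(rec: AsRecord) -> List[str]:
    """Return the human-readable red flags that apply to one AS record."""
    flags = []
    if rec.abuse_contact.split("@")[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free/disposable abuse contact")
    if rec.announced_ips < 2048 and rec.peers <= 2:
        flags.append("low IP density with few peers")
    if rec.dga_share >= 0.25:
        flags.append("heavy DGA usage")
    if rec.on_drop_list:
        flags.append("Spamhaus DROP listed")
    if rec.jurisdiction in LOW_OVERSIGHT:
        flags.append("low-oversight corporate registration")
    if rec.abuse_response_days is None or rec.abuse_response_days > 7:
        flags.append("slow or absent abuse handling")
    return flags


def score(rec: AsRecord) -> int:
    return len(red_flags(rec))


def triage(records, threshold: int = 3) -> List[Tuple[int, int, List[str]]]:
    """Return (asn, score, flags) for ASNs at or above the threshold, highest first."""
    ranked = sorted(records, key=score, reverse=True)
    return [(r.asn, score(r), red_flags(r)) for r in ranked if score(r) >= threshold]


# Constructed sample using private-use ASNs; no real network is described.
SAMPLE = [
    AsRecord(64500, "EXAMPLE-BPH", "abuse.example@gmail.com", 512, 1, 0.6, True, "WY", 24.0),
    AsRecord(64496, "EXAMPLE-ISP", "abuse@isp.example", 65536, 40, 0.0, False, "NL", 1.0),
    AsRecord(64501, "EXAMPLE-VPS", "abuse@vps.example", 4096, 5, 0.3, False, "", None),
]

if __name__ == "__main__":
    for asn, s, flags in triage(SAMPLE):
        print(f"AS{asn}: score {s}: " + "; ".join(flags))
```

The DROP list is deliberately only one flag among several, reflecting the caveat above that its scope does not cover every scam type; a provider that is not listed can still score high on the other signals, which is the case the triage is meant to surface.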
5.2. Official Guidance and Industry Best Practices
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released guidance on mitigating BPH risks, encouraging a proactive stance from infrastructure providers.
Key CISA Recommendations:
- Enhanced Customer Vetting: ISPs should implement stricter "Know Your Customer" protocols, verifying identity and banking details.
- Traffic Analysis: Monitor network traffic to identify suspicious hosting patterns.
- ASN-Based Blocking: Deploy blocklists based on Autonomous Systems to preemptively block criminal operations that rapidly cycle through IP addresses.
- Outbound Traffic Filtering: Restrict and monitor outgoing traffic to prevent communication with malicious destinations.
- Rapid Response: Establish standards for blocking malicious IP ranges for up to 90 days.
- Industry Standards: Create sector-wide codes of conduct for responding to abuse reports.
5.3. Recommendations for Organizations
- Monitor for BPH Indicators: Use threat intelligence feeds to watch for connections to known BPH IP ranges, domains, and ASNs.
- Implement Layered Network Filtering: Deploy both IP-based and ASN-based blocklists at the network perimeter. Additionally, use domain-based blocklists (like Spamhaus DBL) to counter BPH abuse of trusted CDN services.
- Track Sanctions Lists: Monitor OFAC and other international sanctions to ensure no business is conducted with designated entities.
- Adopt an Assume Breach Mentality: Implement a defense-in-depth security posture, recognizing the persistent and adaptive nature of the BPH threat.
- Report Suspicious Activity: Share indicators of compromise with industry partners and information sharing organizations to contribute to the collective defense.
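The layered filtering recommended above, together with the CISA points in section 5.2 on ASN-based blocking, outbound filtering, and 90-day blocks on malicious IP ranges, comes together in a single outbound-connection check. The following is an added example, not CISA's, Spamhaus's, or the report's own tooling: the blocklist entries, the prefix-to-ASN table (standing in for a real BGP or route-view lookup), the log format, and the expiry policy are all constructed for illustration.

```python
"""Evaluate outbound connection events against layered blocklists.

Added example (not CISA's, Spamhaus's or the report's tooling): blocklist
entries, ASN table, log lines and the expiry policy are constructed here.
"""
import ipaddress
from datetime import date, timedelta

BLOCK_DAYS = 90  # the guidance above cites blocks on IP ranges of up to 90 days

# IP-range blocklist entries carry the date they were added so they can expire.
IP_BLOCKLIST = [
    (ipaddress.ip_network("203.0.113.0/24"), date(2025, 10, 1)),
    (ipaddress.ip_network("198.51.100.0/25"), date(2025, 6, 1)),  # stale on the sample check date
]
ASN_BLOCKLIST = {64500, 64501}                       # private-use ASNs, constructed
DOMAIN_BLOCKLIST = {"update-check.example", "cdn-proxy.example"}

# Constructed prefix-to-ASN table standing in for a real BGP/route-view lookup.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64510,
}


def asn_for(ip):
    """Longest-prefix match of an address against the ASN table; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def active_ip_blocks(today):
    """IP-range blocks still within their BLOCK_DAYS window on the given date."""
    cutoff = today - timedelta(days=BLOCK_DAYS)
    return [net for net, added in IP_BLOCKLIST if added >= cutoff]


def verdict(dst_ip, host, today):
    """Return (action, reason) for one outbound event."""
    addr = ipaddress.ip_address(dst_ip)
    # Layer 1: domain blocklist, which still matches after a site moves behind a CDN.
    if host and any(host == d or host.endswith("." + d) for d in DOMAIN_BLOCKLIST):
        return ("block", f"domain {host} listed")
    # Layer 2: IP-range blocklist with expiry.
    for net in active_ip_blocks(today):
        if addr in net:
            return ("block", f"{addr} in listed range {net}")
    # Layer 3: ASN blocklist catches addresses cycling inside a known-bad AS.
    asn = asn_for(dst_ip)
    if asn in ASN_BLOCKLIST:
        return ("block", f"{addr} originates from listed AS{asn}")
    return ("allow", "no match")


def filter_log(lines, today):
    """Parse constructed 'timestamp dst_ip host' lines ('-' = no host) into verdicts."""
    results = []
    for line in lines:
        ts, dst_ip, raw_host = line.split()
        host = "" if raw_host == "-" else raw_host
        action, reason = verdict(dst_ip, host, today)
        results.append((ts, dst_ip, host, action, reason))
    return results


# Constructed sample log using documentation address ranges only.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z 192.0.2.77 -",
    "2025-11-20T10:00:02Z 203.0.113.5 -",
    "2025-11-20T10:00:03Z 198.51.100.9 -",
    "2025-11-20T10:00:04Z 198.51.100.50 www.update-check.example",
    "2025-11-20T10:00:05Z 198.51.100.200 -",
]

if __name__ == "__main__":
    for row in filter_log(SAMPLE_LOG, date(2025, 11, 20)):
        print(*row)
```

The ordering of the layers matters: the domain check runs first because a listed site fronted by a CDN resolves to addresses you cannot block by range, the IP layer handles ranges with a bounded lifetime so the list does not grow forever, and the ASN layer is the fallback that still catches a host that has hopped to a fresh address inside the same autonomous system.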