Bulletproof Hosting Providers Targeted by Law Enforcement

Dutch police have taken action against a bulletproof hosting provider (BPH). CISA provides tips for risk mitigation.

Seized servers (Image: politie.nl)


Last week, Dutch police cracked down on a bulletproof hosting provider (BPH) and seized around 250 physical servers. Separately, the US Cybersecurity and Infrastructure Security Agency (CISA), together with international partners, has published guidance on how ISPs and network operators can mitigate the risks posed by BPH.

As the Dutch police announced on their website, the seizure took place as part of investigations into a hosting company used for criminal purposes; the physical servers hosted thousands of virtual servers. According to the police, the host was used exclusively for criminal activity: since 2022 it had turned up in more than 80 cybercrime investigations, including international ones.

The bulletproof host in question advertised itself as absolutely secure, promised its users complete anonymity, and claimed not to cooperate with law enforcement. This is typical of bulletproof hosts: they allow criminals to run malicious operations on the internet undetected and without consequences, unlike "regular" hosts that, for example, host company websites and their internet services and respond to abuse reports.

On November 12, Dutch police seized around 250 physical servers in data centers in The Hague and Zoetermeer from the BPH, which had offered criminals "secure" internet access. These hosted thousands of virtual servers, which law enforcement is now examining as part of ongoing investigations. No further criminal activity is possible through this infrastructure. Malicious actors had previously used the host for storage, but also for running ransomware attacks, controlling botnets, phishing fraud, and distributing child sexual abuse material.

Furthermore, the US Department of the Treasury announced on Wednesday of this week joint sanctions by Australia, the USA, and the United Kingdom against Russian cybercrime infrastructure that supports ransomware. The sanctions target the Russia-based bulletproof host "Media Land" as well as "Hypercore Ltd." and "Aeza Group LLC", which provided essential services to cybercriminals. Among other things, all assets of the designated individuals and companies in the USA must be frozen and reported to the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury. Financial institutions that do business with the designated parties can themselves become targets of sanctions.


Also on Wednesday, the US cybersecurity agency CISA, together with other US agencies and international partners, released a guide on mitigating risks from bulletproof hosting (PDF). It states that BPH poses a significant risk to the resilience and security of critical systems and services. The agencies provide recommendations for Internet Service Providers (ISPs) and network operators who want to protect their infrastructure, plus a separate set of recommendations aimed only at ISPs.

These include basic guidance such as maintaining a list of malicious resources and setting up filters that block malicious traffic without disrupting legitimate traffic. Analyzing traffic and checking it for anomalies helps populate that list. The agencies also recommend logging: ISPs and network operators should record ASNs (Autonomous System Numbers) and IP addresses, raise alerts on malicious activity where appropriate, and keep their logs current. Finally, sharing the gathered information with public and private entities helps strengthen cyber defense. Interested parties can find the details in the PDF.
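To make the recommended controls concrete, here is an added example (not code from the guide, CISA, or the Dutch police) that strings them together: a maintained list of malicious prefixes and ASNs, a filter that blocks only traffic matching that list, per-flow logging that retains ASN and IP, alerting on blocked flows, and a simple anomaly check that proposes new ASNs for the list. All prefixes, ASNs, flows and baseline counts are constructed for the example and use the IETF documentation ranges (RFC 5737 addresses, RFC 5398 ASNs), so nothing here refers to a real network; the thresholds in `suspicious_asns` are illustrative assumptions.

```python
"""Constructed illustration of the ISP/network-operator controls: a maintained
blocklist of prefixes and ASNs, a filter that blocks only matching flows,
logging that keeps ASN and IP, alerting, and an anomaly check that proposes
new blocklist entries. All data is made up (documentation ranges only)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Maintained list of malicious resources (hypothetical entries). Documentation
# prefixes and ASNs stand in for a BPH's real prefixes and ASN.
BLOCKED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),     # TEST-NET-3
    ipaddress.ip_network("198.51.100.128/25"),  # upper half of TEST-NET-2
]
BLOCKED_ASNS = {64500}  # documentation ASN


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_asn: int
    dst_port: int
    bytes: int


@dataclass
class Verdict:
    flow: Flow
    action: str  # "block" or "allow"
    reason: str  # matching list entry, or "no match"


def matches_blocklist(flow: Flow, prefixes=BLOCKED_PREFIXES, asns=BLOCKED_ASNS) -> str | None:
    """Return the list entry the flow matches (ASN checked first), or None."""
    if flow.dst_asn in asns:
        return f"asn:AS{flow.dst_asn}"
    addr = ipaddress.ip_address(flow.dst_ip)
    for net in prefixes:
        if addr in net:
            return f"prefix:{net}"
    return None


def filter_flows(flows, prefixes=BLOCKED_PREFIXES, asns=BLOCKED_ASNS) -> list[Verdict]:
    """Block only flows that match the list; all other traffic passes untouched."""
    verdicts = []
    for f in flows:
        hit = matches_blocklist(f, prefixes, asns)
        verdicts.append(Verdict(f, "block" if hit else "allow", hit or "no match"))
    return verdicts


def log_line(v: Verdict) -> str:
    """One log record per flow, retaining source/destination IP and destination ASN."""
    f = v.flow
    return (f"action={v.action} src={f.src_ip} dst={f.dst_ip} dst_asn=AS{f.dst_asn} "
            f"dport={f.dst_port} bytes={f.bytes} reason={v.reason}")


def alerts(verdicts) -> list[str]:
    """Alert on every blocked flow; the log line carries the evidence."""
    return [f"ALERT {log_line(v)}" for v in verdicts if v.action == "block"]


def suspicious_asns(flows, baseline: dict[int, int], factor: float = 5.0, min_flows: int = 10) -> dict[int, int]:
    """Anomaly check used to populate the list: destination ASNs whose flow count is
    at least `factor` times their baseline, or ASNs never seen before with at least
    `min_flows` flows. Returns {asn: observed_count} as candidates for review."""
    counts = Counter(f.dst_asn for f in flows)
    candidates = {}
    for asn, n in counts.items():
        base = baseline.get(asn, 0)
        if (base and n >= factor * base) or (not base and n >= min_flows):
            candidates[asn] = n
    return candidates


# Constructed sample traffic and a constructed per-ASN baseline.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.7", 64500, 443, 1200),    # blocked ASN (and prefix)
    Flow("192.0.2.11", "198.51.100.200", 64501, 80, 500),   # blocked prefix only
    Flow("192.0.2.12", "198.51.100.5", 64501, 80, 700),     # outside the blocked /25
    Flow("192.0.2.13", "192.0.2.50", 64502, 22, 300),       # clean
] + [Flow(f"192.0.2.{20 + i}", "192.0.2.99", 64503, 6667, 100) for i in range(12)]  # burst to AS64503
BASELINE = {64501: 10, 64502: 50, 64503: 2}

if __name__ == "__main__":
    verdicts = filter_flows(SAMPLE_FLOWS)
    for v in verdicts[:4]:
        print(log_line(v))
    for a in alerts(verdicts):
        print(a)
    print("candidate ASNs for the list:", suspicious_asns(SAMPLE_FLOWS, BASELINE))
```

The filter matches on the destination ASN before the prefix so that a whole BPH network is caught even when the specific prefix has not yet been listed; the anomaly check only nominates candidates, which should be reviewed (and shared with peers, as the guide suggests) before being added to the list, so that legitimate traffic is not disrupted.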

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.