In this blog, the OWN-CERT will explore the current state of BPH (Bulletproof Hosting) services on two major Russian-language cybercrime forums: XSS and Exploit. We will highlight the diversity of these services and analyze cybercriminals' opinions on them. Detailed profiles of two BPH providers will be presented: "Alpha," a professional business in Moscow, and "Beta," a new service run by three friends. This comparison will illustrate the varying approaches and operational scales of BPH services in the cybercrime ecosystem.
Executive Summary
- Currently 40 BPH services are active on XSS and Exploit. In the past two years, no fewer than 17 new BPH services have emerged, but the market is still rather dominated by old reputable services.
- Although they all use the term “Bulletproof hosting” in their commercial threads, these services are very different from one another. The main differences are the type of services they offer and ToS, hardware, prices, their infrastructure and their reputation.
- Threat actors’ opinion about BPH providers shows that they are not a silver bullet. The main issues are stability, support quality and blacklisting by reputation-based security services.
- To hide their identity threat actors behind BPH services are frequently creating shell companies or finding people willing to register companies under their own names.
- Observed BPH services range from highly organized and professional entities employing dozens of people to opportunistic businesses ran by adventurers.
Why should we care about BPH and what is their role in cybercrime?
On May 7, 2024, Operation Cronos culminated in success when law enforcement agencies deanonymized M. Dmitry Khoroshev, the leader of the LockBit ransomware gang[1]. Simultaneously, several cybersecurity and intelligence companies shared their findings about M. Khoroshev and LockBit’s infrastructure.
One notable article was published by Chainalysis, a company specializing in blockchain analysis. Their report examined the transfers of cryptocurrencies from LockBit’s Bitcoin wallets to those of other criminal entities, revealing connections between LockBit and underground exchanges, darknet markets, and bulletproof hosting services (BPH)[2]. The fact that LockBit had to use at least three different BPH providers indicates that bulletproof hosting is a fundamental service in the cybercriminal ecosystem.
A BPH is a specific type of hosting service that allows clients to anonymously rent servers and buy domains to conduct grey or illegal activities. For cybercriminals, a BPH enables for instance the hosting of illegal marketplaces, running of Command-and-Control servers (C2), distribution of malware or spam, network vulnerability scanning, and launching of phishing campaigns. State-sponsored entities may also use BPH to host disinformation websites, while extremist organizations use them to promote their ideology, and hacktivists can use them to launch DDoS attacks[3].
LockBit has used BPH services to host its victim blog and help affiliates exfiltrate data from compromised companies. The group’s affiliates, like other threat actors, also use BPH to conduct vulnerability scans or hide their real IP behind a series of custom VPNs and proxies. Without these services, an enormous cybercriminal organization like LockBit, could probably not have existed. BPH are, as explained in a great Black Hat presentation from 2017, “The Core Enabler” of cybercrime[4].
If you search for "Bulletproof hosting" in a search engine, you will undoubtedly find a plethora of "BPH" and "Offshore Hosting" websites offering domain registration, virtual private servers, or dedicated servers. These providers accept cryptocurrencies for payment, promise to fully ignore copyright complaints (DMCA), and claim to preserve clients’ anonymity by not implementing the Know-Your-Client (KYC) policy. In fact, "BPH" is often conflated with "Offshore" hosting and encompasses a wide range of services that are not always necessarily illegal. Legislation varies from country to country and is exploited by hosting services. As one of these “BPH”explains himself:
“Each project must be approached individually. There are projects that are prohibited in one location but allowed in another. If you have a doubt, please contact live chat, our specialists will help you.”
The widespread use of the term "Bulletproof" by hosting services often gives a false sense of universality, suggesting that their servers can withstand any type of complaint because they are in a secret bunker. Cybercriminals themselves sometimes believe that if a seller advertises a BPH service, the servers must be in law-free zones like Transnistria or Donbass.
While such BPH do exist, they are quite expensive and usually do not last long. A famous example was "CyberBunker," based in a former Cold War bunker in theNetherlands and later in Germany, which was shut down by police in 2019[6]. These advanced bulletproof hosting services in private homes or unusual locations are rare. Most BPHs are found in normal data centers but are often hidden behind shell companies to shield their owners from unnecessary attention.
While it is relatively easy to find hosting providers that ignore minor copyright complaints, allow gambling or porn websites, and overlook internet scanning, things get tougher for more obviously malicious activities. Even BPH providers need to be cautious about what occurs on their networks to avoid having their entire IP block ranges blacklisted by companies like SpamHaus and attracting law enforcement attention.
Thus, most "Bulletproof" or "Offshore" hosting providers that are easily found will not openly accept to host ransomware victim blogs or tolerate the spread of malware. This type of activity is allowed, to varying extents and under certain conditions, by BPH providers present on cybercriminal forums and marketplaces.
In the case of LockBit, its leader and many of its affiliates are from the former USSR, they are often active on Russian-language cybercrime forums like XSS, Exploit, orRAMP. It is likely on these forums that LockBit and other Russian-speaking threat actors seek out BPH providers.
According to a paper written by Intel471[7], the former USSR area is a fertile soil for BPH services, the most famous of them are “yalishanda”, “ccweb”, or “whost” aka “Abdallah”. Before he got arrested by the Ukrainian police in 2019, “whost” aka M. Mykhailo Rytikov, was among other things hosting the Jabber servers of the forum Exploit[8]. Recently other infamous BPH providers went dark, possibly because they were affected by the Russian invasion of Ukraine in 2022. One of them is the BPH “FLOWSPEC”, notably known for providing DDoS protection for major Russian-language cybercrime forums[9]. Another example is “MikaSweet7” who was supposedly able to conduct DDoS attacks that were powerful enough to put offline CloudFlare‘s servers[10].
Understanding how BPH functions on the Russian-speaking segment of the cybercriminal underground is, in my opinion, critical to identify the infrastructure of these hosting providers and thus limit the ability of cybercriminals to efficiently use bulletproof hosting.
In today’s blog, OWN-CERT would like to explore the current landscape of BPH services active on two major Russian-language cybercrime forums: XSS and Exploit. More importantly, we wish to highlight the substantial variety of BPH services and analyze what cybercriminals themselves think about these hosting providers. While BPH are definitely “the core enablers of cybercrime,” they are not a silver bullet.
Eventually, we would like to present in detail the profiles of two BPH services that we were able to study thoroughly. They are a great illustration of how different BPH services can be. The first one, which we will call BPH “Alpha,” is a highly professionalized business employing at least a dozen people in a Moscow office. It has been active on cybercrime forums for around ten years under different handles and hides behind several shell companies.
The second BPH, which we have named “Beta”, is a relatively new hosting provider run by three friends from a Russian city. Incredibly, the spouse of one of the associates is openly advertising this BPH on the Internet.
This last point convinced us to anonymize my findings because a mistake on our part could have severe consequences for the individuals we believe to be behind this BPH. Let’s leave the deanonymization to law enforcement agencies.
2024 BPH Landscape - 40 shades of BPH on XSS and Exploit
When we started to study the presence BPH providers on RLCF last year, we noticed that the highest concentration of bulletproof hosting services was observable on two forums: XSS and Exploit. Thereby, this year we decided to focus precisely on these two communities and analyze in detail BPH that are presently commercialized there. Please keep in mind, that what is covered in this article is only the tip of the iceberg, many other BPH like for example “kyun”, “exservers” or“njala” are mentioned by threat actors on cybercrime forums but will not be covered in this article.
Enduring veteran BPH and numerous, rather ephemeral, newcomers
In June 2024, 40services on XSS and Exploit claim to sell bulletproof hosting. The oldest of these entities has been active since 2008, while the newest appeared in early2024. Compared to last year, it is notable that BPH services such as “SollHost”and “QuaHost” have either ceased operations or rebranded.
In the past two years, no fewer than 17 new BPH services have emerged, highlighting the high volatility and constant renewal of these services. However, veteran BPH providers like “ccweb,” “grizlii,” “yalishanda,” and “tunastock” remain active and generally enjoy a positive reputation within the Russian-speaking cybercriminal community.
A closer examination of some BPH offers and infrastructures reveals that some of them are owned by the same entity operating under different BPH brands and handles. Thus, the actual number of unique BPH providers is slightly smaller than the identified 40. Additionally, a few BPH have decided to cooperate with each other to enhance the quality of their services.
As shown in our previous paper[11],the prominence, and specialization on cybercrime, of XSS and Exploit allow these forums to stand above other Russian-language cybercriminal communities and attract threat actors from all around the world. Among the 40 threat actors selling BPH services on these two forums, 13 are not native Russian speakers and mainly communicate in English. Some of them are from Netherlands,Switzerland and Romania. Interestingly, all the veterans BPH belong to Russian-speaking threat actors while most of the newcomers that appeared this year like “BulletHost”, “DarkSecure”, “AnonVM” and “superlative” are not.
40 BPH – 40 different offers and sets of rules
When it comes to the type of services the identified BPH providers are trying to sell, logically most of them advertise either virtual or dedicated servers. Several minor services sell only virtual servers, often because they resell services they purchase from either white or grey hosting providers.
"Bulletproof domains" are also among the most common and sought-after services. Typically, BPH providers resell domains they purchase from companies like"nicenic", “shinjiru”, "r01", "flokinet", or "webnic". Chinese domain registrants are particularly favored by threat actors on XSS and Exploit because they are slow to respond to abuse complaints.
Another part of the BPH business is the sale of obfuscation services like for example VPN, FastFlux[12] and proxies. Residential proxies are usually in high demand and are sold by numerous specialized services, BPH providers are clearly not leading the market on this front. Nevertheless, technically advanced services like FastFlux, that consists in associating a pool of IPs addresses with one domain name and frequently rotate these IPs by changing the the Domain Name System (DNS) records associated with that domain name, are usually advertised only by the most prominent BPH.
Eventually, a minority of BPH openly admit that they possess a Local Internet Registry (LIR) status which allows them to purchase, and then rent to their customers, entire blocks of IPs. This fact is particularly interesting because membership in a Regional Internet Registry (RIR) is required to become a LIR, which implies that these BPH have left information that can be exploited to find and study them.
An additional illustration of the variety and specificity of the identified BPH services is the “terms of service” that they explicitly mention in their commercial threads. Please note that if a rule is not explicitly mentioned by a BPH, it does not necessarily mean that the activity is authorized. Almost half of all BPH are clearly stating that they will not tolerate the hosting of any content that is linked to child pornography, terrorism, extremism or any activity that targets the Community of Independent States (CIS) and Russia. This set of rules is very common and is meant to protect the BPH owners that live in the former USSR countries by limiting their legal responsibility if any type of these content is hosted on their network (supposedly) without their knowledge.
Ignoring SpamHaus[14] blocklisting is apparently a challenge for a substantial amount of BPH as is the targeting of financial and governmental entities. SpamHaus is a company providing information about the reputation of IPs, domains and ASNs associated with not only spam but also phishing, malware, and ransomware. This shows once again that not all BPH accept to expose their network to blocklisting.
On the opposite, terms of service explicitly allowing particular types of activities and content give a good hint at how the cybercriminals can use these services.
The analysis of all this content helps to build a classification for the 40 BPH that we are studying here, nevertheless one thing is missing to clearly categorize each BPH– an analysis of user reviews.
Threat actors’ feedback – support and stability of service: the main problems
When we started studying the feedback of threat actors about BPH in the commercial and arbitration threads of XSS and Exploit, we were surprised by the lack of understanding some threat actors had about what they were purchasing. Indeed, a fair number of negative comments were related to complaints about a BPH not being a "real" BPH. These disputes often arose because the threat actors neglected to read the Terms of Service and fell victim to the myth that a BPH can ignore any type of abuse. On the other hand, in a few cases, threat actors opened arbitrations against BPH that were not as bulletproof as they claimed to be. Overall, negative reviews were the most interesting to read as they often revealed information about the real limitations of a service and its network infrastructure.
Even when a BPH delivered what it promised, one of the most widespread complaints was related to poor customer support or difficulties in getting in touch with the seller. Communication is not always fluid between BPH providers and threat actors. Only24 BPH have a commercial website, while others rely on messengers like Telegram, Tox, or Jabber. Furthermore, numerous complaints about the stability of servers were also observed. These types of issues can be particularly problematic for threat actors who need servers with high uptime to conduct their malicious activities.
Positive reviews, with a few exceptions, are prevalent. Fake comments left by the BPH themselves under different handles are quite common but do not constitute the majority of reviews for the most reputable services. Sometimes, threat actors involved in known malicious schemes, like the development and distribution of infostealer malware, also leave reviews, which helps to identify which BPHs can potentially host their backends.
Coupling these reviews with the types of services and ToS of the studied BPH helps to categories them in 3 categories:
- The first one – Tier 1 – is composed of BPH providers that offer low quality services or with strict limitations. For instance, in this category can be found BPH that are performant only for activities like network scanning or brutforcing. BPH supposedly allowing somewhat more advanced types of activities but with a substantial number of negative reviews also belong to this category. A BPH from Tier 1 is not necessarily a bad choice for a cybercriminal if he knows what exactly he needs and wishes to get a cheap solution.
- BPH from Tier 2 are generally composed of services that do not care about SpamHaus blocklist, that own their servers or that possess racks in datacenters.
- Eventually,Tier 3 BPH are the most technically advanced and reputable services, they often possess their own servers and a LIR status and sell FastFlux.
BPH limitations - an expensive service that is not always necessary for cybercriminal activity
As we have seen, not all BPH services are equal, and they do not always meet threat actors’ expectations. Some limitations of BPH servers include lack of stability, low reliability or lack of backups, high costs, and the blacklisting of their IPs. To circumvent these issues, threat actors can implement several solutions. One effective method is the obfuscation of legitimate servers behind proxies or using FastFlux networks.
The issue with FastFlux is that it remains an expensive method for hiding malicious activity, and the IPs associated with BPH and FastFlux can still be identified and blacklisted. Among the seven BPH providers currently offering FastFlux services, prices for a single domain range from over $50 to over $400 per month.
Several reputable members of the cybercriminal community, such as the threat actor "bratva", have stated that using BPH is not always necessary[15]. In fact, it can sometimes attract unwanted attention and reduce the success rate of malicious operations. Instead, obfuscating malicious payloads can be a more effective and cost-efficient solution than purchasing expensive BPH servers.
The same logic supposedly applies to domains. Registering them with reputable suppliers helps to bypass reputation-based solutions and thereby rises the success rates of malicious campaigns.
The hijacking of white hosting services is a well-known tactic among cybercriminals. For instance, the threat actor "Dread Pirate Roberts" explains that his servers are often targeted by scans and bruteforce attacks from white hosting services. It is quite easy to purchase stolen or anonymously registered accounts for AWS, OVH, and other popular hosting services on cybercriminal forums.
BPH Alpha and Beta - an illustration of the variety of bulletproof hosting providers
Now that we have an overall picture of the BPH landscape on XSS and Exploit, and have somewhat demystified the myths surrounding these cybercriminal services, let's take a closer look at two specific BPH providers.
BPH Alpha – a highly professionalized veteran hosting provider
The first BPH we would like to explore with you is a veteran of the Russian-speaking cybercriminal underground. This Tier 3 BPH began its illicit activities between2010 and 2020, and the entity controlling it currently operates no fewer than four different BPHs on XSS and Exploit. Threat actors purchasing services from these four BPHs are likely unaware that they are dealing with a single entity.The decision by the owners of BPH Alpha to split their activities into four brands is quite intriguing and demonstrates a well-thought-out commercial strategy. This strategy has proven very profitable, helping BPH Alpha generate a turnover of more than $10 million in recent years.
On the other side of the coin, behind these four BPH, is a well-structured legitimate hosting business registered in Russia, with its IPs and AS registered to companies in Europe and China. This Russian company has an office in Moscow and employs at least a dozen IT specialists, support staff, graphic designers, and sales personnel. The hosting company has long-standing partnerships with leading data centers and hosting providers in Moscow. Its website advertises entirely legitimate services, provides information about the company and its infrastructure, and highlights events where company representatives were present.
Several operational security mistakes made by BPH Alpha’s management during the early stages of this entity's development allowed to piece together the puzzle.
Interestingly, the BPH business of Alpha has been much more stable than the legitimate hosting companies owned by this entity. Since the start of BPH Alpha's activities, four hosting companies have been created and subsequently declared bankruptcy. This cycle of bankruptcies suggests that the revenues generated by the four BPH are the only significant source of income for Alpha. However, its owners cannot include these illicit earnings in the balance sheets of their legal companies, forcing them to periodically rotate companies by closing old ones and registering new ones.
The observation of the over 5000 IPs that belong to Alpha also hints that the service is mainly used for cybercriminal purposes. The company has several AS and IPs blocks that are dedicated to specific malicious activity to avoid the blacklisting of the whole network.
When we were searching for information about Alpha’s IPs, we stumbled upon a report analyzing an APT operation. According to this report, one of the IPs belonging to BPH Alpha was used as a C2 server allegedly controlled by an APT group. This highlights the proximity and interconnections that sometimes exist between the cybercriminal world and state-sponsored malicious campaigns.
BPH Beta – an opportunistic business started by three friends
On the other side of the BPH spectrum exists a more modest enterprise run by three friends from a Russian city. Their journey is more chaotic and opportunistic, reflecting their constant willingness to adapt to new trends and profitable opportunities. BPH Beta does not has its own AS or IP blocks but instead rents servers from legal and grey hosting services. The owners also advertise the creation of offshore companies on cybercriminal forums.
It appears that the criminal activities of BPH Beta's owners began in the realm of financial fraud. Their decision to start a cryptocurrency exchange and to sell a no-KYC payment service to underground shops further demonstrates their aim to capitalize on new popular trends. This behavior continued when the three friends decided to start a BPH service in the 2020s, advertising it on the same forums that had helped them profit from their early cybercriminal activities. Incredibly, one of the founder’s spouse is openly advertises this service on the Internet, which could highlight the lack of discernment and understanding of the illegal nature of activities related to the possession of a BPH.
Sources:
[1] Matt Burgess,“The Alleged LockBit Ransomware Mastermind Has Been Identified,” Wired,May 7, 2024, https://www.wired.com/story/lockbitsupp-lockbit-ransomware/
[2] “InternationalAgencies Sanction Dmitry Khoroshev, LockBit Leader,” May 7, 2024, https://www.chainalysis.com/blog/nca-ofac-sanctions-dmitry-khoroshev-lockbit-ransomware-2024/
[3] “StarkIndustries Solutions: An Iron Hammer in the Cloud – Krebs on Security,” May 23,2024, https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/
[4] RBN Reloaded - Amplifying Signals from the Underground, 2017, https://www.youtube.com/watch?v=PGTTRN6Vs-Y
[5] Vladimir Kropotov, Robert McArdle, and Fyodor Yarochkin, “Inside the Bulletproof HostingBusiness: Cybercriminal Methods and OpSec - Security News” (Trend Micro,October 6, 2020), https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/inside-the-bulletproof-hosting-business-cybercrime-methods-opsec
[6] SeanGallagher, “German Police Seize ‘Bulletproof’ Hosting Data Center in FormerNATO Bunker,” Ars Technica, September 30, 2019, https://arstechnica.com/information-technology/2019/09/german-police-seize-bulletproof-hosting-data-center-in-former-nato-bunker/
[7] “Here’s Who IsPowering the Bulletproof Hosting Market,” Intel471, March 3, 2021, https://intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers-2021
[8] “UkrainianHacker Sought by US Arrested,” Yahoo News, July 16, 2019, https://www.yahoo.com/news/ukrainian-hacker-sought-us-arrested-152808009.html
[9] “Арбитраж - Exploit.IN - Forum & Jabber DDOS, SweetMika& Co, @sweetMika7_sweet,” XSS[.]is (ex DaMaGeLaB), January 20, 2021, https://xss[.]is/threads/47046/
[10] “Forum &Jabber DDOS, SweetMika & Co, @sweetMika7_sweet,” Exploit[.]IN Forum, January20, 2021, https://forum.exploit[.]in/topic/182703/
[11] “RussianLanguage Cybercriminal Forums – Analyzing The Most Active And RenownedCommunities,” accessed July 2, 2024, https://www.own.security/ressources/blog/russian-language-cybercriminal-forums---chapter-iii-analyzing-the-most-active-and-renowned-communities-english-only
[12] “What Is DNSFast Flux? | DNS Fast Flux Attack,” accessed July 2, 2024, https://www.cloudflare.com/learning/dns/dns-fast-flux/
[13] Janos Szurdi, Rebekah Houser, and Daiping Liu, “Fast Flux 101: How Cybercriminals Improve theResilience of Their Infrastructure to Evade Detection and Law EnforcementTakedowns,” March 2, 2021, https://unit42.paloaltonetworks.com/fast-flux-101/
[14] “Who Is Spamhaus - the Leader in IP & Domain Reputation Data,” accessed July 2,2024, https://www.spamhaus.org/who-is-spamhaus/
[15] “Мануал/Книга - Список Анонимных Хостеров Принимающих Крипту,” XSS[.]is (ex DaMaGeLaB), January 6, 2022, https://xss[.]is/threads/60934/