In a joint announcement, the Cybersecurity and Infrastructure Security Agency (CISA)—alongside the NSA, FBI, DoD Cyber Crime Center, and international cybersecurity partners—has published a comprehensive guide aimed at dismantling the global ecosystem of bulletproof hosting (BPH) providers, the behind-the-scenes infrastructure powering ransomware, phishing, data theft, and other cybercriminal operations.
The guide, titled Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers, marks one of the most unified global efforts yet to combat criminal hosting networks. As the document notes clearly: “A BPH provider is an internet infrastructure provider that knowingly and intentionally markets and leases their infrastructure to cybercriminals.”
The agencies warn that such providers have become deeply entrenched in campaigns targeting critical infrastructure, financial institutions, and high-value enterprises, often enabling ransomware groups and other threat actors to operate with impunity.
The guide outlines how BPH operators use permissive abuse policies, fraudulent sign-up schemes, jurisdictional arbitrage, and infrastructure obfuscation to protect cybercriminal customers.
According to the report, “BPH providers continue to pose a significant risk to the resilience and safety of critical systems and services.”
These providers frequently avoid complying with subpoenas, delay takedown requests, and actively advertise themselves as “law enforcement proof.” Some even demand unrealistic documentation before responding to abuse complaints—stalling long enough for attackers to rotate infrastructure.
The guide highlights that cybercriminals rely on BPH systems for:
- fast-flux hosting
- malware distribution
- command-and-control operations
- phishing campaigns
- hosting illicit content
- supporting ransomware and extortion operations
One of the most challenging findings: BPH networks often blend seamlessly into legitimate cloud ecosystems.
The guide warns: “BPH infrastructure is integrated into legitimate internet infrastructure systems, making it difficult for defenders to mitigate the cybercriminal activity.”
Threat actors exploit:
- leased servers from reputable cloud providers
- rapid ASN registration
- constant IP cycling
- temporary communication channels
- CDN-like load distribution
Block an ASN today, and criminals may simply reappear under a new one within days.
Rather than broad ASN blocking—which risks collateral damage—the guide pushes for precision filtering, emphasizing that defenders should weigh the impact on legitimate users.
Key recommendations for ISPs and network defenders include:
1. Curate a High-Confidence Malicious Infrastructure List
Use a combination of threat intelligence feeds, traffic analysis, and community sharing to build and maintain a validated list of malicious IPs and ASNs.
2. Conduct Traffic Baseline Analysis
Identify outlier behaviors—such as fast-flux patterns—that may indicate BPH infrastructure.
3. Implement and Audit Filters
Filters must be logged, reviewed, and updated frequently to avoid blocking legitimate traffic.
4. Share Intelligence Broadly
Sharing provides industry-wide validation and reduces the risk of accidental over-blocking.
5. Use Upstream Providers with Secure-By-Design Practices
ISPs should pressure providers to adopt stricter customer verification and routing security.
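As an added illustration of recommendations 2 and 3 above (this is example code, not from the guide or this article), the sketch below runs a fast-flux baseline check over constructed resolver log lines and records every filter decision with its reason so the filter can be audited; the log format, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (sample data, not real indicators): timestamp, qname, type, answer IP, TTL.
SAMPLE_LOG = """\
2025-01-10T10:00:00 login-portal.example A 203.0.113.10 ttl=60
2025-01-10T10:01:05 login-portal.example A 198.51.100.23 ttl=45
2025-01-10T10:02:10 login-portal.example A 192.0.2.77 ttl=30
2025-01-10T10:03:15 login-portal.example A 203.0.113.200 ttl=60
2025-01-10T10:04:20 login-portal.example A 198.51.100.9 ttl=50
2025-01-10T10:05:25 login-portal.example A 192.0.2.150 ttl=40
2025-01-10T10:00:00 www.example.org A 203.0.113.5 ttl=3600
2025-01-10T10:30:00 www.example.org A 203.0.113.5 ttl=3600
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, qname, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        ts, qname, _rtype, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), qname, ip, int(ttl.split("=")[1])))
    return records

def fast_flux_candidates(records, min_ips=5, max_ttl=300, window_min=10):
    """Baseline check: a name answering with many distinct IPs, all with short
    TTLs, inside a short window is the fast-flux outlier the guide describes."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_name[qname].append((ts, ip, ttl))
    flagged = {}
    for qname, rows in by_name.items():
        rows.sort()
        span_min = (rows[-1][0] - rows[0][0]).total_seconds() / 60
        ips = {ip for _, ip, _ in rows}
        if len(ips) >= min_ips and span_min <= window_min and all(t <= max_ttl for _, _, t in rows):
            flagged[qname] = sorted(ips)
    return flagged

def apply_filter(records, blocklist, flagged, audit_log):
    """Drop records on the curated list or flagged by the heuristic; log each block with its reason."""
    allowed = []
    for ts, qname, ip, ttl in records:
        if ip in blocklist:
            audit_log.append(f"{ts.isoformat()} BLOCK {qname} {ip} reason=high-confidence-list")
        elif qname in flagged:
            audit_log.append(f"{ts.isoformat()} BLOCK {qname} {ip} reason=fast-flux-heuristic")
        else:
            allowed.append((ts, qname, ip, ttl))
    return allowed
```

Reviewing the audit log entries tagged `fast-flux-heuristic` against known-good names is the step that keeps the heuristic from silently blocking legitimate traffic.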
The guide places special emphasis on the critical role ISPs play in reducing BPH terrain.
ISPs are urged to:
- notify customers when malicious filters might impact availability
- offer optional pre-built blocklists for high-risk customers
- establish sector-wide conduct standards
- implement “know your customer” vetting to prevent fraudulent signups
- enforce routing security to prevent BGP hijacking or obfuscation
Know-your-customer vetting includes verifying banking details, identity documents, and contact information to limit anonymous abuse.