Bulletproof Hosting: The Dark Infrastructure Behind Global Cybercrime
A recent report by the Knownsec 404 team highlights the pivotal role of bulletproof hosting services in facilitating global cybercriminal activities. These specialized hosting providers, often referred to as “dark internet service providers,” are critical enablers of illicit operations, offering robust logistical support for phishing, ransomware, and botnet activities.
Bulletproof hosting (BPH) services offer highly concealed internet infrastructure designed to evade legal oversight. These services allow cybercriminals to host malware, command-and-control servers, spam platforms, and even illegal content. “Bulletproof hosting services provide a ‘safe haven’ for cybercriminals, enabling them to carry out illegal activities without being tracked or suppressed in an unregulated environment,” the report explains.
Key characteristics of BPH services include:
- Lenient content policies that tolerate or even encourage illegal activities.
- Strategic location choices in countries with lax internet laws, such as Russia, Seychelles, and Moldova.
- Resistance to content deletion, often ignoring takedown requests and cooperating with users to evade legal actions.
The report delves into the activities of ELITETEAM, a well-known bulletproof hosting provider operating from Seychelles under the guise of “1337TEAM LIMITED.” ELITETEAM’s infrastructure supports a variety of criminal endeavors, including:
- Phishing: ELITETEAM’s IPs have been implicated in large-scale phishing campaigns, ranking 8th globally in malicious activity according to a 2021 phishing survey.
- Ransomware propagation: The network is linked to major malware families like Qakbot and Emotet, which have been used in high-profile ransomware attacks.
- Dark web operations: ELITETEAM’s services have facilitated cryptocurrency scams and money laundering on platforms like the Hydra market.
These activities demonstrate how BPH providers act as the backbone of cybercrime, enabling persistent and transnational operations.
Using the ZoomEye cyberspace search engine, the Knownsec 404 team analyzed ELITETEAM’s network segment, 185.215.113.0/24, uncovering numerous malicious indicators:
- All 256 IP addresses in this network were flagged as malicious.
- Common SSL certificate Subject values and fingerprints linked the segment to other suspected BPH networks, such as 185.208.158.0/24, suggesting shared control by a single hacker group.
- Open ports, unique HTTP content, and JARM values further corroborated the network’s use for cybercriminal activities.
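The pivot described above, in which shared TLS certificate fingerprints and JARM values tie one /24 to another, can be reproduced on any scan export. The following is an added example, not code from the Knownsec 404 report or ZoomEye: the two subnets are the ones the report names, but the host records, certificate values and JARM strings are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample scan records. Only the /24 prefixes come from the report;
# every certificate subject, fingerprint and JARM value here is made up.
RECORDS = [
    {"ip": "185.215.113.10", "cert_subject": "CN=shared.invalid", "cert_sha256": "aa11", "jarm": "jarm-A"},
    {"ip": "185.215.113.77", "cert_subject": "CN=shared.invalid", "cert_sha256": "aa11", "jarm": "jarm-A"},
    {"ip": "185.208.158.5",  "cert_subject": "CN=shared.invalid", "cert_sha256": "aa11", "jarm": "jarm-A"},
    {"ip": "185.208.158.9",  "cert_subject": "CN=other.invalid",  "cert_sha256": "bb22", "jarm": "jarm-A"},
    {"ip": "203.0.113.4",    "cert_subject": "CN=benign.invalid", "cert_sha256": "cc33", "jarm": "jarm-B"},
]


def pivot(records, key):
    """Group hosts by one artifact (cert fingerprint, JARM, ...) and return
    the sorted list of /24 networks in which each distinct value was seen."""
    groups = defaultdict(set)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        groups[r[key]].add(str(net))
    return {value: sorted(nets) for value, nets in groups.items()}


def linked_segments(records, seed_net, keys=("cert_sha256", "jarm")):
    """Return every other /24 that shares at least one artifact with a host in
    seed_net, together with the artifacts that link them. A certificate
    fingerprint match is strong evidence of common control; a JARM match alone
    is weak, since unrelated servers running the same TLS stack collide, so
    callers should weigh the returned evidence rather than treat it as equal."""
    seed = str(ipaddress.ip_network(seed_net))
    links = defaultdict(set)
    for key in keys:
        for value, nets in pivot(records, key).items():
            if seed not in nets:
                continue
            for net in nets:
                if net != seed:
                    links[net].add(f"{key}={value}")
    return {net: sorted(evidence) for net, evidence in links.items()}


if __name__ == "__main__":
    for net, evidence in linked_segments(RECORDS, "185.215.113.0/24").items():
        print(net, "linked via", ", ".join(evidence))
```

On the constructed records, 185.208.158.0/24 is linked to the seed segment by both the certificate fingerprint and the JARM value, while 203.0.113.0/24 shares neither and is not reported.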
“By understanding the operational methods of these services, we can clearly see how they provide shelter for cybercrime and enable malicious activities to persist by evading legal oversight,” the report concludes.