Cybercrime can be a lucrative business if you do it well. But how do criminals ensure the success of their schemes without interference from law enforcement or industry-led interventions, such as takedowns?
The answer is a criminal service known as “bulletproof” hosting.
Possibly the largest facilitator of online crime, so-called “bulletproof” hosters provide protected internet infrastructure for serving up illicit content, whether that be malware command and control servers, phishing pages, online shops selling stolen credit cards, money-mule recruitment sites or in fact, most other online criminal schemes. These services will often not respond to requests to remove material, or alternatively, respond as if they had taken the right steps but simply move the material to another location on infrastructure they control.
In an historical case, the creators of the banking malware known as Gozi were accused of being responsible for tens of millions of dollars of losses. In the case, despite having no knowledge of the malware itself, one of the accused was indicted for his role in the conspiracy for knowingly providing bulletproof hosting to the malware operators.
Hosters can buy or rent servers from upstream providers to resell and can be based anywhere in the world. In the Gozi case, the operator was based in Romania, where local law enforcement was able to work with US investigators, leading to the arrest. In jurisdictions where relationships between countries are not as good, this can prove a major obstacle.
It is not always obvious if a hosting provider is acting with criminal intent – some hosters may be unknowingly exploited by criminals. However, some are rather more obvious about it. See Figure 1 for an overt example of such a service, which openly offers solutions for all your malware and phishing needs.
Figure 1 – dark web advertisement for bulletproof hosting.
Costs for bulletproof services can be much higher than for legitimate hosting solutions, yet the service continues to prove popular on the criminal underground, offering a potentially low-risk, high-reward and scalable business model. If done carefully, operators can act with anonymity and impunity, making them difficult for law enforcement to detect and bring to justice.
For organizations that suffer from such activity, bulletproof hosting can be problematic. However, by tracking threat actors, their techniques and motivations, organizations can better understand the threat landscape and adjust their security postures accordingly.