Bulletproof hosting, the Internet’s criminal safe haven

Summary

Have you ever heard of bulletproof hosting? Every online criminal operation needs somewhere to live.

Whether it is a phishing site impersonating a bank, a ransomware command server coordinating attacks, or a marketplace selling stolen credentials, cybercrime depends on infrastructure connected to the Internet. Malware may receive the headlines and hackers may attract the attention, but neither can operate without the digital foundations that support them.

The hosting problem

For legitimate organisations, obtaining hosting services is relatively straightforward. Businesses purchase server space, deploy applications, and rely on providers to maintain network connectivity and security. Those same providers, however, are expected to enforce acceptable use policies and respond to complaints involving abuse, fraud, malware, or other illegal activities.

For cybercriminals, this creates a problem. A phishing website that is taken offline within hours generates little profit. A malware campaign that loses its command-and-control infrastructure may collapse entirely.

Criminal enterprises require hosting providers willing to tolerate activities that conventional companies would immediately terminate. This demand gave rise to one of the most important service sectors within the cybercrime ecosystem: bulletproof hosting.

Bulletproof hosting: selling persistence instead of security

The term “bulletproof hosting” is somewhat misleading. These providers are not immune to law enforcement action, nor are their systems technically invulnerable.

Instead, the term refers to their willingness to resist complaints, ignore abuse reports, delay investigations, or otherwise allow questionable customers to remain online for longer than would normally be possible.

Their product is not server space; it is persistence.

For a cybercriminal, remaining online for an extra week may mean thousands of additional victims. For a ransomware operation, a few extra days can translate into millions of dollars in extortion payments. In this environment, uptime becomes a valuable commodity.

Some providers openly advertise anonymity, cryptocurrency payments, minimal customer verification, and resistance to takedown requests. Others operate more discreetly, presenting themselves as ordinary hosting companies while quietly attracting customers involved in cybercrime.

Regardless of their marketing approach, the underlying business proposition remains remarkably consistent. They offer an environment where risk is transferred from the customer to the provider.

The hosting provider that helped power global spam

One of the earliest examples that drew widespread attention to this issue was the hosting company known as McColo.

During the mid-2000s, security researchers discovered that a significant portion of the world’s spam operations depended on infrastructure associated with McColo. The company was linked to numerous botnet operators who used its services to control infected computers and distribute enormous volumes of unsolicited email.

When upstream providers eventually disconnected McColo from the Internet in 2008, researchers observed a dramatic decline in global spam traffic. The event highlighted an important lesson that continues to influence cybersecurity strategy today.

Rather than focusing exclusively on individual criminals, disrupting the infrastructure that supports them can produce far-reaching effects across the entire ecosystem.

The evolution of criminal-friendly hosting

As law enforcement agencies and security researchers became more effective at identifying malicious infrastructure, hosting operators adapted.

Many providers began distributing their services across multiple jurisdictions. Servers might be physically located in one country, owned through a company registered in another, and leased to customers residing elsewhere. This complexity made investigations significantly more difficult.

Some organisations became notorious within cybersecurity circles for their apparent willingness to host malware, phishing campaigns, fraud operations, and other criminal activities. Among the most frequently discussed was the Russian Business Network, a provider that became synonymous with criminal hosting during the late 2000s.

Whether every allegation made against such organisations was accurate remains debated, but their reputations illustrate how certain providers became embedded within the broader cybercrime economy.

These were not simply companies renting servers. They were facilitating an entire ecosystem of criminal services.

Building resilience through infrastructure

Modern cybercriminal organisations increasingly assume that portions of their infrastructure will eventually be discovered and disrupted. As a result, resilience has become a central design principle.

Hosting providers catering to high-risk customers often support techniques such as rapid server migration, distributed hosting arrangements, proxy networks, and fast-flux DNS configurations. These approaches make it more difficult for investigators to identify the true location of malicious services and allow operators to recover quickly when infrastructure is removed.

The objective is not necessarily to remain invisible forever. Instead, it is to make disruption expensive, time-consuming, and operationally difficult.

This philosophy mirrors business continuity planning in the legitimate world. Just as organisations prepare for outages and disasters, cybercriminals prepare for investigations and takedowns.
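From the defender's side, the fast-flux DNS configurations mentioned above leave a recognisable pattern in passive DNS data: one name resolving to many addresses, spread across unrelated networks, with short TTLs. The sketch below is an added example, not code from the original article; the observations are constructed (documentation IP and ASN ranges), and the three thresholds are assumptions to tune against your own resolver logs.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; tune on your own data.
MIN_IPS = 5           # distinct A records seen for the name
MIN_ASNS = 3          # distinct origin networks behind those records
MAX_MEDIAN_TTL = 300  # seconds

# Constructed passive-DNS observations: (domain, resolved IP, TTL, origin ASN).
OBSERVATIONS = [
    ("shop.example.com", "192.0.2.10", 3600, 64500),
    ("shop.example.com", "192.0.2.11", 3600, 64500),
    # CDN-like: many IPs and short TTLs, but a single network.
    *[("static.example.net", f"198.51.100.{i}", 60, 64501) for i in range(1, 7)],
    # Flux-like: many IPs, short TTLs, scattered across unrelated networks.
    ("login-update.example.org", "203.0.113.5", 120, 64502),
    ("login-update.example.org", "203.0.113.77", 120, 64503),
    ("login-update.example.org", "198.51.100.200", 180, 64504),
    ("login-update.example.org", "192.0.2.140", 180, 64505),
    ("login-update.example.org", "203.0.113.9", 120, 64506),
    ("login-update.example.org", "198.51.100.31", 180, 64502),
]

def summarize(observations):
    """Collect distinct IPs, distinct ASNs and all TTLs seen per domain."""
    stats = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": []})
    for domain, ip, ttl, asn in observations:
        entry = stats[domain.lower().rstrip(".")]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
        entry["ttls"].append(ttl)
    return stats

def fast_flux_candidates(observations):
    """Return domains that meet all three signals, with the values that matched."""
    flagged = {}
    for domain, s in summarize(observations).items():
        med_ttl = median(s["ttls"])
        if (len(s["ips"]) >= MIN_IPS and len(s["asns"]) >= MIN_ASNS
                and med_ttl <= MAX_MEDIAN_TTL):
            flagged[domain] = {"ips": len(s["ips"]), "asns": len(s["asns"]),
                               "median_ttl": med_ttl}
    return flagged

if __name__ == "__main__":
    for name, why in fast_flux_candidates(OBSERVATIONS).items():
        print(name, why)
```

Requiring network diversity as well as IP count and TTL is what keeps the CDN-like name out of the result; a flagged name is a lead for review, not a verdict.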

Cyberbunker and the limits of protection

One of the best-known examples of alleged bulletproof hosting emerged from a facility known as CyberBunker.

Operating from a former military bunker, the organisation developed a reputation for hosting controversial and high-risk customers. Its operators allegedly promoted a philosophy of accepting almost any content except material specifically prohibited under their own rules.

For years, the facility became a symbol of resistance to conventional Internet governance and abuse enforcement.

Eventually, however, law enforcement agencies coordinated an extensive international investigation that resulted in arrests and infrastructure seizures.

The case demonstrated an important reality. Bulletproof hosting may delay intervention, but it does not eliminate risk. Persistence is not the same as immunity.

Why law enforcement targets infrastructure

As cybercrime matured into a service-based economy, investigators increasingly shifted their focus toward infrastructure providers rather than individual attackers.

This strategy became evident during the dismantling of the Avalanche network. Instead of pursuing a single malware family or criminal group, authorities targeted a platform that supported phishing operations, malware distribution, and money laundering activities affecting victims worldwide.

More recently, international initiatives such as Operation Endgame have continued this approach by focusing on the infrastructure and services that enable criminal activity at scale.

The logic is straightforward. Removing one phishing site may stop one campaign. Disrupting a hosting provider or infrastructure network can affect hundreds or thousands of operations simultaneously.

Infrastructure creates leverage.

The landlords of the underground economy

When people think about cybercrime, they often focus on the criminals who conduct attacks. Yet many of the most important players never directly target victims. They provide services, maintain infrastructure, process payments, and create the conditions that allow others to operate.

In many respects, bulletproof hosting providers function as landlords within the underground economy. Their customers may change, their servers may move, and their corporate structures may evolve, but their role remains remarkably consistent.

They provide the digital real estate upon which cybercrime is built.
