Video: 50 Shades of Bulletproof Hosting: Understanding a Core Enabler of Cybercrime | Duration: 8184s | Summary: 50 Shades of Bulletproof Hosting: Understanding a Core Enabler of Cybercrime | Chapters: Introduction to Bulletproof Hosting (1.065s), Defining Bulletproof Hosting (199.76s), Bulletproof Hosting Explained (435.875s), Cybercrime Enabling Services (686.515s), Abusing Trusted Services (1160.775s), Black Basta Ransomware Infrastructure (1595.135s), Cyberbunker Hosting Controversy (2102.725s), Russian Business Network (2481.53s), Bulletproof Hosting Services (2721.445s), Bulletproof Hosting Evolution (3091.535s), Law Enforcement Tactics (3793.235s), Bulletproof Hosting Services (4183.96s), Scattered Bulletproof Hosting (5225.375s), Accessing Flare Platform (5619.075s), Internet Infrastructure Explained (5692.895s), BGP and Internet Structure (6091.2s), IP Attribution Challenges (6582.795s), Investigating Malicious Infrastructure (6702.915s), Investigation Case Study (7234.94s)
Transcript for "50 Shades of Bulletproof Hosting: Understanding a Core Enabler of Cybercrime": So you're in... I mean, you're away. Hello, everyone. Nice to meet you. I guess we can get started. So today's subject is going to be about bulletproof hosting. I named this session "50 Shades of Bulletproof Hosting" for a simple reason. Three years ago, when I started to study this subject, I understood that reality is very complicated compared to this description of what a bulletproof hosting is, in the sense that there are so many different cases, so many different types of services, that this label "bulletproof" is in fact far from really describing all this variety. So in this session, what we are going to try to achieve is to explore this underground ecosystem and this specific underground service. My main goal for today will be to give you a clear definition of what a bulletproof hosting is, what the typology of those bulletproof hostings is, and to give you some historical background so you can understand how this term was coined, how it appeared, with some historical examples. Then I would also like to explore a little bit the technical side: what BGP is, what autonomous systems are, and this kind of stuff, just to give you the basic knowledge to be able to do the investigation and to explore this type of services yourself. And eventually, in the end, I will share with you an investigation that I did three years ago, and that is still very relevant today because the service is still very much alive, as we will see. If you have any questions, do not hesitate to drop them in the Q&A part. I will try to have a look and answer them. I would prefer it to be as dynamic as possible.
So do not hesitate to interrupt and ask. So let's get started. Happy to see all of you, and do not hesitate to interrupt me and ask questions. Very shortly about me: I'm a CTI analyst. You see my social networks. I have a blog, .com, where I mostly write about the Russian-speaking ecosystem. So if you're interested, have a look; there are already some materials about bulletproof hosting there that can also be interesting for you. So let's start with the most important part: what is a bulletproof hosting? Because there are so many people who pretend to provide bulletproof hosting services in the underground, or even if you just look in Google for "bulletproof hosting", you will find a lot of services that advertise as bulletproof hosting. But the reality is that most often, they are not. In the best case, they are what we could call offshore hosting; we are going to see what that is. So without further ado, let's try to understand what a bulletproof hosting is, at least in theory. In theory, a bulletproof hosting is a type of cybercriminal service that is provided by cybercriminals for cybercriminals, and that helps them host their websites, host any files, so basically hosting services, even purchase a DNS. It can be a proxy. So any kind of hosting service that aims to help you conduct cybercrime and reduce the exposure in terms of abuse. What does it mean? It means that if I'm a bulletproof hosting and I'm hosting your website, I will ignore the complaints, the abuse reports that may arrive at my abuse email; I will simply not consider them, and I will not take down your website. This is at least how it works in theory. In practice, as we are going to see, there is not really such a thing as a 100% bulletproof hosting service. It doesn't exist. So threat actors use bulletproof hosting not necessarily to be invincible; it's not possible.
But because bulletproof hosting services will maintain their service for a longer period, and if, for example, their server or their IP address is going down because it's blacklisted, the service will provide a new one and help the cybercriminal maintain its operation as long as possible, or provide him with a replacement. So I hope this is more or less clear. Once again, it's not a silver bullet; like I said, it will help but not solve all the issues, as we are going to see. Another very important factor of a bulletproof hosting, which can also apply to offshore hostings, is that they will basically allow you to host things that are illegal to different extents. So in the case of bulletproof hostings, it can be anything related to cybercrime, to malware, to child pornography, to terrorism, this kind of stuff. Once again, in theory; we are going to see that, in fact, a lot of people who are providing this type of service are at least claiming to have some limits. So this is the main difference, basically, with offshore hosting, where the type of illegal things that they are going to host is mostly linked to piracy: pirated movies, things that you use to stream movies, storing books, this kind of stuff. So offshore hosting will mostly exploit legal loopholes in different jurisdictions, in different countries. For example, in the Netherlands, it's very easy to host pornography, because they don't have the same laws, so they don't really stop hosting services from hosting this type of content. And the same goes for policy-related content. So offshore hostings also accept things that can be illegal in some countries, but not everywhere.
And they will basically play with this gray zone and exploit different legal loopholes to provide the service. Another common point between bulletproof hostings and offshore hostings is that they will very often apply no KYC. What does it mean? It means that any customer can register their account anonymously without providing their real name, their real banking information, this kind of stuff. Of course, they can accept payments with cryptocurrencies, which also grants a complementary level of anonymity. We know that cryptocurrencies are not anonymous. Obviously, if you pay from your wallet on Binance, well, Binance requires your ID to open a wallet account, so if you pay with some cryptocurrencies from a wallet that is linked to Binance, there is nothing anonymous about that, but it's a complementary layer. And, of course, cybercriminals have ways to obtain cryptocurrencies without having to open accounts at places like Binance, so they can avoid the KYC for cryptocurrency possession as well. But this is another story, maybe for another time. So the whole point of a bulletproof hosting basically is to allow you to host your illegal, malicious content anonymously and as stably and as long as possible, as disruption-free as possible for this type of activity. So the main categories of cybercrime that we can find on bulletproof hostings are brute forcing, scanning, phishing, malware C2 (command and control), ransomware sites or at least ransomware FTP servers, spam infrastructure, and of course everything that is linked to darknet marketplaces: it can be forums, it can be drug marketplaces, it can also be things linked to child pornography, unfortunately, or to terrorism. So these are the broad examples of what can be shared and hosted on this type of service. I just have a question. Oh, yeah.
Great question. Was Cyberbunker a real bulletproof hosting service? This is a great question, and we are going to answer it a little bit later on. The answer is, kind of. This service appeared at the beginning of what we could understand as the Internet, and it appeared at the beginning, when the concept of bulletproof hosting was coined. So let's say that even if it's not a real bulletproof hosting, it's as close as it got at that time, which was the beginning of the two thousands. But we will get back to this question again. So let's move on. Very often, when we talk about bulletproof hosting, we talk about a core enabler of cybercrime. Why exactly? It's because some services, like bulletproof hostings, but also marketplaces, forums, and illicit cryptocurrency exchanges, are really the most basic and the most important services that allow other cybercriminals to conduct their activities. If you want, they are at the bottom of this pyramid, and because they exist, they help other cybercriminals conduct their activity. I will not tell you that if bulletproof hosting did not exist, or if it was not possible to create such a service, cybercrime would not exist. But you need to think of it as an accelerator, something that will ease and simplify the conduct of cybercrime for other cybercriminals. So this picture, I think, depicts this idea quite well. But once again, at the bottom of this pyramid, I could also add other services that are very important. For example, I was talking about forums. Why are forums also an enabler of cybercrime? Because they provide a place not only for discussion, but also for monetary exchange.
And by that, I mean that they will be guaranteeing that the exchange is going to happen and that the buyer and seller are going to get their service and their money. It's basically called the escrow system. An escrow system is like, for example, PayPal. How does it work? PayPal will take a fee, a commission, from any transaction that occurs with its service. And, of course, PayPal will guarantee that the buyer will get their goods and that the seller will get their money, and each time they take a commission for that. Well, forums are doing exactly the same. They are taking around 10% commission for this type of thing. So bulletproof hostings are not the only enabler of cybercrime, but they are one of the core ones. Let me just check that there are no other questions. Good. So let's also demystify it a little bit further, because very often, when you read common newspaper articles, for example about Cyberbunker, you have the feeling that those infrastructures are absolutely invincible, that it's impossible to dismantle them, or that anyone who can use a bulletproof hosting can do whatever they want and that there are no consequences for using them. Well, first of all, as we are going to see, bulletproof hostings are not an absolute necessity to conduct cybercrime, but more on that later on. And even more importantly, bulletproof hostings are themselves sometimes a liability for cybercriminals. One of the main problems, when you just have a look at cybercrime forums where bulletproof hostings are offering their services, is that you see a lot of complaints from users about stability issues, about exit scams. So basically, all the normal problems that a cybercriminal can face, they will have to face with bulletproof hostings too. But you have to add on top of that stability issues.
Because as this infrastructure is not always very stable (we are going to see that there are different types of hosting services), it can have an impact on operations. So let's say that the most advanced and the most serious ones have a very high uptime, but even they can have problems. For example, one of the bulletproof hostings that I've studied had some legal issue with one of its data centers, and the data center simply cut access to the service at some point because there were some payment disputes. And because of that, the whole service was basically down. Another example: cybercriminals are very tough in terms of competition, and sometimes rival services will hack each other. What does it mean? It means that, for example, somebody may hire hackers to get inside the infrastructure of another one and simply wipe all of the data. This is a real example that happened and that was widely discussed on a Russian-speaking forum. And this is just another proof that this type of hosting has its downsides, because they don't necessarily have backups, because maybe you don't want to have a backup for your illegal activities. So you need to understand that they are not adapted to any type of activity, and, as we will see, cybercriminals do not always choose them. Another very interesting example is law enforcement disruption. I will just quote several cases that are, in my opinion, very revealing and very interesting. In 2008, there was a bulletproof hosting service that was called McColo. It was a US-based hosting provider that enabled spam botnets, and it was itself responsible for around 66% of global spam. So when the American journalist Brian Krebs published an article about them, basically, they got what we call depeered by upstream ISPs.
I'm going to talk about it later, but it means that they were basically unplugged from the Internet. And all the spam traffic dropped very dramatically after that, which shows that there was a high concentration of this type of activity on this network. Another example, more recent, in 2016: the BPH was called the Avalanche Network. This bulletproof hosting was hosting 20 malware families: ransomware, banking, phishing. And it was dismantled via a massive domain seizure and sinkholing. So basically, it was a law enforcement operation that, in this case, asked all the providers to cut off the domains and remove access to the IPs of this BPH from the Internet. Then, more recently, we have other cases that are not as successful, but also very interesting. Have you heard about Aeza Group? We are going to talk about it a little bit later on. Aeza Group is a group of hostings located in Saint Petersburg, Russia, and it's mainly responsible for disinformation campaigns distributed by Russia, but also for cybercriminal hosting activities. So in this case, the law enforcement operation was not as successful, because the police tried to impose sanctions on all of the people linked to this service and also tried to conduct some depeering. But, nevertheless, the service is still live today and is still hosting malicious activity, as we're going to see. So these are just some examples of some of the most famous takedowns and disruptions that occurred recently, and, as we see, they are not always successful. The best-case scenario is when law enforcement can seize the infrastructure, can unplug the IPs and the ASNs from the global Internet, and can impose sanctions and, of course, arrest people.
But sometimes, when it's not possible, the only thing that law enforcement will be able to do is at least name and shame, which is the least that they can do, but it's still an act, and it still puts pressure on these infrastructure providers. Do we have any questions? No. For the moment, it's all good. So this is another point that I wanted to make. Cybercriminals do not always need bulletproof hostings, and they perfectly know it; they are perfectly aware of that. So they will adapt where they host to what exactly they are doing and what exactly they're trying to achieve. Very often, let's say that if you are hosting something like a leak site, a C2 server, a scanning or a spamming service, yes, you will need bulletproof hosting, because the infrastructure will be unstable, you will need to renew it, and you basically need to have access to this type of service. But if you want to conduct a very discreet operation, if you want to distribute malware without being detected, if you want to abuse legal and real infrastructure that has a good reputation, IPs with good reputation that are linked to major service providers like CDNs, Cloudflare, AWS, Microsoft, in these cases it can be very interesting for cybercriminals or threat actors to do what we call living off trusted services. And there are several examples that I wanted to mention today that are, in my opinion, very interesting examples of such cases. One of them occurred in 2015, and it's linked to a malware, basically a Russian state malware, that derived daily C2 instructions from Twitter. What it was doing is fetching tasks from GitHub and cloud storage and exfiltrating data over the same trusted platforms, blending entirely into the normal traffic.
So this is an interesting example, because the malware on the infected devices was coded to find the C2 addresses directly on Twitter. And you cannot block Twitter, you know what I mean? It's super complicated. So it's a way to abuse real-world services and hide. It's very hard to detect, and then it's very hard to block. Another example is SLUB, which occurred in 2019. It's a targeted espionage malware that staged payloads on GitHub Gists and used Slack channels as a live interactive C2 bus, turning a corporate messaging tool into a covert command channel. So once again, this is another example; in this case, it was GitHub and Slack that were used. We have other examples, such as DarkHydrus, which, as far as I'm aware, is linked to an Iranian APT. In this case, it used a full Google Drive-based C2 pipeline, using notifications and file polling for both tasking and exfiltration. So once again, the same idea: usage of Google Drive for the C2 pipeline. I could enumerate other examples, but I think you get the idea. We also have HazyBeacon, which was abusing AWS. And more recently, even Discord was used as a C2 transport. So as you can see, there are different ways of abusing real-world services to distribute malware or to have your C2s. And not only threat actors are doing that. Bulletproof hostings are also abusing trusted services. For example, last year, there was an interesting case of a Chinese-related BPH that had its own CDN and that was basically abusing Microsoft and AWS IPs to hide various malicious domains behind a CDN, behind these trusted IPs. So once again, it just shows that reality is not as simple as we may think. I'm just checking. Do we have any questions? No, we don't. I assume that I'm super clear if you don't have any questions, or super boring.
So let's hope it's the first and not the latter. Another real-world case that illustrates this logic of using both legitimate services and bulletproof hosting is a case that occurred last year and that was revealed by a leak last year. Have you heard about Black Basta? Black Basta was a ransomware that existed up until last year. It's a Russia-based ransomware. And what happened last year, at the beginning of the year, is that the internal chats of this ransomware group leaked. Why exactly they leaked is a different story. But what was interesting is that we could learn a lot from those chats, and that we could understand both how the group was structured, but also which infrastructure it was using and for which case. So in terms of structure, we could understand that it was basically running as a company. They had offices in Moscow. They were actually living in the offices, so they were renting very beautiful apartments there. And they had a very hierarchical structure, with different teams doing different things. And you had one team that was basically responsible for providing hosting for everyone else. And when I say hosting, it's not only to store stolen data or to conduct exfiltration, or to deploy ransomware, and of course to host the website, the panel and the leak site of the Black Basta group, but also to have your C2 servers and this kind of thing. And what we learned from these chats is that, basically, the group was using both bulletproof hostings and legitimate services. So for example, in their case, I'm going to show you on another screen. Do you see the screen? Yes, you should. So, long story very short.
This is the guy who was responsible for infrastructure in the chat. And these are some of the IP addresses that he shared, and that's what I basically could learn from them. What was very interesting is that the main leak site, the place where you publish all the victims that you were able to hack and all of their data, was hosted at hetzner.de, a very legitimate and very normal service. And how exactly did they acquire it? Of course, Hetzner is asking you for some minimal information. It's asking you for your ID. It doesn't necessarily accept cryptocurrencies; it wants a credit card. So what they have done is purchase this service through a reseller. So there was, and there still is, a reseller that is called. It doesn't really have its own infrastructure. What it's basically doing is purchasing services at legitimate hosting providers and reselling them for cryptocurrencies to cybercriminals. And in this case, it reveals a very interesting point: Black Basta wanted its main leak site to be hosted at a very stable and very normal service. And the whole point was to obfuscate the real IP of where it was hosted. So as we are going to see, some ransomware groups are sometimes making some mistakes in the configuration of their Tor websites, and they are sometimes leaking the real IPs behind those websites. And, of course, when this leak occurs, law enforcement can try to identify where the servers are and can conduct some operation and this kind of thing.
So the whole game, for cybercriminals who are using hosting services for hosting their websites and this kind of thing, is to obfuscate them properly, either through a CDN like Cloudflare or, when they use Tor, through a fully proper configuration. So in this case, the IP addresses were not leaking, but we were able to identify that those two websites were basically hosted there because it was mentioned in the chat. So, as you can see, they were basically using both bulletproof hostings and normal hosting services. You also have some other ones, nothing really crazy about them. And there are also mentions of cybercriminals that are present on forums, such as Jerry, who is running a very infamous bulletproof hosting service. And they were precisely contacting him to purchase servers for Cobalt Strike. So there was a real separation of what they were doing on each server. You had some servers for FTP. You had some servers for hosting the website. You had some servers for C2 and this kind of thing. So as we can see, reality is not necessarily black and white. It's a mix of both. The most advanced cybercrime groups will basically use both normal hosting, offshore hosting, and bulletproof hosting. So now that we have gone through this introduction with the definition, let's have a look at some historical examples. Do we have any questions? Yes. Exactly. So the Chinese BPH you referred to, is it? Yes. Exactly. It's. I'm going to share a link. I just read it this morning. That's why I did not include it in here. But yeah, if you want to have a look at it, it's super interesting because of the way they were able to hide the malicious domains behind several loops of CNAMEs and eventually behind a legit IP address.
I really recommend you have a look at this article. It's super interesting. Do the criminals also use infrastructure as code for bulletproof hosting? I do not entirely understand this question. Well, maybe if you can explain it better, I can answer it, but I do not understand, so I don't want to tell something that is not true. Like Terraform. Well, I'm not aware. What is Terraform? Let me have a look. It's interesting. You're going to teach me some stuff today. That's wonderful. Okay. Well, I cannot answer this question, but I will definitely do a follow-up on that. I need to have a look, so I don't want to tell you something that is not true. Thank you for the links. I will study it. But right now, I cannot answer. Okay. So if we are good, no other questions, let's continue. So we were talking about some historical cases, and we already had a question about Cyberbunker. So, very quickly, what it is and why it kind of shaped and coined the whole idea of bulletproof hosting, this terminology; at least it took a huge part in it. So in the mid-nineteen nineties, a Dutch citizen, I think he was Dutch or German, German, created his own hosting service inside a former NATO bunker in Zeeland, Netherlands. You are going to see some pictures afterwards. It's a real bunker, a huge concrete building, and he converted it into a place where he had his servers. So it's kind of interesting. And his leitmotif basically was that Cyberbunker is hosting anything except child abuse and terrorism. Well, reality is more complicated than that. There are some suspicions that at least child abuse was hosted there, but we're going to see it after all.
So after it was established in the nineteen nineties, it slowly became famous as a landmark for freedom, this kind of stuff; at least it was marketed in that way. And around 2002, it had a kind of bad adventure, but I think this adventure also reveals a lot about the type of activities and the type of mindset of the people who were behind this service. Apparently, they were also cooking drugs in this bunker, and more precisely, they were cooking MDMA. They had a drug lab inside this bunker. And this lab caught fire and burned the entire building. Of course, it also attracted a lot of attention from law enforcement. And that's why the service kind of closed and had to move elsewhere. So eventually, the same mister opened his hosting service again in another country, in Germany, where he once again found a former German bunker, and he rebuilt the infrastructure inside. And this time, what happened is that, around 2013, so the same year, Spamhaus, which is a service that we are going to talk about, basically blacklisted a lot of their domains, which had a negative impact on the connectivity of the service and also a negative impact on the reputation of the IPs and of the hosting service. And in order to answer that, what Cyberbunker did is conduct one of the biggest DDoS attacks, at least at that time, against Spamhaus, in order to retaliate and to demonstrate that they were not happy about the fact that Spamhaus blacklisted their IPs. So that just gives you the idea of the mindset of the people behind it. Eventually, around 2019, the German police got really tired of this activity, and they conducted a raid with several hundred officers involved.
They seized a huge amount of servers, and they were also able to conduct some research on the servers to see who was hosting what, and analyze what type of cybercriminal activities were going on there, basically to conduct the whole law enforcement operation and dismantle some child abuse traffic. And this is a very important point for this story, because there is a legal aftermath, at least for Germany: in this case, the German court considered that the hosting service was in part responsible for what was hosted by its customers on its service. So, of course, it had a huge legal impact on other hosting services. They now have to be more careful, at least in Germany, with these types of things. So this is just the picture, so we have an idea of how it looks. It's a real bunker. I was not joking. Of course, it's more of a marketing idea rather than something necessary or logical. I'm not sure that it's the best place to have a data center inside. But it just shows that the idea that some are really using very dark and uncommon places to install their infrastructure is kind of true. And we are going to see that this is by far not the craziest example that exists and that is real. Okay. Let's go on. Do we have any questions? No. Good. Another infamous case was the Russian Business Network. This one was active around 2006 and 2007. And the Russian Business Network is actually the name of a Russian company located in Saint Petersburg. Initially, it started as a legitimate Internet service provider. But at some point, the owners of this service decided to pivot to cybercrime and to hosting cybercriminal activities, because it was simply more profitable than normal hosting.
And this service was really very advanced, in the sense that the people who were behind it were technically extremely capable. If you really want to learn more about it, I included a link in the document that you have. It's a report made by David Bizeul. It's an old report, but it's really excellent. Really, I advise you to read it. If the link doesn't work in the file that I gave you, just open it from the Web Archive, so you will have the PDF. And it's not only super interesting to understand how the Russian Business Network worked and functioned, but also to understand how to investigate bulletproof hostings. So even today, the information is still relevant, and I really advise you to have a look. It's long, but it's really useful and interesting if you are interested in this topic. So what was very interesting about this service is that they were excellent with infrastructure management. It was very hard to unplug them because they were very well interconnected to other autonomous systems and other services, as we are going to see later on. And that's why it was super hard for law enforcement to unplug them from the Internet, because by unplugging them, you could basically unplug a lot of other perfectly normal services. And this is the whole game of some advanced bulletproof hosting services: they are so well interconnected and so well involved in the normal hosting ecosystem and in the normal Internet ecosystem that it's hard, not so much to detect them, but to unplug them without consequences for other services. So eventually, what happened is that this service attracted a lot of attention from law enforcement, from researchers, from journalists.
And it's probably one of the most famous cases that helped to coin the name of bulletproof hosting, and also the discipline among CTI researchers of analyzing this type of hosting service, and eventually it disappeared. We don't really know exactly why, but the main idea is that it disappeared because it attracted too much attention. And it probably rebranded, and it probably also was replaced by competitors. So their case basically proved that you can make a lot of money out of cybercriminal hosting. For example, a report from suggests that they made at least $150,000,000 from hosting these various things. So it just gives you an idea of how profitable this business was. Do you have any questions? Are we clear? Yep. I think we are. Yeah. "For someone who wants to produce threat intelligence, what tools or platform can you recommend?" Well, okay. Yeah. So I think my colleagues already sent you the document with all of the super useful tools. I will also be showing them later on in the presentation. But, yeah, normally, with this document, you have everything that you need. Some of them require more technical knowledge, especially if you are going to do a BGP investigation and these kinds of things. But, honestly, just with basic knowledge, you could already do some very interesting investigations. Great. Let's move on. Oh, okay. So this one is a very interesting case, another one, which is called AbdAllah. This service was run by a Ukrainian national. So I'm not doxing anyone, by the way. All of this information is public, and doxing is bad. Please don't do it. In this case, the name was revealed by the American Secret Service.
So Mr. Mikhail Sergei Rytikov was responsible for one of the most prolific and one of the most popular bulletproof hosting services that existed from the mid two thousands to the late two thousand tens. And why did he attract so much attention from law enforcement, especially the American one? What did he do to make them so mad that they deanonymized him and put him on a sanction list? Well, basically, the answer is quite simple. It's that, thanks to the service that he provided, there was a huge carding operation that was conducted against several banks in the US. And over 160,000,000 credit card numbers got stolen. So it had a huge financial impact on the US, and they were really not happy about that. And that's why they basically managed to deanonymize him. And because Ukraine is not extraditing anyone from Ukraine, you can be judged in Ukraine for your crimes, but you will never be extradited. You have a lot of countries like that. France, for example, is not extraditing its nationals, I think. Russia also does not. Ukraine does not. So if someone commits any crimes against another country inside those countries, usually, if there is some law enforcement cooperation, what will happen is that the person will be judged in his own country. But reality is, unfortunately, more complicated than that. Before the full scale invasion of Ukraine in 2022, cooperation between Western and Ukrainian law enforcement was not always super efficient. Let's put it that way. In Russia, it can work or it cannot work. It's really a matter of politics, in fact, as we are going to see. So this is just another example of how hard it can also be to prevent those infrastructures from rebranding and from restarting the activity, because it's basically what happened after the US law enforcement sanctioned and then deanonymized AbdAllah.
What he did, he just did a rebranding, and he became web host, then host. And what is also very interesting is that this service was kind of responsible for hosting the majority of Russian speaking underground forums. And one of the stories that goes around in the underground community, I cannot be sure if it's true or not, is that Mr. Rytikov was not really arrested or bothered a lot by the Ukrainian police because he allegedly, and I underline allegedly, collaborated with Ukrainian law enforcement by giving them access to his service. So, basically, he supposedly gave access to information about cybercriminals to Ukraine and, I think, also to Western law enforcement. And one of the services that was really critical at that time was the Jabber messaging service. I don't know, have you heard about Jabber? Jabber is a very old messaging service, the XMPP protocol, that is still to this day very popular amongst cybercriminals. It has to be centralized, so you have to have a server to run it. And in this case, the Jabber service of the Exploit forum was allegedly hosted at web host or host. So he could have transmitted some of the cybercriminal discussions, everything that was basically not encrypted. Yeah. Exactly. "But don't forget to turn on OTR." Exactly. So, basically, everything that was not encrypted with OTR could have been intercepted by the Ukrainian law enforcement. After that, Mr. AbdAllah also had some other issues with the Ukrainian police. We are going to see a raid on his service that occurred recently, in 2019. I'm going to show you how it looked. And lately, we don't really know if this person continues his activity or not. Did he rebrand? Did he restart his activity? We don't know.
So I will not speculate on that, but I want to show you something interesting. I think you will like it. So this is a video from the. Exactly how it was hidden and where the servers were located. So as you can see, it's a normal house. Yes, it's probably a little bit messy. But then when you get inside, you discover this thing. So what do you think it is? It is a diesel generator. Yeah. Well, what is this? But yeah. So why would someone normal have a huge electricity diesel generator inside the house? Well, the answer for that is probably because you don't want to disclose that you have a huge electricity consumption. And if the power goes down, maybe you don't want your server room to go down with it also. So we can see that there are a lot of cables, and those cables are going underground. And we are going to see where they go. I'm going to accelerate it a little bit. Okay. If you're using this in five part. Oh, they discovered a button. Wow. There is an underground. So, you know, some myths about bulletproof hosting services being in crazy places are true. It's really the minority. It's a very, very small minority of bulletproof hosting services, but some of them are really located in such places. As we are going to see today, they are even with guns. Wow. Crazy. Yeah. So as we will see, the majority of bulletproof hosting services have their rack servers in normal places, in data centers. They don't really do this kind of crazy stuff. But this is the most advanced and the most crazy that you can get with these kinds of things. Yeah. So as you can see, a little bit of money, why not? Yeah. Well, you get the idea, basically. Let's go back to another example. Yeah. I will share all the slides so you'll have access to the video. The video is not listed on YouTube.
It's delisted, so you cannot really find it. I have no idea how I myself stumbled on that. I think it was posted on a cybercriminal forum. But, yeah, it's really a gem, this video. I really love it. Our last example, that was also very famous and that got spoken about a lot, is a bulletproof hosting that's called Aeza. It's still active to this day. And it shows that, you know, even when law enforcement is trying to take some action and trying to unplug you from the Internet, or even sanction people who are linked to you and to your web hosting service, well, it doesn't always work, unfortunately. So why was Aeza famous? Actually, it became famous thanks to an article written by Qurium and by another service, I don't remember which one it is. Oh, yeah. By. So the article was published, the research was published in July 2024, and it was an analysis of the things that were hosted on this bulletproof hosting service. And it was mainly linked to a Russian state disinformation campaign that was called Doppelganger. And what was Doppelganger? It was basically a huge amount of fake news websites. So it was copies of real websites, of, I don't know, any big one, like The Times or whatever you want. And on those copies, they created fake articles about, I don't know, Ukraine, the West, about NATO, and these kinds of things. And the goal was to disseminate it as much as possible through social media and make it as plausible as possible for someone who will not check, who will just open it and not see that the domain is not actually from The Times, but something that is very close to the legitimate domain of The Times. But still, if you don't pay attention, just by the look of the website itself, you can be fooled, and you can think that you are on the real thing, on the real website.
So what happened to Aeza last year was super interesting: its CEO got arrested and sanctioned. First, he got sanctioned in the US and the West, obviously, and he also got arrested in Russia. And this is kind of interesting because it doesn't happen very often. And one of the reasons why the CEO, Yuri Bozoyan, could have been arrested is also because Aeza was not only distributing disinformation websites and these kinds of things, but also hosted drug marketplaces. For example, one of the most infamous of them in Russia, which is BlackSprut. And between BlackSprut and the other drug marketplaces, there's a permanent conflict, because drugs are generating a huge amount of money. And they are also generating a huge amount of corruption amongst officials, of course. But in this case, it seems that the Russian police didn't like at all the fact that Aeza was hosting this drug marketplace. And, officially, it's because of that that he got arrested. So, apparently, they were not really disturbed by the fact that there was a huge disinformation campaign that was running through the hosting of Aeza, and that Aeza was also a host for malware families such as Lumma and Meduza infostealers, for phishing campaigns, for scam traffic, these kinds of things. They even hosted a credential theft market, like shop esn.esu. Well, apparently, this was not really the problem for the Russian police, or at least officially not the only problem. And the things that led to the arrest could be more linked to the drug marketplace. Just to give you an idea about how it looked, you can see some of the screenshots from the reports from. So these are screenshots of posts on Twitter. This was the main dissemination model, but, basically, they were also doing exactly the same through Meta.
And they are still, up to this day, doing exactly the same on Meta. So for example, on Twitter, what they will be doing is creating a huge amount of bot accounts and just copying and pasting these fake articles. On Meta, it's a little bit more sophisticated, because they will not only create fake accounts, which obviously they need to do, but they will also pay for advertisement. So this is a touchy topic, because from one side, Meta claims that they are doing a lot of things to prevent those paid campaigns from being advertised on Facebook and on Instagram. From another side, CTI researchers who are studying the advertisement market on Meta are basically saying that Meta is not doing enough and that they are kind of taking profit from these disinformation campaigns that are advertised. So I would not take any position on that. I know it's probably super complicated to eliminate all of those disinformation campaigns, but probably, yeah, well, you get the idea. So maybe a last point before we dive a little bit into the typology. What also has changed dramatically in the last several years, and more precisely since last year, is that law enforcement is also adapting and trying to be more proactive and more efficient in taking down those bulletproof hosting services. And it's also linked to the evolution of the bulletproof hosting services themselves. As we are going to see, there are fewer of what we call monolithic bulletproof hosting services, and more services that are diversified and, as we are going to see, do not really own the totality of their infrastructure. We are going to talk about that a little bit later on.
But the main idea is that law enforcement today is trying not only to seize the service and to arrest the owner. They are also trying to target the whole ecosystem. So they will sanction shell companies. They will try to unplug the hosting from the Internet. They will also strike at upstream connectivity. So basically, they will ask the people who give connectivity to the autonomous systems of these hosting services to delete them and stop giving them connectivity. They will also track the financial flows through cryptocurrency exchanges. In this case, companies such as Chainalysis and TRM Labs are really the leaders, and they have a huge amount of cryptocurrency addresses that are associated with those services. So they basically can understand who paid, when, and for what, or at least to some extent. And this is also useful because it can help assess how profitable this kind of business is, but also track the money laundering path, because, of course, afterwards the cryptocurrency needs to be cashed out. And this is a very sensitive part, because once you have the cash, you need to launder it in a way. So, of course, law enforcement is also trying to analyze these steps. So we see that law enforcement is stepping up its game, but this is also the case for bulletproof hosting. Let me have a quick look. Do we have any questions? "For CTI, do you think researching..." Okay. Well, I think it's the same question that I had previously. No. "For CTI, do you think researching VPS services is a great strategy for investigating other threat intelligence pathways?" Well, I think yes, but it really depends on your use case and your situation. Let's say that, I don't know.
If you're at a company and you're permanently being targeted by, I don't know, spam campaigns, or you see that there is a DDoS attack, or I don't know, these kinds of things that occur, and you can see that there are some IPs that you can attach to a precise infrastructure, to a precise autonomous system, to a precise organization, then in this case, yes, it makes sense, because you can basically understand where the malicious activity is hosted. And you can then send some abuse complaints for a takedown. Well, if you're not lucky, at least you can use services such as Spamhaus that will also list and blacklist these kinds of services. So it can be interesting. And, of course, it can be interesting if you can monitor the whole IP ranges that you know are malicious, because it will show you what type of activity is occurring there. But it supposes that you have access to tools that allow you to monitor activity. If you don't have access to these kinds of things, you have tools such as GreyNoise, for example, that are not very costly or even free, that can tell you what type of activity is occurring on an IP range or on an AS. For example, I'm going to show it right here. Yeah. I wanted to show it later on, but you get the idea. So in this case, I searched for this autonomous system that belongs to pfcloud, which is a bulletproof hosting that is also reselling its IP addresses to other services and to other bulletproof hostings. So we know it's a kind of middleman, as we are going to see. And you can see here that, for this AS, there are around 112 IP addresses that are associated with malicious activity, 27 that are suspicious, and 149 that are unknown.
And you have some more information here, like the type of malicious activity that occurs. So you can basically assess if it's interesting for you or not. Does it answer your question, rabbit hole? I hope yes. So let's do a little bit of typology very quickly and understand what type of... I'm sorry. Yes. Okay. Perfect. What type of services exist and how we can classify them? You have basically two approaches to classify bulletproof hosting services, either by capabilities or by structure. So the first approach was kind of invented by Trend Micro, and it's the one that I used in my blogs also. I adapted it in a way, but I also attached the report from Trend Micro. It's a little bit old now, but once again, the methodology and the idea behind it are really wonderful, and I would advise you to read it. So this diagram is from their report. I just adapted it for the sake of this presentation, but all merit goes to them. So in this case, basically, we can classify by capability in three categories. The services that are going to cost the least are mostly going to sell you compromised or stolen assets. So what does it mean? It means that if a threat actor simply retrieved, from infostealer logs, the credentials to connect to an AWS server, or these kinds of things, well, they can basically steal it and resell it. The main advantage of this type of hosting service is that the IP addresses are not going to be blacklisted. They are going to be highly trusted by other services. But the downside, of course, is that the stability of this service is going to be very low. And the real owner of this server can ask Amazon or any other service provider to give it back to him. So the lifespan of this service will be super short.
And, of course, everything that you will be doing on this server will be logged, and there is basically no privacy at all. So if you store anything super confidential or malicious, or you don't want to be discovered, this is not the place to do that. But it's mostly used to conduct scanning, brute forcing, and spamming attacks. So for this type of short lived campaign, it's just perfect. And, yeah, it's basically good for that. Then you have services with some kind of infrastructure. By that, I mean that they are usually buying IP ranges from other services, and they will be reselling access to other services. So mostly it's people who are going to resell you things or just sub-rent IP ranges and hosting services. So once again, no secrecy. If some abuse complaints get received by the owner, it will be basically unplugged almost in the second. So it's not really made to resist abuse complaints, but it's good for short term campaigns and for phishing, these kinds of things. So it's a little bit more resistant in terms of time than the compromised assets, but still nothing perfect. And very often, it's marketed as bulletproof by the owner, but in fact, it's absolutely not bulletproof at all, and it doesn't really resist abuse complaints. And, eventually, you have the last type of service. This one has its own infrastructure, or at least it's colocating it in a data center. So it's basically the case of AbdAllah or host that I showed you in the video. These are the most advanced cases. Those guys own the infrastructure. They very often have the status of local Internet registry. They very often own entire IP ranges. They very often own autonomous systems. So it's a much more structured and much more well organized entity.
And in this case, the best use case is going to be to store and to host there your critical infrastructure. So everything that you don't want to lose, everything that you need to keep, you will be basically hosting there. So this is the most advanced part. And, usually, it can be very abuse resistant, in the sense that when you are going to contact those guys, they will very often ask you what exactly you want to perform, what exactly you want to do, on their service. And, depending on your answer, they will give you a specific IP, a specific cost, that they know will be the best adapted to this type of activity. So let's say you want to host something really very illegal or sensitive, like terrorism or this kind of stuff; well, they will give you a server that is expendable for them, but that is still kind of stable. And they will help you to obfuscate your domain, for example, and to obfuscate your website, so nobody can find the real IP and the real place where all of these things are hosted. So they would be not only providing you a hosting service, but they can also provide advanced services such as fast flux services. Very swiftly on fast flux, we don't really have time: a fast flux service is something that is going to rotate the IP addresses on an A record and sometimes on NS records. So it's very hard for someone who is investigating this domain to understand where it's really hosted. And it's very hard to perform a takedown because the IPs are permanently rotated. So these are some of the most advanced services that are offered, but just to give you an idea. Do you have any question? Yeah. "Knowledge customer service in crime." Yeah.
Well, honestly, this is the value that some of those services are advertising on forums. They are really putting forward the fact that they're not only going to give you infrastructure, give you hosting services, but also advise you where to purchase your domain names, how to obfuscate your website properly. So it's not only hosting, it's also an entire service. So this is another type of typology. This one is from Spamhaus. And it's basically depicting a shift in the way bulletproof hosting services are functioning today. So previously, most bulletproof hosting services were kind of monolithic, in the sense that it was the same entity who either owned the data center or was located in a data center. They owned the hardware. They were owning all the autonomous systems. They were owning the IP ranges, the IP prefixes, and managing the customer relationship, these kinds of things. So this type of bulletproof hosting service still exists. It's a minority. It's mostly located in places where law enforcement cannot really have a big impact. So mostly Russia, or Southeast Asia, these kinds of places. But what we witness right now is that there is a shift, and there is what we call the appearance of another type of service that is more divided and is functioning in a different way. In this case, for example, the person who is going to advertise the service will not own the IP addresses. It's going to be purchasing them from a reseller. The reseller is not going to own the autonomous system. It's going to buy it from someone else. And so, basically, it's a way not only to make the system more complicated, but also to dilute responsibility. Because if you have several entities that can be responsible for something, in fact, nobody is responsible for anything. And this is a type of service that we see right now.
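The fast flux rotation described a little earlier (A records, and sometimes NS records, cycled across many IPs with short TTLs) can be spotted from passive DNS observations. The following is an added example, not code from the talk or from any vendor tool; the DNS answers, domain names and thresholds are constructed for illustration.

```python
"""Fast-flux heuristics over a constructed set of DNS observations.

Added example (not from the talk). A domain is flagged when, inside a short
window, it answers with many distinct IPs spread over several /16 networks
and with low TTLs; rotating NS records on top of that marks "double flux".
All observations below are constructed, not real passive-DNS data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    ts: int        # observation time, seconds since start of capture
    domain: str
    rtype: str     # "A" or "NS"
    value: str     # IPv4 address for A, hostname for NS
    ttl: int


# Constructed sample: one fluxing domain, one ordinary domain.
# IPs are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE = [
    Answer(0,    "updates-mirror.example", "A",  "203.0.113.10",   60),
    Answer(300,  "updates-mirror.example", "A",  "198.51.100.7",   60),
    Answer(600,  "updates-mirror.example", "A",  "192.0.2.44",     60),
    Answer(900,  "updates-mirror.example", "A",  "203.0.113.77",   60),
    Answer(1200, "updates-mirror.example", "A",  "198.51.100.201", 60),
    Answer(1500, "updates-mirror.example", "A",  "192.0.2.9",      60),
    Answer(0,    "updates-mirror.example", "NS", "ns1.example.net", 120),
    Answer(900,  "updates-mirror.example", "NS", "ns2.example.org", 120),
    Answer(0,    "shop.example",           "A",  "192.0.2.10",     3600),
    Answer(1800, "shop.example",           "A",  "192.0.2.11",     3600),
    Answer(0,    "shop.example",           "NS", "ns1.example",    86400),
]


def slash16(ip: str) -> str:
    """Coarse network key: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def flux_stats(answers, domain, window=3600):
    """Summarise answers for `domain` within `window` seconds of its first sighting.

    Returns a dict with distinct A-record IPs, distinct /16 networks,
    distinct NS names and the lowest TTL seen, or None if never observed.
    """
    recs = [a for a in answers if a.domain == domain]
    if not recs:
        return None
    start = min(a.ts for a in recs)
    recs = [a for a in recs if a.ts - start <= window]
    ips = {a.value for a in recs if a.rtype == "A"}
    return {
        "ips": len(ips),
        "nets": len({slash16(ip) for ip in ips}),
        "ns": len({a.value for a in recs if a.rtype == "NS"}),
        "min_ttl": min(a.ttl for a in recs),
    }


def classify(stats, ip_threshold=5, net_threshold=3, ttl_threshold=300):
    """Label a domain as "stable", "single-flux" or "double-flux".

    Thresholds are constructed starting points for a detector, not values
    from the talk: many IPs across several networks with short TTLs is
    single flux; rotating NS records as well is double flux.
    """
    if stats is None:
        return "unknown"
    fluxing = (stats["ips"] >= ip_threshold
               and stats["nets"] >= net_threshold
               and stats["min_ttl"] <= ttl_threshold)
    if not fluxing:
        return "stable"
    return "double-flux" if stats["ns"] >= 2 else "single-flux"


def classify_all(answers):
    """Map every domain in the observations to its flux label."""
    return {d: classify(flux_stats(answers, d)) for d in {a.domain for a in answers}}


if __name__ == "__main__":
    for domain, label in sorted(classify_all(SAMPLE).items()):
        print(f"{domain:28s} {label}  {flux_stats(SAMPLE, domain)}")
```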
There are hosting services that are not providing bulletproof hosting directly to customers. What they will do is resell IP ranges, servers and capabilities, hardware, I mean, to others who will do the dirty business for them. And those others will have their own front companies, their own shell companies. So to investigate it, it's kind of a nightmare, and it requires a very good understanding of how the whole system works. So very quickly, this is a summary from Spamhaus of the difference between a monolithic BPH and a non-monolithic BPH. They basically gave two examples of two services located in Dutchland. In the case of the monolithic BPH, the server, a VPS offering, a full public facing website, easily attributable to the involved entities. And in the case of the non-monolithic BPH, a shell corporation with no public facing website, advertised on underground forums and via a cloud hosted website. So, basically, it gives you the idea. Everything is separated, and it's very hard to follow. You will have the slides anyway, and I will send you the link also. You also have the link to the Spamhaus articles. So if you want to have a closer look, you can. So let's have a very quick look at how this typology can be applied to the real world, both the capability typology and the monolithic versus non-monolithic typology. So this is a screenshot that I took yesterday from XSS. This is, to this date, one of the most prominent Russian speaking cybercrime forums. And I went simply to the section where all of the hosting services are advertised. So as we can see, you have some people who will advertise proxies, some people who will advertise bulletproof abuse resistant services. Some people will tell you that everything is anonymous, and this kind of stuff.
But what is interesting is that I made a study a few years ago, and I made a list of all of those services that existed at that point. And I was kind of surprised, because this image was produced three years ago, and almost nothing changed. It's really very funny, because, yes, sure, some services disappeared, some new services appeared. But if you look at this image, in 2024, for example, there was a service, loops host, that appeared; well, it's still there. Beer host, that appeared in 2039, is still there. So a lot of those services that are advertised on one of these forums are still present. And what is also interesting is that by just investigating a little bit what these people write, the communication handles they share, you can very easily understand that a lot of them, in fact, are the same entity. So once again, it highlights that you can have several brands, several selling channels, but behind it, it might be the same people. So, for example, in this case, it's very easy, just by reading the forum, to understand that Viewhost, that was created in 2019, is also underground, created in 2021, is also TunaStock, created in 2016, is also Voodoo service, created, or at least advertised, in 2023. I think it's older than that in reality. So you basically get the idea. Some of them are just fronts, and even different accounts can be controlled by the same people. Now, we were speaking about capabilities, so what exactly are those services offering? Among the around 40 services that I studied back then, and it's still very valid today, the majority of them were offering a VPS, a virtual private server, or a virtual dedicated server. Some of them were also selling domains, which, once again, highlights that it's not only about hosting.
It's also about the whole infrastructure, the whole set of things that you need to conduct cybercrime. Some of them were also selling VPNs, proxy services, fast flux. Some of them were also clearly stating that they had a local Internet registry status and that they could either sell you entire IP ranges or autonomous systems. So this is very interesting for all the services who want to resell. If you want to open a bulletproof hosting service and you don't want to register anything, you go to those guys, you buy from them, and you basically resell. So you build your own offering. You build your own pricing. And as long as you pay the bulletproof local Internet registry that is advertising on these forums, they are basically happy. This one is, I think, also very interesting, especially the slide on the left side. It shows you what bulletproof hosting services claim that they allow on their service and what they do not allow. So these are purely claims. We cannot really trust it, but it gives you a good hint of what is authorized and what is forbidden. So as we can see, some of the most common authorized activities are everything that is linked to piracy, so DMCA. You can also conduct spam. You can also conduct brute force, scan, mass scan, pentest, hacking, phishing, malware, botnet, DDoS, pawn spoofing. When we look at what is explicitly forbidden, obviously child pornography, targeting the Commonwealth of Independent States, so Russia, Kazakhstan; your activity must not target these places. Terrorism, extremism, weapons. And just for you to understand these three categories: the first three categories are usually mentioned to protect the hosting service legally. I think, if you do it anyway, they don't take down your service; they don't really care.
So it's more a way for them to protect themselves rather than a real constraint. And, yeah, you can see that some of them also forbid drugs and this kind of stuff. So all of this taken together, if you remember the capability typology of Trend Micro, I could classify the 40 services that I studied into the different tiers. So the majority of them are just basically people who are going to sell to threat actors stolen assets and stolen hosting accounts. Some of them, around 16, are kind of in the middle. They have some infrastructure, but not something very extensive. And only a minority has LIR status, has their own IP ranges, has their own data center, or is at least colocating it somewhere. So this is precisely what gave me the idea of the title of 50 Shades of Bulletproof Hosting, because as you can see, the difference is really huge between each service. So yeah. Well, I'm going to speed up. Let's maybe just have a look. Do we have any questions? No. We don't have any questions. Wonderful. So let's go on and continue. So, yeah, let's have a quick look at the thing that was mentioned previously: the fact that BPH are shifting from monolithic to a scattered system. The members of this scattered system are called, by Recorded Future, threat activity enablers. So, basically, it can be a data center. It can be an IP broker. It can be a transit provider. It can be a hosting reseller. It can be a payment service, because you need to understand that a lot of these services, what they were doing previously to accept payment in cryptocurrency, was simply showing you a crypto address on which you could pay, and that was basically it.
The problem with this approach is that it's not scalable. You need to always keep track of who paid for what. And it's also super easy to track, because if a threat actor shares with you a wallet that was already used, you can already see through the blockchain all the payments that occurred there. It's very easy to track, so it's not really good for the anonymity of their own payment system. So what they are doing right now is that they are mostly using service providers for cryptocurrency payments, such as Cryptomus. It's one of the most famous of them, and I think Brian Krebs wrote an article about them maybe last year. If you want to have a look, it's very interesting. What Cryptomus is doing is basically acting as a proxy, as an intermediary between you and the BPH service. So it's much harder to follow the path of the crypto, and it's harder to find the real wallets of the services. Once again, I could just show you the fact that the system is breaking apart. Now some examples of threat activity enablers that we are aware of. The one that made a lot of noise lately was probably Aurologic. Aurologic is a hosting service that, basically, we say is reselling its own infrastructure to others. So itself, it's not going to be linked to any malicious activity, but it's going to enable bulletproof hosting services to conduct this activity by selling them IP ranges and also autonomous system numbers that are absolutely necessary for Internet connectivity. I'm going to talk about that a little bit later on, but you get the idea. Another one that was also interesting is Virtual Line Technologies, also known as RailNet.
So it's a bulletproof hosting advertised on cybercrime forums. If you want, I can have a look and just show you what their accounts are. Yeah, it's going to be another one, but let's do it right now. So this is basically the platform, and what I'm doing right now is looking for this keyword. Okay, so it was super easy. You see that Virtual Line is advertising both under its commercial name and under its threat actor name as the same entity, and they are present on various forums and on Telegram. So you basically get the idea. Let's come back. What was interesting about Virtual Line is that they have zero downstream autonomous systems and only two upstreams, Aurologic and Cloud. So what does it mean? It means that they are at the bottom of the Internet, and it means that if law enforcement wanted to unplug them, it could be super easy. But they are kind of protected by the entities that are above them, in this case Aurologic and Cloud. And this is what is making it very difficult. Purely from a technical perspective, because they are at the bottom, it could be very easy to unplug them. But because there is an entity above that is protecting them, that is basically helping them to stay connected, it makes it harder for law enforcement to act. So you get the idea. There are other examples. I'm going to share the slides; if you want, you can explore them. Now let's just have a very quick focus on some technical aspects of investigation, so you have the basic ideas of how to do that. It's really not advanced. I'm not the best person to teach you that.
So I really suggest you take some time and look at the resources that I shared, because it requires you to test and do it by yourself to really learn, but I think you will get the idea quite fast. Do we have any questions? "What are the requirements or steps to access the Flare platform for CTI?" Okay. So you can basically go on our website and ask for a trial. We will require you to share your corporate email. So we are going to verify that your company exists, because we really don't want to share any access with people that might be malicious and not really into CTI, not really into cybersecurity. So in order to get access to our platform, you need to go through a very short screening and basically prove that, yes, you are a real individual, you are working for a real company, and you have a legitimate need to access the platform, which is nothing complicated if that is the case. Yeah. So let's talk a little bit about the Internet and how it works, because I was talking a lot about regional Internet registries, about local Internet registries, about autonomous system names and numbers, about IP blocks and these kinds of things, but I didn't really explain why it is important. And I think it's the moment to do that. So how does the Internet work in terms of infrastructure? Basically, what happens is that you have an entity that is called IANA, the Internet Assigned Numbers Authority, that has, among other things, two missions. The main two missions are to allocate IP blocks to regional Internet registries and to allocate autonomous system names and numbers to the same regional Internet registries. So once it's done, you have five regional Internet registries. Each one of them is responsible for a specific geographical location.
For example, RIPE is responsible for Europe, the Middle East, Central Asia, Russia. ARIN is responsible for North America and parts of the Caribbean. APNIC is responsible for Asia Pacific, and LACNIC is responsible for Latin America and the Caribbean. And eventually, AfriNIC is responsible for Africa. Each one of these entities is then going to distribute, and basically sell, IP blocks and ASNs to your local Internet providers, to mobile phone companies, to these kinds of things, to any hosting companies. They are going to sell it to what we call local Internet registries. A local Internet registry can be your Internet provider, it can be a small hosting service, it can also be a company that needs to have its own IP blocks and its own ASNs, that needs to own its own Internet infrastructure, at least from an IP point of view. So as you can understand, it can be a lot of different entities at the same time. Once the regional Internet registry allocates IP blocks to local Internet registries, what they can do is assign those IP blocks to end customers. This is the easiest case. If I want to purchase IP blocks or one IP address from, I don't know, my Internet service provider, I will be the end user. And in this case, it's the end of the story: I cannot really resell it. But you can also have another status, which is sub-allocation. And this one is more complicated, because sub-allocation can be done several times. For example, my ISP can sub-allocate an IP range to me, but I can then sub-allocate it to someone else if my ISP gives me the authorization to do that. So you understand that there are potentially several layers involved there. Then, on the other side of the diagram, we have the ASN allocation. As we're going to see, ASNs are super important.
It's basically groups of policy for BGP. I'm going to explain on the next slide; it's going to be much easier. Yes. So imagine, right now, just for IPv4, we have over 4,000,000,000 IP addresses. Imagine you want to go from your computer to a hosting server somewhere, I don't know, in North America. You need to find a path to go there. And this is basically the mission of the BGP protocol, which is going to help you find this path thanks to what we call autonomous system groups. So why do we have to create them? Because, imagine, if you have 4,000,000,000 IP addresses, we cannot allocate a specific policy and a specific path to follow for each one of these 4,000,000,000 addresses. It would be simply insane; it would be too much. So the easier way to do that is to create groups that we call autonomous systems, AS. Those groups are going to have their own IP ranges inside them, and they will apply the same routing policy to all of those IP ranges. So the main goal of BGP is to create contacts between those AS groups and ensure that each group can communicate with the others and say: okay, I'm responsible for those IP groups, I'm connected to another system that is above me, and I'm also peering with another system. I'm going to show you on the next slide so it's easier to understand. But the main idea here is that autonomous systems are simply necessary to create routing policies, because there are simply too many IP addresses to do it individually. Is it clear? Yes. It's a very good point. But for the moment, it's basically the same story as with WHOIS and RDAP: RDAP is a replacement for WHOIS, but WHOIS is still massively used. Same story with IPv4 and IPv6. So theoretically, with IPv6 there is an infinite number of addresses.
I don't even know how big it is; I don't remember it. But a lot of companies and a lot of services will prefer to use the system that they are accustomed to, that is easier for them to use and that is basically more compatible with their infrastructure. So let's see how things go, but this is the main issue. Yeah. So on this screen, what I want you to understand is that BGP basically has several layers. Let's start with what's going on on the top layer. On the top layer, BGP enables networks to exchange routing information. Each autonomous system announces its IP prefixes and learns paths to others. So this layer builds the global routing map for the Internet, basically. As we can see, the kinds of relationship that can exist between ASes are peering, customer and provider. In the case of peering, it means that there is an agreement between two ASes that they are going to share connectivity together. So it's a horizontal relationship, if you want. If an AS is above another one in the tree of autonomous systems, it will be basically above it, so it will sell the service of connecting to the rest of the Internet. So the AS that is under it will have to pay transit rights to access the rest of the Internet, basically. What you see in the middle of the screen is the Internet connectivity, the fact that it's structured by relationships. Transit creates dependency: downstream networks rely on upstream providers. Peering connects equal networks directly, often through an Internet exchange point. I'm not going to get into what an Internet exchange point is.
Basically, it's a hardware system that is located very often in big cities, in big data centers, but it's the thing that allows big streams of Internet traffic to connect between different countries and between different systems. And eventually, what you see on the bottom of the screen is the traffic flow itself, called the data flow. So the traffic flows along the route defined by BGP policies. It's going to go from the top AS down to the one that is at the bottom. And of course, if your service is on an IP at the bottom of the AS tree, it will have to go through several layers before reaching the top of it. Well, I hope it was clear. I really encourage you to have a look by yourself at this system, at how it works. It seems complicated; in fact, it is and it's not at the same time. Just another slide to basically conclude this. What you see on the left side of the screen is that an autonomous system can provide transit rights or it can be peering rights. So why is it interesting in the case of bulletproof hosting investigation? As I mentioned previously, you had some cases of bulletproof hosting services that are really at the bottom of the AS tree, and therefore it's very easy to unplug them. On the other side, some very talented bulletproof hosting owners managed to create a lot of interconnectivity between their own infrastructure and the global Internet, and to place it not at the bottom of the global traffic but really in the middle of it. So they are really a core part of this system, and it's much harder to disable these kinds of services. This is the main idea that I wanted you to keep in mind. A very quick word on what you will also see.
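The transit-versus-peering point above (a leaf AS with zero downstreams and one or two upstreams is easy to disconnect, a well-peered AS in the middle of the graph is not) can be made concrete by counting each AS's upstream and peering links. The following is an added example and not code from the talk or from Flare: it reads AS-relationship records in the CAIDA-style "as1|as2|rel" form (rel -1: as1 is a transit provider of as2; rel 0: the two peer) and ranks every AS by how many independent links carry its reachability. All AS numbers (private-use range) and relationships are constructed for illustration and describe no real network.

```python
"""Rank autonomous systems by how hard they are to disconnect from the Internet.

Added example, not part of the talk. Input: AS-relationship lines "as1|as2|rel"
(rel -1 = as1 sells transit to as2, rel 0 = settlement-free peering).
The AS numbers and links below are constructed and correspond to no real network.
"""
from collections import defaultdict

# Constructed sample: AS64500 is a top-level transit; AS64501/AS64502 buy from it;
# AS64510 is a leaf with two upstreams and nothing below it; AS64520 buys transit
# from two providers, peers with both and has three customers of its own.
SAMPLE_RELATIONSHIPS = """\
# provider|customer|-1      peer|peer|0
64500|64501|-1
64500|64502|-1
64501|64510|-1
64502|64510|-1
64501|64520|-1
64502|64520|-1
64520|64530|-1
64520|64531|-1
64520|64532|-1
64520|64501|0
64520|64502|0
"""


def parse_relationships(text):
    """Build {asn: {"upstreams", "downstreams", "peers"}} from as1|as2|rel lines."""
    graph = defaultdict(lambda: {"upstreams": set(), "downstreams": set(), "peers": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        a, b, rel = (int(x) for x in line.split("|"))
        if rel == -1:            # a sells transit to b
            graph[a]["downstreams"].add(b)
            graph[b]["upstreams"].add(a)
        elif rel == 0:           # symmetric peering
            graph[a]["peers"].add(b)
            graph[b]["peers"].add(a)
        else:
            raise ValueError(f"unknown relationship {rel} in {line!r}")
    return dict(graph)


def classify(graph, asn):
    """Position in the hierarchy: top-level, leaf, interconnected or intermediate."""
    node = graph[asn]
    if not node["upstreams"]:
        return "top-level"
    if not node["downstreams"] and not node["peers"]:
        return "leaf"            # depends entirely on its upstream providers
    if node["peers"]:
        return "interconnected"
    return "intermediate"


def isolation_cost(graph, asn):
    """Number of distinct upstream and peering links that give this AS reachability
    to the rest of the Internet. Downstreams do not count: they depend on the AS,
    not the other way round. A cost of 1 or 2 means one or two provider decisions
    are enough to take the network offline."""
    node = graph[asn]
    return len(node["upstreams"]) + len(node["peers"])


def rank_by_resilience(graph):
    """Every AS that has an upstream, sorted from easiest to hardest to disconnect."""
    rows = [(asn, classify(graph, asn), isolation_cost(graph, asn))
            for asn in graph if graph[asn]["upstreams"]]
    return sorted(rows, key=lambda r: (r[2], r[0]))


if __name__ == "__main__":
    g = parse_relationships(SAMPLE_RELATIONSHIPS)
    for asn, label, cost in rank_by_resilience(g):
        print(f"AS{asn}: {label:14s} upstreams={sorted(g[asn]['upstreams'])} "
              f"peers={sorted(g[asn]['peers'])} isolation_cost={cost}")
```

Real relationship data in this exact format is published by CAIDA (the "as-rel" dataset); swap the constructed string for one of those files to rank a real upstream chain. In the sample, AS64510 mirrors the leaf case from the talk (no downstreams, two upstreams), while AS64520 shows why a well-peered network in the middle of the graph needs four separate decisions to be cut off.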
When you investigate an IP address, you will see the IP range to which it belongs, and you will see which organization owns it or which organization is sub-allocating it. This is basically the idea. And in this case, it's a real example where you can see that this IP range is sub-allocated, and the real owner is not SuperHub; it's an entity that is above it, and I'm going to show you later on how to find it. Let me make a small break. Do we have any questions? "How does the landscape vary for IPv6, if it does? And is OSPF also used instead of BGP?" Okay. So for BGP, I know that it's still the main thing, and really it's the easiest and most retro-compatible thing. When we come back to IPv6, it's mostly not used by cybercriminals yet. I know that some cybercriminals who are doing spamming attacks and this kind of stuff are starting to use IPv6, but it's really marginal if you compare it with the majority of cybercriminal activity. This is one thing. The other thing is that the majority of CTI services and the majority of the companies that are investigating bulletproof hostings are very, very much focused on IPv4. So maybe we have a gap here, and maybe we don't see everything that is going on on IPv6. But for the moment, the reality is that IPv4 remains really the main layer, the main tool. "So at AWS, if I want to know who owns an AWS subnet, will that subnet be sub-allocated or something else? Can I get names when checking phishing IOCs?" Well, for AWS, I think you will not get any information. If you go to AWS and purchase your own server, it will not really tell you who is behind it; it will basically be assigned.
It will be assigned to AWS, so we will not be seeing the real entity that is behind it. What can happen is that if AWS is reselling entire IP ranges, IP blocks, to someone, yes, in this case it's possible, but not in the case of normal AWS hosting. Yeah. "Why is the preference for IPv4?" Well, basically because it's a legacy service. It means they are more used to working with it. It's also easier to purchase and more common in terms of infrastructure. So I would say that maybe some illicit activity is going to be easier to detect on IPv6. But once again, we see that there is more and more criminal activity on IPv6, but we might have a gap there as to the extent to which it happens now. Yeah, I agree with you, Andre. Okay. Let's accelerate, because we are not finishing, and I don't want to keep you here for the whole day. So this is just a very common example of how we could start an investigation. Let's say that one of the easiest ways to find malicious activity on different IPs is to go to open sources and just have a look at IP addresses and the type of malicious activity you are interested in. Then once you select an IP address, you can try to investigate it. And more interestingly, you can try to look at what type of activity was detected on it. I think the easiest way to do that is by looking for an IP where malicious activity was detected, but then also to look at the organization and the AS itself. Because the fact that one IP in an entire range or an entire AS was used for malicious purposes doesn't tell you anything about the infrastructure itself. It can very well be an exception and nothing really crazy, nothing really interesting.
In this case, we can see that this IP address is linked to PF Cloud. I already spoke about them, but they are a very well known reseller of IP addresses and offer these kinds of activities. So we can directly pivot on the organization itself, and we can see that there are a lot of IP ranges that are associated with malicious activity. But we can also pivot on the AS linked to this IP, because we know that this AS also belongs to the same entity, which is PF Cloud. And one of the good ways to investigate it, when you start with an IP, is to look at the WHOIS info. You basically need to find this: the organization name linked to PF Cloud. Once we have this organization name, you can query either through a website like IPinfo or through your terminal directly, as I was showing here with this type of command. So for example, here I asked RIPE to give me information about this organization, which is PF Cloud, and I asked it to give me all the autonomous system numbers that are linked to PF Cloud. This is the best way to see what else they have, because in GreyNoise we've seen this AS and we know that they control it directly, but we didn't see the AS that is under a different name. So probably PF Cloud is reselling it to another entity. And this is a very good example of reselling behavior. Another interesting thing that I also suggest you have a look at is Spamhaus. They list all of the malicious ASNs and malicious organizations that they can find. For example, if you look for Aeza, you have several ASNs that are linked to them. You also have Shangwei, which we're going to talk about a little bit later on, which is BeerHost.
Well, if you want to train, honestly, it's a very good place to start to investigate and to see how things are linked to each other, who is above them, who is their upstream, do they have any downstreams, who they work with. So it's really super useful for that. Once again, if we just look at this AS belonging to PF Cloud, you can see that of all of those IP ranges, some belong to PF Cloud directly and some do not. Because this is an important point: inside the same ASN, you can have IP blocks, IP prefixes, that do not belong to the same organization. It's not because the ASN belongs to PF Cloud that all the IP ranges inside belong to PF Cloud. But in this case, what is very interesting is that PF Cloud is a known enabler. They are known for helping other bulletproof hosting services and other hosting services to be connected to the Internet. And we can see that among the IP ranges inside the ASN, there is one that is linked to an entity that is called vmheaven.io. Just by opening some of their IPs, we can go on their website, and what we see is "privacy-first hosting without limits". So yeah, no KYC; all the usual stuff. It doesn't mean that this is a bulletproof hosting, but it's very clearly offshore hosting. Then something that I did, which is very common: you just make a search for this domain or just for this brand name on forums. In this case, we can see that they are very, very active on Telegram with over 30,000 posts, but they are also mentioned on Cracked, on Patched, on Hacked. So basically there are a lot of people talking about them, and you understand that the type of activity that is ongoing there is probably something not really legal. But you get the idea.
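Two of the checks described in this part of the session (finding the allocation holder above a sub-allocated range, and listing an organisation's ASNs and then spotting prefixes inside them that belong to someone else) can be scripted against the plain-text objects the RIPE database returns. The code below is an added example, not code from the talk or from Flare. It parses a small set of constructed RPSL objects (the key: value blocks you get from "whois -h whois.ripe.net", where the real flags "-L" return all less-specific inetnum objects for an address and "-i org ORG-HANDLE -T aut-num" return the aut-num objects of an organisation). Every org handle, netname, AS number and prefix in the sample is constructed; the prefixes are taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Walk RIPE-style inetnum / aut-num / route objects to find who really holds an IP.

Added example, not from the talk. Parses constructed RPSL objects (the blank-line
separated key: value blocks returned by RIPE whois) and answers: which entity
above a sub-allocation is the actual allocation holder, which ASNs an org holds,
and which prefixes originated by an ASN belong to a different org.
All handles, AS numbers and prefixes below are constructed (documentation ranges).
"""
import ipaddress

SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-LIR-ALLOC
org:            ORG-LIR1-TEST
status:         ALLOCATED PA

inetnum:        192.0.2.64 - 192.0.2.127
netname:        RESELLER-SUBALLOC
org:            ORG-RESELL1-TEST
status:         SUB-ALLOCATED PA

inetnum:        192.0.2.96 - 192.0.2.103
netname:        CUSTOMER-ASSIGN
org:            ORG-CUST1-TEST
status:         ASSIGNED PA

aut-num:        AS64500
as-name:        LIR1-TRANSIT
org:            ORG-LIR1-TEST

aut-num:        AS64501
as-name:        LIR1-HOSTING
org:            ORG-LIR1-TEST

route:          192.0.2.0/24
origin:         AS64500
org:            ORG-LIR1-TEST

route:          198.51.100.0/24
origin:         AS64500
org:            ORG-OFFSHORE1-TEST

route:          203.0.113.0/24
origin:         AS64501
org:            ORG-LIR1-TEST
"""


def parse_rpsl(text):
    """Split whois output into objects: blank-line separated 'key: value' blocks.
    (Splits on the first colon, so this handles IPv4 ranges but not IPv6 values.)"""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def _to_networks(inetnum):
    """'first - last' range -> list of CIDR networks (a RIPE range need not be one CIDR)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def containing_blocks(objects, ip):
    """inetnum objects containing ip, least specific first (what RIPE's -L flag returns)."""
    addr = ipaddress.ip_address(ip)
    hits = [o for o in objects if "inetnum" in o
            and any(addr in net for net in _to_networks(o["inetnum"]))]
    return sorted(hits, key=lambda o: -sum(n.num_addresses for n in _to_networks(o["inetnum"])))


def allocation_holder(objects, ip):
    """Org of the ALLOCATED block above any sub-allocation or assignment: the real holder."""
    for block in containing_blocks(objects, ip):
        if block.get("status", "").startswith("ALLOCATED"):
            return block["org"]
    return None


def asns_for_org(objects, org):
    """Inverse lookup (whois -i org ORG -T aut-num): ASNs whose org attribute is org."""
    return sorted(int(o["aut-num"][2:]) for o in objects
                  if "aut-num" in o and o.get("org") == org)


def foreign_prefixes(objects, asn):
    """Prefixes originated by asn whose route object names an org other than the AS holder."""
    holder = next((o["org"] for o in objects if o.get("aut-num") == f"AS{asn}"), None)
    return [(o["route"], o["org"]) for o in objects
            if "route" in o and o["origin"] == f"AS{asn}" and o.get("org") != holder]


if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_WHOIS)
    for b in containing_blocks(objs, "192.0.2.100"):
        print(f"{b['inetnum']:30s} {b['status']:18s} {b['org']}")
    print("allocation holder:", allocation_holder(objs, "192.0.2.100"))
    for asn in asns_for_org(objs, "ORG-LIR1-TEST"):
        print(f"AS{asn} prefixes held by others:", foreign_prefixes(objs, asn))
```

Run against real whois output, the chain for the sub-allocated address prints the LIR allocation first, the reseller's SUB-ALLOCATED PA block under it and the customer's ASSIGNED PA block last, which is exactly the "the real owner is the entity above" situation shown in the talk; the foreign_prefixes check is the scripted form of noticing that a prefix announced from the enabler's ASN carries a different org than the ASN itself.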
So, yeah, I'll share all of the tools in these tabs with you; you have them also in the document. We don't really have time to go through all of them. It would take a lot of time, and we are already almost at the end of this presentation. So I really encourage you to explore all of it. I could not cover it in the time that we have, but even basic knowledge could already help you a lot. Honestly, if you use IPinfo, it could already be enough for you to do basic investigation and to understand who is connected to what. You don't necessarily need to go very deep into BGP; I don't think it's really useful. In terms of CTI, I really encourage you to have a look at stuff like Spamhaus, IPDB, GreyNoise. All of these services are super useful, both to find information and to pivot on information. Asset discovery engines, yeah, the usual stuff; I'm not going to waste your time on that. WHOIS: well, some of these are paid tools. If you have access to DomainTools, you can really do crazy stuff, because they have a very, very extensive passive DNS database, and it really helps you to pivot on different things. Then you have all-in-one tools; I'm not going to dive into that. Very quickly, I'm going to show you an investigation that I made several years ago. Everything that I'm going to present here you can now find in public sources. I still anonymize some of the things because I don't want to dox the people who are behind the bulletproof hosting that I'm going to talk to you about. But just by searching for BeerHost on the Internet, you are going to find very easily what I'm talking about and who the people are.
I just don't want to do any doxxing, because if I'm wrong in my assessment, it can be really, really bad. So this is what you are seeing right now. It's an example of the misconfiguration of a ransomware website that I was talking to you about earlier on. In this case, they kind of exposed it, if you can see it on the left side of the screen: when you were hovering over any FTP URL, they were exposing the entire IP address of the FTP server. So they were basically telling you where exactly they were storing all the stolen data. Just by having a look at this IP, at that time this IP was linked to an organization that was called Shangwei Technologies Co Limited. And just by doing a search on RIPE or any other of the sources that I gave you, you can find a lot of information about this local Internet registry. It still exists to this day. It was mostly disconnected from the Internet; it's mostly inactive right now, but the shell itself still exists. And what is interesting is that we have a domain. Here we can start by doing some investigation about the domain with tools such as DomainTools, or SecurityTrails for passive DNS. Just by having a look at DomainTools, you were able to find an email address linked to the abuse contact of this domain: Bernard.webmail@Gmail.com. And by searching for this webmail in DomainTools, if you have a premium investigation account, you can find all of the domains that were also registered with this email. And there are a lot of them. One of them is 31337.hk, where 31337 means "elite" in hacker language. Then by going on sources such as SecurityTrails, you could find all of the subdomains, and one of the subdomains was [...].31337.hk. So it's already a link to a real brand name. Of course, it doesn't prove anything, but it's a hint.
So just by looking both at the emails that were shared and at the name of the actor, you could already... so by searching this email, Bernard.webmail@Gmail.com, if you have stored some leaked databases from forums, because cybercrime forums also have data breaches. Well, in some of the data breaches that I found, and that you can also find without too much difficulty, you could find that this email was also linked to accounts on various cybercriminal forums with the username BeerHost. So by searching in Flare, you could find that BeerHost is an actor that has several accounts. It doesn't mean that they are all linked to each other, but what we have created recently is an LLM, AI-assisted summary of the actor's activity. So just by looking at each of these forums, at the summary: what you could learn just by reading the summary that was produced by the AI is that BeerHost is a bulletproof hosting operator that has been active on the XSS forum since December 2019, blah blah blah, operating under various aliases, including Underground and Voodoo Service. So you see, just by reading the posts of this guy, we could already learn that he himself claims that he has other usernames, which are Underground and Voodoo Service. So you can pivot on them later on. You remember I spoke to you about BeerHost here. So just by pivoting on contacts and on things that he claimed himself, you can understand that BeerHost, Underground and Voodoo Service are in fact the same entity. If you go to the forum itself, you can collect the contacts of this guy. And this is super useful, because it can help you do some pivoting. By doing some pivoting, you can understand that BeerHost and Underground are the same entities.
They share the same contact addresses and basically the same offering. Eventually, this is a summary of what I could find. So you have all of their contacts. It was a dead end, so I could not really go anywhere after that. But just by looking on Google at that time for "BeerHost Underground", I found another email, another domain that I didn't find previously, which is 31337 dot [inaudible]. So not .hk, but another TLD. And by going there, you could understand that it's basically the panel for the hosting service. It has the same logos. Then by doing an investigation with WHOIS and with passive DNS on this domain, I could see that most of the time it was hidden behind a CDN. If it's hidden behind a CDN, it's basically a dead end. But thanks to passive DNS, we could see that at some point there was probably a misconfiguration, and the domain was indicating the real IP where it was hosted. In this case, it was Shangwei Technologies and Co. Also, by looking for other things that I could find for these actors, I could find that the domain shangwei.hk was registered by a professor, but with this email address; I mean, same for this one. So basically, then everything is kind of linked. And you can go back to real-world entities, to companies. And this is where it starts to be really interesting, because it's when you start reaching companies, especially in countries such as Russia, that you can start to pivot on real people. What I also found is that one of the abuse contacts for this IP address was a domain name, [...].com, that belongs to a shell company in Cyprus. And just by looking for this Limited company on the Internet, on Yandex, I was able to find this page that belongs to Hostway. And basically, what does this page tell you? It tells you that RedBite LLC is a legal company for Shangwei and StarCresium in Russia.
StarCresium is a legal company for this hosting company in Europe. Shangwei is a legal company for this company in Hong Kong, China. So just from that, you could already understand that all of these entities are in fact linked. These three companies are in fact held by the same person. And because company registries in Russia are open, you could find the real name of the person. Once again, I hid it here because I don't want to dox anyone, but it's super easy to find right now, because I did this investigation three years ago, and since then they attracted a lot of attention, so a lot of other people investigated it. But it was super easy to find this guy. And what was very interesting is that he was opening and closing hosting companies every two to three years. What does it indicate to us? It indicates that it's someone who is rotating shell companies every two to three years. Why are bulletproof hostings doing that? They are doing it, yes, to complicate investigations, for sure, but also because the majority of their income is from an illegal source and they don't really want to pay taxes. They don't want to declare all of their income, which is very often mostly made in cryptocurrencies. So that's why all of their companies periodically go bankrupt, and after bankruptcy they recreate a new company, and it's basically all over from the beginning. Another hint that I found is that by visiting hostway.two, they also had the same login system as BeerHost at that time. So you see, it's the same pattern, same logic. So it's another hint that these two entities are in fact the same thing. Then what I did is I started to investigate the legal owner of those shell companies. I did find some exposed information, like phone numbers, email addresses.
And what was super funny is that one of the phone numbers was actually linked to a Telegram account that is called Tuna Stock. And Tuna Stock is another bulletproof hosting service that is also active to this day. So we can see that the personal phone number of this guy is linked to Tuna Stock and also to other domains that were advertised by Voodoo. And if you remember, Voodoo is another username of BeerHost. So you can see that, in fact, the same entity has several brands. It's like a Matryoshka, a Russian Matryoshka: the more you open, the more you find. So I also decided to have a look at the former companies that were closed. And IT LLC, one of the former companies of this guy, had a domain that was called erahost.pro. Just by a look on the web archive for erahost.pro, I could find this logo, and I don't know, does it remind you of something? Basically, they just reused exactly the same logo as for their Underground service. They were kind of very lazy. Yeah, designers. And the fun story, actually, is super fun: I found the discussion on WWH-Club, which is a Russian-speaking forum, where they basically explained that they were too lazy to find a real graphic designer, and they hired a graphic designer from a forum. So I basically know which account created this super logo for them. So, yeah, they were not very inspired with that one. Then by having a look at the offering of this bulletproof hosting, I could compare what was offered by the legal front company, Hostway, and the offer made on the forums. And guess what? It was exactly the same configuration and exactly the same prices. Basically, everything was identical. So, yeah, another hint that it's basically just them.
Eventually, another interesting point is that I collected all of the leaked emails, all of the things that I could find both from forums and from domains. And I don't know if you see it, but there is really an identical pattern here. You can see that it's always the same pattern: username.webmail@tld. And, well, you can basically see they were also lazy here. It's kind of very well organized, but it's not very good, because it's a pattern that can be seen all the time and that stays for years. So it's very easy to find them later on, to follow them. It's very easy to follow the path. If those were some random emails that had nothing connecting them, it would be much harder to tell that, okay, Voodoo is actually the same guy as tuna stock and actually the same entity that registered those domains. So to kind of conclude out of it, I also did some investigation about the company itself. I could find the LinkedIn account of the managing director. I could also find an HR website where they were hiring people, and they were basically giving away the internal hierarchy and the internal structure, telling you how many people were working for them. They even have a graphic designer, which is awesome. I don't know if you'd say that they created this super logo, but it gives you an idea. So the main story is that a bulletproof hosting here, an advanced bulletproof hosting like this one, is working in the same way as a normal company. And as you can see from the social media, the location of their servers is at normal data centers. You know? It's not something crazy like what we have seen in Ukraine. It's a real data center. And their offices could also be found kind of easily in Moscow.
So, to conclude, what is also interesting is that by identifying all the IP ranges that belonged to Changway Technologies Co, RedBite, LCCAT Technologies, and other entities linked to BeerHost, you could also run a mass study about what was hosted there. And an interesting part is that, yes, you can have any type of malware, but you also had, at some point, an APT group, LowRec fifty three, who used their service and apparently hosted their activity there. It was revealed by NF Focus Security Labs. And how did I find it? Just because I searched for the range of an IP address that belonged to them, and I found that at some point it was associated with an activity. So, yeah, thank you a lot. I know that was a little bit long. I hope you enjoyed it, and I hope that it was useful for you. If you have any questions, do not hesitate to send them in Discord or somewhere else. I will try to answer them. And, yes, thank you again for your attention. I hope it was interesting. It was a little bit long. But yeah.
