The Most Dangerous Towns on the Internet - eBook

The Most Dangerous Towns on the Internet - eBook

September 21, 2018 | 18 min read

Click Here to Download PDF version

Most Dangerous Towns on the Internet


To understand the significance of modern hacking, it may help to briefly examine how DDoS attacks have evolved. Not long ago, if one wanted to take down large Web site, one had to build and maintain a large robot network, or “botnet,” of hacked computers — which is a fairly time intensive, risky and technical endeavour.

These days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by paying a few bucks for a subscription to one of dozens of booster or stressors services, some of which even accept credit cards and PayPal payments.

I will disclose the roots of hacking mediums through which hackers groups and sometimes governments are fighting the proxy wars in this modern age.

In the recent years, curious technical people have discovered the different ways hackers are using and how they are utilizing different territories / countries on the earth to accomplish their desired attacks.

I explored the internet to find out and came across different kinds of dangerous ways especially if you talk about the physical locations on the earth. There are several most dangerous towns on the internet which are operated from different countries to make such a solid intranet and networks to avoid any kind of legal restriction from one country vary from other.

We can name this as bullet proof hosting servers or services which are operated by hackers or different kinds of companies who are providing the tools and space to terrorist groups and hackers or anyone who wants to do unethical online activities while hiding their identities and always staying anonymous.

I will say this bulletproof hosting model is just a very small part of Dark Web or Deep Net or Deep Web.

What is Bulletproof Hosting?

Bulletproof hosting services are more liberal with the content they allow on their servers. These services are usually found in countries with more relaxed approaches to law enforcement, data and computing laws, bribery, and extradition, and making it easy to operate without interruption.

These hosts have “don’t ask, don’t tell” relationships with their clientele, reasoning that they are merely providing a service. What happens on their servers is the client’s business — and theirs alone.

It’s generally ascribed as a hosting provider that won’t take down the services of a customer who may be either A: hosting content others deem inappropriate or illegal, or B: Attacking other hosts on the internet.

Regular Hosting vs Bulletproof Hosting

To clearly understand what bulletproof hosting is, we should first take a step back and talk about regular hosting. A regular web hosting service is a company that operates a facility, usually what is referred to as a data centre, which contains massive amounts of servers. Everything on the Internet needs a place to live, and home is on these servers.

Regular web hosting services provide space on a server, either owned or leased for use by customers. It also provides Internet connectivity so people can reach the websites and data hosted on those servers. Most of these services have strict policies regarding what can and cannot be stored on these servers.

Bulletproof hosting operations are similar to regular web hosting, however these companies are a lot more lenient about what can be hosted on their servers. It has somewhat of a “don’t ask, don’t tell” philosophy.

Bulletproof hosting (sometimes known as bulk-friendly hosting) is a service provided by some domain hosting or web hosting firms that allows their customer considerable leniency in the kinds of material they may upload and distribute. This leniency has been taken advantage of by spammers and providers of online gambling or illegal pornography.

Bulletproof hosting services are often found in countries with more relaxed laws about what type content is hosted on these servers, and also have less strict extradition laws, therefore making it easier to evade law enforcement. Due to the different laws in different countries, this creates a huge grey area that allow the owners to claim immunity to what their customer’s host.

Bulletproof hosting is a type of hosting provider who gives its customers an exponential amount of freedom when compared to traditional web hosting services. A Bulletproof Hosting Service Provider (BHSP) is very lenient in regards to the content its users can share and the products it can offer through their websites.

As an example, the type of content hosted on bulletproof servers can potentially contain websites dedicated to: Spamming, carding, phishing, online gambling and much more. The server locations these providers use are normally based in China, parts of Asia, Russia, countries bordering Russia, and even some South American regions. Bulletproof hosting can also be a way to get a website setup on the deep web.

But don’t worry, bulletproof hosting isn’t all doom and gloom, and it doesn’t necessarily make an individual using it a criminal who’s taking advantage for nefarious purposes. In fact, there are several positive reasons why you should consider using a bulletproof hosting service provider.

Where Cybercrime Goes to Hide

Secretive world of bulletproof hosting also known as uncensored hosting. Bulletproof hosts are no stranger to security they will often place there data centres in isolated areas such as at sea or inside underground nuclear bunkers. Using bulletproof hosting hackers can create a virus, botnets, C&C servers, malware, ransom ware, piracy, black market trading and other menacing activities with very little risk this is because bulletproof hosts ignore any abuse complains or are often hosted in a country or region where laws can differ.

Cybercriminal Hideouts for Lease

There are many facets to a cybercriminal operation, and one of them that is often overlooked — but is no less significant — is the hosting servers from which they launch their attacks. Commonly known in the industry as Bulletproof Hosting Servers (BPHS), these are hardware, software or application-based hosting facilities that can store any type of content and executable code, just like any regular hosting service.

What makes them different? These types of servers can be used to host malicious content, such as phishing sites, pornography, fake shopping and carding sites, and even command-and-control (C&C) infrastructure. In short, it’s the foundation by which major cybercriminal operations are built upon.

This latest research aims to bring these hosting services to the public eye, offering a look into the more obscure details of cybercrime. Specifically, it seeks to answer the following questions:

1. What malicious content is most commonly hosted with these services?

2. What are the business models being used by BPHS providers?

3. How BPHS providers stay in business?

4. How much do BPHS services cost for the common cybercriminal?

Through extensive research, we are able to provide the following answers:

The most common malicious content hosted on BPHS consist of fake shopping sites, torrent file download sites, Black hat SEO pseudo-sites, brute force tools, C&C components and more.

Bulletproof Hosting Models

BPHS providers’ business models consist of three models

1) The dedicated bulletproof server model, in which the provider knowingly hosts malicious content;

2) The compromised dedicated server, where the provider compromises dedicated legitimate servers and rents them out to malicious parties, and

3) Abused cloud-hosting services, where legitimate service providers are being used illegally.

Besides hosting malicious content, BPHS providers also earn revenue from other services, such as technical support, infrastructure migration, protection against DoS attacks and more. Just like a legitimate server hosting practice, they provide supplementary services for their clients.

The price of a hosting server depends on which business model the provider is using as well as the duration of usage. A dedicated server may cost around US$70 a month, while another can cost as much as US$5 for only one attack.

3 Reasons to Choose Bulletproof Hosting

1. Data Safety The primary reason those using suspicious or downright illegal content seek out bulletproof hosting services is because no one, in theory, is allowed to look into those servers to see its contents. All bulletproof hosting companies are located overseas, though this wasn’t always the case, and if a government entity or someone else from another country demanded access to those servers, it would become a matter of jurisdiction and following international laws. With this said, if you need bulletproof hosting to work out a prototype or have access to sensitive data that you need to keep under the radar, this is the way to go.

2. Secure Servers The fact of the matter is certain individual, corporate and government entities have a special interest in the data that is kept under bulletproof hosting services. This forces the providers to stay on their toes in terms of intrusion prevention, forcing them to become adept at ensuring the security of the data on their servers remains anonymous.

3. Ultimate freedom of speech and expression We live in an age where every word we speak is micro-analysed, from the internet to print and major broadcasting media. Everyone has an opinion, and there are bound to be topics you support and care deeply about that are not necessarily popular in your community or country.

Important to remember that there are some mild risks to using a bulletproof service

1. BHPS are utilized by spammers, hackers, and dealers in illegal activities. Using a bulletproof provider alongside these individuals might hinder your company’s reputation if this fact ever came to surface. Is the risk worth it?

2. If your bulletproof host happens to randomly shut down, you would naturally want your data back, but this would prove to be incredibly difficult since the servers are harboured in foreign countries. It would take time and significant resources to track down the servers retrieve your data.

Where Are Bulletproof Hosting Services Located?

Bulletproof hosting services are found all over the world. There is no single ledger listing every bulletproof hosting nation of residence.

The common consensus is, however, that the majority of services reside in China, Russia, the former-Soviet states (such as Belarus, Ukraine, and Moldova), and a handful of other European, Asian, South American, and North African countries (so, almost everywhere).

Moreover, many bulletproof hosting services register in locations with equally relaxed tax laws, such as the Seychelles and the Cayman Islands.

Many if not most ‘bulletproof hosts’ are in China, other parts of Asia, and Russia/Russia’s surrounding countries, though this is not always the case. For example, McColo, responsible for 2/3rds of the world’s spam when taken down, was US based.

Bulletproof hosting providers have a high rate of turnover, as many hosting providers choose to shut down, whether forcibly or voluntarily, if their alternative would be to compromise client freedom (as this is their main selling point).

It’s a war and cyberspace is the theatre. Do Internet hosting services have a moral responsibility when it comes to what’s available on the Internet? Norton sends out his investigators to explore the secret world of what has become known as bulletproof hosting. They are called this because they are the most secure, impenetrable and inaccessible servers in the world. These are kingdoms and companies that are the Switzerland of the Internet because they host information in servers that only they have access to and some of them offer cybercriminals the privacy to conduct illegal exchange of information, malware attacks and ransom ware breaches, among others. They operate beyond the reach of law enforcement and between international legislation.

The first stop is Sealand, an abandoned World War II gun platform. This fort that was built in international waters and has since then been declared a principality. A young man named Ryan Lackey founded the worlds’ first sovereign online state by creating a bulletproof data hosting facility there. His idea was to have a physical location where people could host servers for Internet sites with users all over the world. The attraction would be that people would be able to pick which laws applied to them.

Then they head over to Cyber Bunker, located in Holland at a NATO Cold War bunker. This was a notorious host for illegal material, particularly spam. Allegedly its home to numerous hackers. When they finally got in, to their surprise, it was no longer CyberBunker, but a new company with a different name that claimed high degrees of trust. They had evolved into a place where governments and corporations keep their classified data secure.

Next they head to a bunker located about 30 meters below the hills of Stockholm. This facility hosted WikiLeaks during the heights of its popularity. The place is physically impenetrable.

However, it seems like nowadays a bunker is no longer necessary for bulletproof hosting. Some experts believe it’s much better to hide in plain sight by pretending to not be doing anything illegal and signing up for regular hosting. A victim would then take different hops in different countries before arriving at the final destination. This would make it really difficult for law enforcement to get cooperation from all these countries in order to find out where the host is.

And this brings us to CloudFlare, which is now the edge of the Internet — the future of how Internet content can be hosted reliably without censorship.

US and Europe Datacentres

That’s not to say the US and Europe do not play host to bulletproof hosting services. Before its timely destruction, McColo was one of the largest bulletproof hosting services on the planet and based in San Jose, California (we’ll look at McColo in a little more detail in a moment).

San Jose was also host to the similarly insidious 3FN, hosting a “witches brew” of child pornography, malware, and spam email servers. On the other hand, WikiLeaks regularly moves its servers between a number of secure services situated in Europe and Russia (this due to both security and DDoS protection).

High Speed Resource

It isn’t all that simple, though. These are highly organized cybercrime services. As such, some places are better suited to hosting certain content.

Let’s say you contact a bulletproof hosting service asking to host your newly written malware. You say you want to host your malware in the Netherlands (due to high connectivity and location services). The service provider might respond that you’d be better off in Ukraine (due to local laws and the difficulty of physically taking servers down).

Clearly, bulletproof hosting service providers have a vested interest in securing new business and will work to ensure the most secure, the fastest, and the best connectivity for their customers.

Taking Down Bulletproof Hosting

The main goal of a bulletproof hosting service is remaining online and remaining secure. Keeping their clientele’s credentials and data intact if law enforcement comes calling. Dhia Mahjoub, a principal engineer at OpenDNS Research, explains more about the processes in his talk at USENIX Enigma 2017.

“Cross-jurisdictional issues are a big challenge. Hosts have very little incentive to change anything. If they take content down, that affects their business,” Mahjoub said. “The vicious thing about these guys is that they spread all across the web and stay under certain thresholds so we won’t notice them. Having friends at a certain ISP or hosting company is very useful.”

Bulletproof Hosting Takedowns Aren’t Easy

Formulating the takedown of a bulletproof hosting service isn’t easy. McColo only met its demise after a long investigation by Brian Krebs in conjunction with other security researchers and law enforcement agencies. If it were easy, the government would simply pop a takedown notice in the fax machine and send it to the host nation.

It requires a concerted effort between numerous parties to stick. And even then, if the host nation turns a blind eye, it is all for nothing. Dhia Mahjoub’s USENIX talk also details the complexity of attempting to shut down bulletproof hosting services on foreign soil.

Bulletproof hosting services take their name from the idea of being indestructible. Only a concerted effort will truly takedown a service. And as we have seen, it is a relatively simple process to switch host when the authorities come calling.

Unfortunately, shutting down bulletproof hosting services doesn’t usually spell the end of the operators or the customers unless the servers are physically seized or compromised.

The infamous Russian Business Network (RBN) was thought to have long ceased operations but is operating the same scams, botnets, and other malicious content along the borders of eastern Ukraine and Moldova.

There is some legitimate hosting taking place too. Some customers with extremely sensitive data use bulletproof hosting services to ensure government agencies and business adversaries cannot compromise them.

However, while their data has protection, it could also easily disappear; they could come under investigation just for using a bulletproof hosting service filled with other malicious data.

Using a bulletproof hosting service isn’t inherently illegal.

Bulletproof Hosting Services taken down in Last 11 years

The following are some notable examples of bulletproof hosts, with their takedown time:

· Russian Business Network (or RBN), taken down in November 2007.

· Atrivo/Intercage, taken down in September 2008.

· McColo, taken down in November 2008.

· 3FN, taken down by FTC in June 2009.

· Real Host, taken down in August 2009.

· Ural Industrial Company, taken down in Sep 2009.

· Group Vertical, taken down in Oct 2009.

· Riccom, taken down in December 2009.

· Troyak, taken down in March 2010.

· Proxiez, taken down in May 2010.

· Voze Networks, taken down in February 2011.

· Santrex, closed in October 2013 after failing to pay its datacentre provider.

· MaxiDed, taken down in May 2018.

Law Enforcement Agencies

Sometimes law enforcement agencies cannot even shut down local bulletproof hosting services because of complicated registration structures and mirroring services in other nations.

The protectionist nature of the bulletproof hosting services usually prolongs the process too. Services have mitigation strategies. Service owners know how long they can hold out before acquiescing to formal takedown requests.

And even then, they can give customers a few days to move their operations to another bulletproof service provider.

Bulletproof Hosting Providers offers affordable bulletproof shared hosting with a starting price of €4.99 ($5.47)/month. You can pay monthly, and request a refund within a 30-day time frame. For this price you get 35GB Bandwidth, 5GB Disk Space, 1 MySQL Database, 1 sub-domain, and 1 email. Their bulletproof VPS’s start at €24.95 ($27.35)/month. With this, you get 1GB RAM, Xeon 1 core 2.60 GHz, and 15GB SSD (RAID 10). Their fully bulletproof dedicated servers start from €150 ($164.45)/month and come with full root access and IPMI.

OneHost Cloud

It is a world class provider of private, reliable and secure cloud hosting. The number one provider of Pentesting Cloud Virtual Private Servers for security professionals and budding pentesters.

OneHost Cloud is always happy to work with customers to provide reliable and secure hosting and further encourage customers to contact them so they can decide what it is you require so they can provide the best possible solution for you and while privacy is a top priority. They always respect customers wish to remain anonymous — all staff are governed by NDA where they cannot divulge any information regarding current or former customers of OneHost Cloud.

In addition to Bulletproof Hosting OneHost Cloud also offers Tor Hidden Service Hosting via their Tor Control Panel and Tor Clusters. This is just another product they offer to provide customers the tools to retain private and anonymous cloud hosting for all.


Bulletproof hosting takedowns aren’t that common, but it does happen. McColo is one of the most well-known service takedowns in recent times (although nearly 10 years ago now). McColo Corp. was a focal point for scammers, malware purveyors, carders, botnet command and control servers, and much worse.

“At a time when law-enforcement agencies worldwide were just waking up to the financial and organizational threats from organized cybercrime, McColo Corp. had earned a reputation as a ground zero for it: a place where cybercrooks could reliably set up shop with little worry that their online investments and schemes would be discovered or jeopardized by foreign law-enforcement investigators.”

In his book, Spam Nation, Brian Krebs details the horrific demise of Nikolai McColo in a street race in central Moscow. McColo, then 23, had built his burgeoning bulletproof hosting service from the ground up from the age of 19.

But despite McColo’s leader and namesake passing it wasn’t until a year later, in 2008, when Krebs’ Washington Post exposé on the astonishing level of malicious activity at McColo finally forced the wider internet’s hand, pulling the plug on all connections to McColo IP ranges.

Overnight, global spam traffic saw a 50 to 75 percent reduction. Millions of zombie computers were instantly cut off from their control servers. The Mega-D, Pushdo, Rustock, Warezov, and Srizbi botnets took hard hits (Srizbi was capable of sending an estimated 60 billion spam emails a day, over half the global total of 100 billion).

And spam purveyors, along with other nefarious individuals and organizations, lost huge portions of their infrastructure. Some prolific spammers actually lost their entire spam email lists, hosting them on McColo’s servers.

Started in 2014 from the Netherlands. It currently sells dedicated servers from 2 datacentres: Dronten and Amsterdam. has several qualities that distinguish them greatly from other bulletproof hosts. They are affordable, offer customer support via Livechat, and have a 30-day money back guarantee. In addition, they prioritize in offering full data privacy, and maximum security. They are also very lenient in what they allow on their servers.

Because of Elkupi is located in the centre of Europe, and is using Dutch datacentres, their connection speed is very fast, whether you’re from Europe or United States.

HavenCo (Sealand)

Bulletproof hosts such as HavenCo in Sealand , Sealand is its own Sovereign State Located in international waters, on the military fortress of Roughs Tower, Sealand is the smallest country in the world. The country‘s national motto is E Mare, Libertas (From the Sea, Freedom), reflecting its enduring struggle for liberty through the years. Sealand has been an independent sovereign State since 1967 and is subject to its own laws Sealand also has very little to none tax laws.

HavenCo was founded in Sealand and follows Sealand law read the Constitution of the principality of Sealand.


Cyber bunker is a bulletproof host that is hosted in a nuclear bunker deep underground it is impenetrable even against nuclear weapons.

Ramnicu Valcea It is a beautiful, modestly populated town in the centre of Romania. Entirely pleasant and agreeable, the surroundings betray nothing remotely conspicuous to an outsider’s eye. But this deceiving facade cloaks an underground society known as ‘Hackerville’, a home to some of the most prolific cyber terrorists in the world. The Most Dangerous Town on the Internet investigates their criminal activities, and the threats they pose to our increasingly cyber-connected planet.

The age of communism kept Romania on the side-lines of technological advancement for much of the twentieth century. The Romanian Revolution of 1989 changed all of that. The youth in the region were hungry for inter-connectivity with the rest of the world, and proved enormously adept in the innovative use of new technologies. Perhaps inevitably, this also birthed a new breed of hackers who set their sights on wrecking chaos amongst the world’s most powerful figures and institutions.

Legitimate Companies Host Bad Things Too

It would be naive of us to look at only bulletproof hosting services as the sole source of the dark underbelly of the internet.

According to Webroot’s Quarterly Threat Trends for September 2017 [PDF], “an average of 1.385 million unique phishing sites are created each month, with an astonishing high of 2.3 million in May of 2017.”

Not all of these sites use bulletproof hosting services. Major regular hosting services like GoDaddy, 1and1 Web Hosting, HostGator, and Digital Ocean regularly host phishing sites before they go offline. Given GoDaddy has tens of millions of registered domains, it is entirely feasible that some slip through the net.

However, there are some slightly worrying signs. The InfoSec Guy blog illustrates several malicious phishing sites left online even after alerting GoDaddy. Similarly, there are tutorials available online detailing how to set up automated phishing emails using a Digital Ocean VPS (among others).


We rely upon the wonders of cyberspace for so many of our essential daily activities. We purchase merchandise, indulge in sensitive and deeply personal communications, and even conduct our banking activities from the comfort our computers and smart phones. Little do many of us realize that a new generation of online criminals may lie in waiting, and any one of us could be their next victim? The Most Dangerous Town on the Internet is a valuable portrait of this frightening reality.

Many service providers have terms of service that do not allow certain materials to be uploaded or distributed, or the service to be used in a particular way, and may suspend a hosting account, after a few complaints, to minimize the risk of their IP subnet being blocked by anti-spam filters using Internet Protocol (IP) address-based filtering. Additionally, some service providers may have ethical concerns that underpin their service terms and conditions.

Often, a bulletproof host allows a content provider to bypass the laws or contractual terms of service regulating Internet content and service use in its own country of operation, as many of these ‘bulletproof hosts’ are based ‘overseas’ (relative to the geographical location of the content provider).

Is it right for a company to host ISIS websites where images of people being decapitated are a regular attraction?

Does silence really mean consent?

Why should you worry about?