beebright - stock.adobe.com

Bulletproof host raided in former NATO bunker

German authorities arrested seven in raid of bulletproof hosting company CyberBunker -- which was housed in a former NATO bunker -- for allegedly hosting dark web marketplaces.

Law enforcement officials in Germany shut down a bulletproof host operating out of a former NATO bunker and which was allegedly supporting various illegal websites.

The host taken down by German authorities late last week was known as CyberBunker. It was originally located in a former military bunker in the Netherlands but moved to another NATO bunker in Traben-Trarbach, Germany, around 2013. CyberBunker had only two exceptions in its rules for customers: no content related to terrorism and no child pornography.

However, according to authorities, those were not hard rules because CyberBunker was accused of hosting child pornography sites in addition to a number of dark web marketplaces offering illegal drugs, stolen data and malware. In the raid, seven people were arrested and six other suspects connected to the bulletproof host are still at large.

A bulletproof host is a service provider that sells itself on promising customers freedom to conduct any activities they wish and protection from law enforcement. The CyberBunker case demonstrates how difficult it can be to shut down bulletproof hosts even when they are located in U.S.-friendly nations that cooperate on law enforcement.

Leo Taddeo, former special agent in charge of the cyber division of the FBI's New York office and current CISO at colocation provider Cyxtera, said enterprises should be wary of bulletproof hosts because they are the launching pad for "many criminal and even nation-state cyberattacks."

"Cybercriminals and spies prefer bulletproof hosts to launch their attacks because a bulletproof host can add a layer of anonymity," Taddeo told SearchSecurity. "A BPH [bulletproof host] that is located in a jurisdiction that has lax enforcement will also be more resilient against law enforcers."

Robert McArdle, senior threat researcher at Trend Micro, said that beyond enabling the distribution of drugs or child porn, bulletproof hosts can be used for command-and-control infrastructure.

"Where it makes a big difference is on any regulatory body or law enforcement that is attempting to take down long-term criminal infrastructure that is hosted somewhere that is nonresponsive, or is actively ignoring them," McArdle said. "Simply put, they are either run by organizations that have actively decided to ignore or resist any law enforcement requests, or are in a country with weak cybercrime laws that mean they are under little or no obligation to comply."

Taddeo added that because bulletproof hosts don't care what is hosted on their infrastructure, it is "hard for enterprises to use legal channels to shut down the sources of attacks."

German authorities said in a press conference that CyberBunker hosted the Wall Street Market, which was the second largest dark web marketplace before it was shut down in April, as well as the Cannabis Road marketplace and more. It's unclear how long German law enforcement was investigating CyberBunker or why authorities finally raided the company's data center after operating for so many years.

In the past, CyberBunker was known to host The Pirate Bay and WikiLeaks, but one of the more infamous connections was with a huge DDoS attack against antispam website Spamhaus. Following an argument, CyberBunker was blacklisted by Spamhaus and alleged protesters hit Spamhaus with what was possibly the largest DDoS attack recorded at the time, and large enough that it even knocked Cloudflare offline.

Sven Kamphuis, who ran CyberBunker via his company CB3ROB, was arrested in 2013 in connection with the attack and convicted in the Netherlands, but did not serve jail time.

It is currently unclear if Kamphuis was one of the seven arrested in this raid of CyberBunker.

Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers, including the original CyberBunker location in the Netherlands, told SearchSecurity the German investigation may have been slowed down because "there was not much known about what was going on inside."

"I think [law enforcement] needed this long to obtain evidence in other ways (like collecting traffic, chats, banking information, etc.)," Blaauw wrote via message. "The abuse mails from law enforcement and others are simply ignored [by Kamphuis.] This is their modus operandi since 1997 and it never changed."

Dig Deeper on Security operations and management