Dutch police capture 127 bulletproof cybercrime servers

Update Feb. 14, 2025: The Amsterdam police cybercrime team has seized 127 XHost servers. Taking down the bulletproof service required two years of preparation.

A bulletproof hoster protects cybercriminals by hiding their identity. The Dutch police (Politie) state (in Dutch) that hosters like these pose a great danger as “safe havens” for malicious actors. In addition, the servers in question contain all kinds of tooling, from ransomware to botnets and malware. A server belonging to Conti and LockBit was also found, indicating that the server owner had contact with the biggest cyber threats worldwide.

Original post, Feb. 12, 2025:

The United States, the United Kingdom, and Australia are imposing sanctions on Russian bulletproof hosting services provider (BPH) ZServers because of possible ties to the LockBit ransomware gang.

According to a statement from the Australian Federal Police (AFP), Russia-based hosting provider ZServers provides services to certain cybercriminals behind a major hacking attack in late 2022 on Australian health insurer Medibank Private Health. In this attack, the sensitive data of millions of policyholders was stolen.

The ransomware gang LockBit allegedly sold this data to other criminals through ZServers’ servers. They also reportedly extorted many Australian individuals and businesses with the stolen sensitive data through these environments.

Bulletproof hosting

ZServers is a provider of so-called “bulletproof hosting” services. These web hosting services are very difficult to take offline and are therefore favored for questionable or malicious activities. These include hosting malware, phishing sites or botnets.

These BPH services often ignore requests from judicial authorities and DMCA requests or fail to respond to complaints of abuse.

The sanctions now imposed on ZServers by the US, UK and Australia apply to the company and individual employees. These are presumed owner Aleksandr Bolshakov, senior employees Aleksandr Mishin and Ilya Sidorov, and other employees Dimitriy Bolshakov and Igor Odintsov.

The sanctions themselves consist of travel restrictions and financial penalties. ZServers’ assets in the three countries will also be frozen.
