The anatomy of bulletproof hosting – past, present, future
Introduction
Few cybercrime enablers are as crucial and notorious as bulletproof hosting. Despite its importance, however, reporting on “DNS, web, mail or other services provided with either explicit or tacit actions not to disconnect customers who spam or engage in cybercrime” (Spamhaus’s definition of bulletproof hosting) is often dominated by sensationalism and tabloid-style “infotainment.” For those seeking more prosaic coverage of this topic, join us on a journey through the history, current state of affairs, and potential future developments in the bulletproof hosting threat landscape.
Monolithic bulletproof hosters: Declining, but still relevant
Just like their legitimate counterparts, bulletproof hosting providers (BPHs) rely on core components such as robust internet connectivity, IP address space, servers, networking hardware and physical premises. Furthermore, systems for managing customers, billing, support tickets, and resource allocation (e.g., hypervisors) are necessary as well.
As we elaborate in a later section, these “ingredients” may be provided by different facilitators, but the simplest form of both legitimate and bulletproof hosting has all of them provided by the same entity: the same company owns everything from the building to the virtual machines it provides to its customers.
Although resilience is an important aspect of running a legitimate hosting business as well (think of uninterruptible power supply, redundant network, and backups), BPHs have additional demands: they must shield their operations from interference by law enforcement, security researchers, and vindictive ex-customers or competitors. At first glance, reducing dependencies as far as possible seems beneficial to business resilience. Some “monolithic” BPHs take this to the extent of maintaining a direct presence at major internet exchange points and multiple uplinks to tier-1 carriers with lax customer vetting, creating a robust network connectivity setup.
While Spamhaus is aware of several monolithic BPHs still being active today, we assess owning physical datacenters (once a significant asset) has increasingly become a liability, as it makes relocations costly and time-consuming, reducing room for manoeuvre in case adversaries are zeroing in on a BPH’s premises.
How BPHs respond to pressure is a topic of its own. Spamhaus has frequently observed monolithic BPHs attempting to lie low after major incidents such as (soft) law enforcement action, presumably to remain in business and avoid full-blown takedowns. For example, following a raid in 2020, a long-running BPH based in the Netherlands largely cleaned its networks of technical threats (such as malware distribution, phishing and botnet controller hosting) and, according to our assessment, has ever since constrained its customers’ abusive activities to hosting pirated content and similar non-threatening types of content (which commonly receive less scrutiny from security researchers).
It is important to note that, contrary to what “monolithic” suggests, all types of BPHs frequently involve several corporate entities, particularly shell companies. In some cases, differentiating between those and third party facilitators is difficult, blurring the line between monolithic BPHs and the next archetype.
Separation of liabilities: Bulletproof hosting built atop disposable ingredients
The majority of active bulletproof hosting providers Spamhaus currently tracks follows a different modus operandi: By deliberately having key functionality provided, owned or controlled by different business entities, they strive to hamper efforts to identify parties responsible for abusive activity and increase resilience against terminations or takedown attempts.
As mentioned before, the use of shell corporations has always been a common sight in the bulletproof hosting landscape. However, modern BPHs are taking the game further, compartmentalizing the required technical and business components to maximize the robustness of their operation. Rather than running their own, they source the necessary “ingredients” through reseller schemes, abusing services offered by legitimate (and cybercrime-tolerating) companies, such as datacenters and IP address brokers. A comparison between the aforementioned Dutch bulletproof hoster and a now-defunct, non-monolithic counterpart (also physically hosted in the Netherlands) illustrates the added complexity:
| | Monolithic Dutch BPH | Non-monolithic BPH |
|---|---|---|
| Server/VPS offerings | Through public-facing websites easily attributable to involved business entities. | Shell corporation maintained non public-facing website, likely advertised on underground forums and via public-facing, Cloudflare-hosted websites operated by seemingly unrelated brands/entities. |
| Hardware | All owned and physically operated by key personnel, except for major colocation customers. | Servers partly owned by key personnel, leveraging colocation services (including remote hands-on) by datacenter operator. |
| Connectivity | Several tier-1 upstreams and presence at Dutch internet exchange points via decoy ISPs. | Through reseller services by datacenter operator, including decoy carrier and remote connectivity at Dutch internet exchange point. |
| IP allocation | Direct allocations from RIPE, very static. | Leased from several IP brokers, partly through reseller schemes involving the datacenter operator. |
| Company | Several long-running British, Dutch and Seychellian corporations. | “Disposable” US-based shell company with anonymous directors, set up via prominent corporate registration service. |
| Datacenter | Owned and physically operated by key personnel on a day-to-day basis. | Colocation services in a Dutch datacenter, occasional on-site visits by key personnel. |
Such “layered” cybercrime business models have been observed by Spamhaus as early as 2008. However, the shift from a monolithic approach to this “separation of liabilities” model has gained significant momentum in particular among BPHs physically based in Western jurisdictions. The corporate entities involved are frequently (and presumably deliberately, so as to delay ongoing law enforcement investigations) based in many different jurisdictions, effectively creating “firewalls” of plausible deniability between the different layers of a BPH operation.
Investigators and members of the anti-abuse scene may recall rather unsatisfying conversations about abuse incidents akin to:
- Datacenter operator: “This is a colocation customer of mine, go talk to them.”
- Colocation customer: “Talk to the server owner, I just operate the hardware.”
- Server owner: “I just rent out virtual machines, I have no idea what’s happening. Oh, and I don’t do customer vetting, so there’s only an e-mail address and a cryptowallet I have on the problematic customer.”
- Upstream ISP: “We only route packets, we can’t police what content is being sent and received. Doing so smells like censorship!”
Separating liabilities through seemingly unrelated companies also allows criminals to potentially learn about ongoing law enforcement investigations at an earlier stage, permitting them to tip off the involved customers, tamper with evidence and jeopardize forthcoming operations. Spamhaus is aware of incidents where law enforcement requests sent to one BPH facilitator were disclosed to entities directly operating the bulletproof hosting operation.
Such layered operations also allow bulletproof hosters to issue legal threats against their facilitators: One particular, now-defunct BPH was leveraging decoy ISPs incorporated as US-based shell companies to procure connectivity from legitimate datacenters (a decade-old tactic in this realm). Facing imminent suspension by the latter, legal threats were being issued against the datacenter, as the ISP cannot be held liable for the abuse emanating from its “customers.”
While the availability of reseller schemes (and poor customer vetting thereof) is central to enabling non-monolithic bulletproof hosting, one particular facilitator class has been key in fueling this development:
The rise of IP(v4) address brokers
Similar to its legitimate counterpart, the availability of IPv4 address space is crucial to bulletproof hosting operations; related internet abuse remains a largely IPv4-centred phenomenon (although botnet spam recently saw an uptick in IPv6 emissions, and Spamhaus is aware of several professional spammers operating out of IPv6 address space only).
Fueled by an ongoing demand in IPv4 address space, a number of IP brokers have emerged, offering networks for rent or sale, as well as adjacent services, such as assistance in setting up Autonomous Systems. Customer vetting and abuse handling practices vary greatly between different IP brokers.
The result is hardly surprising: IPv4 address space increasingly becomes a disposable asset to miscreants – spammers and bulletproof hosters alike. One IP broker pulls the plug and retracts the network they have rented out? Law enforcement seizes control during a takedown operation? Nevermind, move on to the next one, reassign new IP addresses, and resume activity.
Occasionally, Spamhaus also observes bulletproof hosting on hijacked IP networks, effectively “digital no man’s land” whose legitimate owner has vanished, merged, or simply abandoned a network. This unclear ownership greatly impedes determining the entity responsible for abusive activity; it often takes years to resolve IP hijacking incidents. However, (semi-)legitimate IP broker schemes can offer IP address space at a greater disposability factor, while hijacked networks tend to be static and included in common blocklists. Most BPHs, therefore, currently seem to prefer abusing IP brokers over networks sourced via IP hijacking.
As if the aforementioned separation of liabilities wasn’t enough, some IP brokers greatly aggravate this situation: by not maintaining accurate Regional Internet Registry (RIR) data, customer identities are obfuscated; in some cases, even the involvement of an IP address broker cannot be seen from publicly available information. When in contact with Spamhaus (usually after Spamhaus Blocklist listings were issued), back-and-forth discussions about a customer’s merits and why they repeatedly appeared on a broker’s services are a common occurrence. Over recent years, the abuse situation at several IP brokers has deteriorated so much that Spamhaus had to list entire IP allocations to protect its users.
Several bulletproof hosting operations have been observed by Spamhaus to practice “IP broker hopping,” responding quickly to terminations by procuring services from a different IP broker. As a bonus, the involvement of IP brokers adds yet another layer to the aforementioned “separation of liabilities” model, and renders efforts to freeze or retract IP address space, a potential countermeasure currently discussed among anti-abuse and law enforcement circles, ineffective.
(It is not all doom and gloom, however: Some BPHs appear to be significantly attached to their IP address space, even going so far as to buy once-rented prefixes from the IP broker involved, as Spamhaus observed in the case of a US-based bulletproof hoster in August 2025.)
Living off trusted services: LOTS of headache for defenders
Finally, the greater phenomenon of abusing trusted services, where widely used yet heavily abused services (e.g., certain Content Delivery Networks (CDNs)) become key enablers to malicious internet activity, encompasses bulletproof hosting as well. Spamhaus observes domains moving from BPH infrastructure behind CDNs on a regular basis.
Unsurprisingly, miscreants are learning from this: a Malaysia-based ISP catering to legitimate, questionable and openly rogue customer clienteles alike routinely advises the latter two to leverage Cloudflare’s CDN services for hosting websites, rather than pointing the domain’s DNS records directly at the ISP’s networks. (It is Spamhaus’s assessment that this ISP utilises different IP networks for different customer clienteles, rather than attempting to thoroughly mix legitimate and illicit infrastructure. A website dedicated by this ISP to a Chinese-speaking cybercrime clientele was shut down in 2023, following pressure from anti-abuse circles.)
Abusing high-profile internet infrastructure - effectively “too big to block” - also reduces the necessity of maintaining criminal disposable front-end/reverse proxy infrastructure such as the one we outlined in 2019.
Defenders and investigators are left with bulletproof hosting operations consisting of complex webs of moving parts, with facilitators being disposable or exchangeable, in some cases obfuscated entirely from publicly available information sources.
Outlook and implications
Given its relevance to cybercrime as a whole, a lasting decline of bulletproof hosting activity is considered unlikely by Spamhaus. Instead, seeing their non-monolithic competitors thriving by leveraging aforementioned “separation of liabilities” schemes may incentivize miscreants to adopt this modus operandi, potentially joining the BPH market. While some facilitators, especially IP brokers, have significantly improved their customer vetting and abuse handling procedures following onslaughts of fraudulent sign-ups, obtaining IP(v4) address space remains feasible and affordable.
Spamhaus therefore expects non-monolithic BPHs to continue thriving in jurisdictions with elevated pressure from law enforcement, while their monolithic counterparts seem to remain active in jurisdictions where law enforcement action is less effective, most notably, Russia. Efforts by miscreants to abuse trusted legitimate services (and the service owners’ ongoing failure of thwarting abuse of their platforms) will likely continue at a high operational tempo.
For investigators, this threat landscape may carry the following implications:
- Different “layers” of a bulletproof hosting operation may be operated by the same entity, jeopardizing ongoing investigations if law enforcement requests are issued to companies involved. Data returned from such entities cannot be trusted.
- Publicly available information, such as RIR databases, may not reliably reflect the current user of a network, particularly if an IP address broker is involved. In some cases, the presence of a broker might only be determined reliably via other sources, such as historical RIR data or routing history.
- Spamhaus is observing a rise of shell corporations in unobtrusive jurisdictions, predominantly the UK and USA, in conjunction with BPH activity. In contrast to other territories, such as prominent offshore countries, such shell corporations are more likely to fly under the radar during superficial customer vettings and investigations.
- Threat actors appear to deliberately leverage different jurisdictions for increasing resilience of bulletproof hosting operations, raising the bar for successful and sustainable takedowns.
- Seizure or retraction of single components is unlikely to permanently disrupt a bulletproof hosting operation, as illustrated by phenomena such as “IP broker hopping” above.
- If good network reputation is not crucial, BPHs also leverage hijacked IP networks for facilitating their operations. Public documentation of such networks is often outdated, incomplete or has been forged, requiring additional scrutiny (and potentially collaboration with the responsible RIR) to accurately identify entities responsible for abuse.
Defenders tasked with protecting their infrastructure from security threats may wish to resort to the following countermeasures to tackle abuse emanating from non-monolithic BPHs:
- In addition to IP-based blocklists, deploy Autonomous System (AS)-based ones such as ASN-DROP to preemptively block traffic to or from criminal operations quickly cycling through IP address space.
- Anticipate characteristics such as living off trusted services, which commonly renders IP-based filtering insufficient for achieving robust protection. Deploy domain-based blocklists such as Spamhaus's Domain Blocklist (DBL) on mail and perimeter infrastructure, and evaluate whether heavily abused services can be blocked entirely across your organization. For example, depending on corporate policies, blocking external file sharing or object storage services may be feasible for all (or some) users, preventively neutering security threats relying on their abuse.
- Don’t look at incoming traffic only! Imminent security threats can often be spotted (and prevented) by robust filtering of outgoing network traffic. Restrict such traffic as tightly as possible - why should a server be granted unrestricted internet access? - and ensure that attempts by internal infrastructure to communicate with blocked destinations are logged and investigated for indicators of compromise.
- Miscreants commonly strive for a clean reputation of abused IP addresses and domains, to reduce the likelihood of interference by blocklists and similar network security schemes. Thus, it is important not to focus exclusively on known BPHs when filtering malicious network traffic, but to prepare for the possibility of botnet controllers and the like being deliberately placed at abused, (semi-)legitimate hosting providers, especially those known for sloppy abuse prevention procedures.
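The three countermeasures above (AS-based blocking, domain-based blocking, and inspecting logged egress denials) can be combined into a simple triage step run over outbound firewall logs. The following is an added example, not Spamhaus code: the ASN drop list, domain blocklist, prefix-to-ASN table and log lines are all constructed placeholders (documentation ASNs and reserved address ranges), and the key=value log format is an assumption standing in for whatever your firewall emits. It does not fetch or parse the real ASN-DROP or DBL feeds; it shows the matching logic a defender would apply once those lists are loaded, including the case where a destination IP sits in an unlisted AS but the TLS SNI hits a listed domain (the “living off trusted services” pattern).

```python
"""Triage of egress firewall logs against AS- and domain-based blocklists.

Added example (not Spamhaus code). Every list and log line below is
constructed for illustration; ASNs are from the documentation range and
addresses from reserved blocks.
"""
import ipaddress
import re

# Constructed stand-in for an ASN drop list (placeholder ASNs, not real listings).
ASN_DROP = {64500: "placeholder-bph-network", 64511: "placeholder-broker-customer"}

# Constructed stand-in for a domain blocklist; a listing covers all subdomains.
DOMAIN_BLOCKLIST = {"bad-cdn-front.invalid", "payload-host.invalid"}

# Constructed prefix -> origin ASN table standing in for a route-view lookup.
PREFIX_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500),
    (ipaddress.ip_network("203.0.113.0/25"), 64511),
    (ipaddress.ip_network("203.0.113.0/24"), 64496),  # covering prefix, unlisted AS
    (ipaddress.ip_network("2001:db8::/32"), 64500),
]

# Constructed egress log lines: "<timestamp> key=value key=value ..."
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z host=web01 src=10.0.0.5 dst=198.51.100.7 dport=443 sni=update.example.invalid action=deny",
    "2025-08-01T10:00:02Z host=web01 src=10.0.0.5 dst=203.0.113.10 dport=443 action=deny",
    "2025-08-01T10:00:03Z host=db01 src=10.0.0.9 dst=203.0.113.200 dport=443 sni=static.legit.invalid action=deny",
    "2025-08-01T10:00:04Z host=app02 src=10.0.1.4 dst=192.0.2.9 dport=443 sni=edge.bad-cdn-front.invalid action=deny",
    "2025-08-01T10:00:05Z host=app02 src=10.0.1.4 dst=2001:db8::1 dport=25 action=deny",
]

KV = re.compile(r"(\w+)=(\S+)")


def origin_asn(ip_text):
    """Longest-prefix match of an IP against PREFIX_TABLE; None if unrouted here."""
    ip = ipaddress.ip_address(ip_text)
    best = None
    for net, asn in PREFIX_TABLE:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def domain_listed(fqdn):
    """Return the listed domain covering fqdn (exact or parent), or None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_BLOCKLIST:
            return candidate
    return None


def parse_line(line):
    """Split a constructed 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def triage(lines):
    """Flag denied egress attempts whose destination AS or SNI is listed."""
    findings = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        asn = origin_asn(f["dst"])
        if asn in ASN_DROP:
            reasons.append(f"dst AS{asn} ({ASN_DROP[asn]}) on ASN drop list")
        sni = f.get("sni")
        if sni and (hit := domain_listed(sni)):
            reasons.append(f"sni {sni} matches listed domain {hit}")
        if reasons:
            findings.append((f["ts"], f["host"], f["src"], f["dst"], reasons))
    return findings


if __name__ == "__main__":
    for ts, host, src, dst, reasons in triage(SAMPLE_LOG):
        print(f"{ts} {host} {src} -> {dst}: " + "; ".join(reasons))
```

Of the five constructed lines, four are flagged: three land in listed ASNs (one via IPv6, one only because the longest-prefix /25 overrides the legitimate covering /24), and one hits a listed domain despite its destination IP being in no listed AS at all, which is exactly why the post recommends domain-based lists alongside IP- and AS-based ones. The internal source hosts in the findings are the ones to examine for indicators of compromise.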
Finally, ISPs and hosting providers are strongly encouraged to thwart attempts to abuse their platforms by performing robust customer vetting (this includes screening other ISPs seeking connectivity) and by securing their network assets against IP hijacking attempts. In addition to preventive anti-abuse measures, responding quickly to abuse reports and leveraging threat intelligence feeds to detect ongoing abuse not (yet) reported by third parties is crucial to curb miscreants who made it past customer vetting and onboarding security checks.
