C (13:02)

Yeah, thank you so much. Our team at Silent Push has been looking at different ways to classify the Internet since we were founded. We are essentially a company that scans the Internet and we are creating feeds of known bad infrastructure for our clients. So pretty much an early thing that we were looking at was malicious ASN ranges, bulletproof hosts. And how could we classify large groups of the infrastructure as bad?

B (13:31)

Well, define for us what exactly bulletproof hosting entails today.

C (13:38)

Yeah, that's a good question. Bulletproof posting is a practice that's been around for about two decades, and it really was a term created to describe the Russian business network, which was essentially a malicious hosting company based out of Moscow around 2006. And they were essentially hosting anything bad they could possibly find from malware, phishing, financial fraud, csam, and pretty much everything bad on the Internet that some criminal wanted to host. They were open to hosting it. And so when that sort of came about, a lot of folks were trying to figure out, what is this? How do we talk about this? And so we sort of came up with the idea of a bulletproof host, or rather the industry did. And it really is a hosting company that ignores legitimate abuse complaints. So when a cybersecurity company identifies a domain that's promoting malware or phishing infrastructure, they may send in abuse complaints to that hosting company or the registrar that registered the domain and try and get that infrastructure taken offline. And when you do that with a cloudflare or Google or Microsoft or any of the major hosting companies, they absolutely review those requests and they take action when something is malicious But a bulletproof hosting company, you may send that in to some email address they have, and really that complaint just kind of goes right into the dumpster. They explicitly say they're going to ignore entire categories of abuse and threat. Actors love that.

B (15:18)

And is it the fact that, as you mentioned, most of these folks are operating out of Russia? Does the government simply turn a blind eye?

C (15:27)

Yeah, that's. The geography of where these bphs are hosted is really interesting. They are typically and historically have been in jurisdictions which essentially ignore international laws, which they don't have within that country. So Russia has very specific legal frameworks. And so if there's a basically a hosting company that's violating the laws in the United States, that hosting company isn't technically under the same pressure in Russia, whereas many other countries, let's say Europe, Latin America, Africa, African countries, there's a lot of places where they play ball where it may not be their law, but let's say someone is violating a US Law, like the dmca, the Digital Millennium Copyright Act. That's sort of the classic law that was used to take down sport, illicit sports streaming, illicit movie and TV show streaming, and that's the. The basis of torrenting. And there's many bphs that love to have this type of illicit streaming because it's, quote, not illegal in their home country. And so they're essentially just ignoring certain U.S. laws. And that is sort of the modus operandi where a BPH is ignoring laws from other countries. And they're based in specific jurisdictions where they usually aren't worried about law enforcement raiding them or holding them accountable to foreign laws. And so for decades, it really, the first decade or so, it was primarily in Russia where we were seeing these. But now, two decades or so since the start of this problem, they're everywhere. We're tracking over a hundred ASNs that are operating as bulletproof hosts. And while many are located in Russia, they're located in Hong Kong, other places in Asia. Some of these are legally registered in the uk, Some are legally registered in Wyoming. There's a whole different ecosystem now.

B (17:41)

So looking at the research here, what are some of the things that you hope people take away from it that maybe they don't know about? Bulletproof hosts.

C (17:50)

Yeah. So we think it's really important for everyone to be not only trying to understand what is a bulletproof host, what are the crimes that they support, who are their criminal clients, but also how are they getting online. And so we have a lot of details in our report about peering. And without getting too in the weeds on the technical details. The Internet is a series of tubes. And a famous former senator from Alaska, Ted Stevens, said that many years ago and a lot of people were critical of that. But it is actually a really simple way to think about it. Where the Internet is broken up by ASNs and autonomous system numbers, they essentially are where IP addresses are associated. And so an organization like Cloudflare, Google, Microsoft, they have an ASN number or maybe even a couple ASN numbers, and they could have tens of thousands or hundreds of thousands of IPs they map to it. And then in order for people to be able to connect to their websites, they basically need to connect their ASN up to other ASNs. And so imagine I'm a Cox Communication ISP user and I want to connect to infrastructure on Cloudflare. That Cox ASN needs to have a peering relationship in some way that connects to cloudflare. And so someone like a Cloudflare or these other enterprise hosts typically have hundreds of peers, or thousands even. But the bulletproof hosting providers may only have one or two peers. And what this means in practice is that really suspicious hosting company that's operated out of the basement of someone's house, they maybe rented some infrastructure, they've been able to get an asn, but no one can connect to their infrastructure. They're just sitting off alone. The Internet doesn't connect to them because they have no peers. They can start reaching out to other bulletproof hosting companies, other low quality hosting companies and say, hey, will you peer your ASN to my ASN so that everyone in the world can connect to us? And so when you start to investigate a bph, you can see who they're basically working with, how those data flows between their malicious host and the rest of the Internet work. And we can start to hold these peering partners accountable. And there was a really interesting law enforcement action just last month against Media Land and hypercorp. And these are basically BPH operators that were financially sanctioned in the us, the UK and Australia. But what's really important about it is these are basically Russian bulletproof hosts. We are not going to be able to raid their facilities, we're not going to be able to seize the servers. But they took this opportunity to issue the financial sanctions because the primary peer for those, those bulletproof hosts is an ISP located in the uk. And so by having those financial sanctions, they could then go to that peer in the UK and say, hey, one of your partners actually is completely doing illegal stuff and there's now financial sanctions so that if you continue to do business with them, you're going to be held accountable for all of these sanctions frameworks and potentially face fines or other ramifications. And so it was a really savvy way to try and disconnect that BPH from the Internet.

B (21:27)

Are law enforcement efforts like that effective? I mean, you know, we always. It was that old chestnut about this being a game of whack a mole.

C (21:35)

Yeah, that's absolutely the case. And, and with BPH operators, it is absolutely true that whack a mole would be the simplest way to describe them where when there is a takedown, their clients may all run to another BPH. The IPs that were rented at that BPH may suddenly show up somewhere else. And we see that basically every month there's law enforcement actions happening that are quite public and others somewhat more behind the scenes. But in just the last couple of years, there's been a dramatic increase in law enforcement actions against BPH providers, and we should all be really encouraged by that. Where in November, Dutch authorities literally raided one bulletproof hosting provider named Crazy RDP and seized the servers. And that's really the gold standard where when law enforcement is able to physically locate the bulletproof hosting operator and has jurisdiction to go into that location, then that shuts down the operation. All of those clients immediately lose their infrastructure and it really creates chaos for them. But the second best option really is still that those financial sanctions. And we've seen quite a few financial sanctions being issued, not only Medialand and Hypercore. The Funnel CDN out of China was sanctioned in May 2025 by US authorities. And the Funnel CDN is a very interesting threat actor hosting company because they've been hosting investment scam websites that have resulted in more losses than any other network that exists with US victims losing over $200 million through just this one bulletproof hosting provider. And so we're at a place where the losses are significant with some of the infrastructure that can be hosted on a bulletproof host. And they're clearly those threat actors that host on them. Target a lot of those malicious sites to us.

B (23:44)

Folks, for the defenders who are in our audience here, what, what, where should bulletproof hosting be on their spectrum of awareness? How important a thing is this to. To keep an eye on?

C (23:59)

Yeah, I would say it's, it's easily in the top five for all priorities. And the way we sort of advise our clients, there's over a hundred BPHS and 99.99% of the stuff on those is malicious. It could be malware, could be C2 hosting, could be phishing infrastructure, financial fraud, CSAM, all types of horrible things. And the reality of that is that if we aren't approaching it as though it's a threat, that every threat actor loves to use, a tool set that every threat actor loves to use, then you're going to be attacked by a lot of stuff that you don't have defenses for. And so we urge people to know what the bphs are, to have a defense strategy, and at the very least be alerting on connections from those BPH hosts. And we know many of our clients and many folks in the industry actually block outright block connections from bphs. And that's absolutely also a good strategy. But at the bare minimum, folks need to have knowledge of what these ASNs are and have a process that allows them to alert when any domains that are mapped to an IP on one of those bphs somehow either connects to their infrastructure or one of their users reaches out and has their device reaching out to one of those hosts.

B (25:29)

That's Zach Edwards from Silent Push. We have a link to his team's research in the show. Notes.

C (25:45)

The world moves fast. Your workday even faster Pitching products, drafting reports, analyzing data Microsoft 3365 Copilot is your AI assistant for work built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create and summarize so you can cut through clutter and clear a path to your best work. Learn more@Microsoft.com M365Copilot this episode is brought.

A (26:16)

To you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Indeed sponsored jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate C According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

B (26:46)

And finally, for some Police Service of Northern Ireland officers, a 2023 data breach is starting to look less like a one off disaster and more like an unwanted subscription service. After their names were mistakenly exposed last year, dozens of those same officers briefly reappeared this week on the NI Court's website. Their Department of Justice says the listings were promptly removed and emphasized that court information is usually public unless lawyers ask otherwise, a policy that works best when nobody is already living through a privacy nightmare. Police Federation Chair Liam Kelly called the episode avoidable and embarrassing, while politicians warned of renewed anxiety for officers and families. The timing, however, has not gone unnoticed. These same officers are still pursuing compensation over the original breach, and some are now openly wondering whether this latest slip up might qualify as a sequel. That possibility lands just as the Police Federation for Northern Ireland welcomed a 7,500 pounds compensation offer for the thousands affected in 2023. In Northern Ireland's data handling saga, even mistakes appear to be compounding and possibly accruing interest. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapid way changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco.

A (30:17)

Wanna see your brand on tv? Roku Ads Manager makes it easy to launch targeted ad campaigns in minutes, track results in real time, and drive on screen purchases with just a click of the Roku remote. Get a $500 match on your first $500 spent with code ROKU500@ads.roku.com that's code ROKU500@ads roku.com Terms apply.