The U.S., UK, and Australia Just Sanctioned Another Russian Bulletproof Host

What seems like a subplot from “Mr. Robot” actually happened out of St. Petersburg when the U.S., Australia, and the U.K. sanctioned Media Land LLC, a bulletproof hosting provider based in Russia, on Nov. 19.

Authorities also targeted Hypercore Ltd., which they believe is a shell company for Aeza Group. Aeza Group is a well-known bulletproof hosting provider that the U.S. already sanctioned earlier this year.

“Bulletproof hosting is a key component of the cybercrime ecosystem, providing a digital ‘safe haven’ for cyber-criminals that can appear resistant to law enforcement takedown activity,” explained the U.K.’s National Crime Agency Deputy Director Paul Foster.

A pyramid showing the 3 different layers of cybercrime forums and marketplaces goods, products, and services
Source: OWN

Sanctions aren’t arrests, but more like banishments. Any Media Land-related companies or individuals now have their assets frozen and citizens or businesses in the U.S., U.K., and Australia are legally barred from fraternizing with them.

If a U.S. citizen does associate with a sanctioned company, they’d likely face civil fines that can reach six figures. But if officials determine that the contact was intentional, it moves into criminal charges. Treasury can also revoke licenses or issue cease-and-desist orders. The U.K. and Australia have similar penalties.

“These so-called bulletproof hosting service providers like Media Land LLC provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said John K. Hurley, who oversees terrorism and financial-intelligence policy at the U.S. Treasury.

Cybercrime Has a Home, and It’s Someone’s Hosting Platform

Bulletproof hosts, web hosting services that ignore or evade law enforcement requests, are much more prevalent than many people imagine.

In February, the U.S., U.K., and Australia sanctioned Zservers for providing infrastructure to Lockbit, a ransomware group. Then in July, the U.S. sanctioned Aeza for facilitating ransomware attacks and the sale of black-market drugs.

These sanctions are a reminder that every attack — ransomware, DDoS, extortion — has to live on somebody’s infrastructure, whether they’re in data centers or unusual locations, like CyberBunker, which operated out of a former Cold War bunker.

Entrance to the CyberBunker bunker
Source: Wikipedia

A blog analyzing Russian-language forums noted there were about 40 active BPH services on major cybercrime forums in 2024, with 17 new ones born between 2022 and 2023.

European hosts have to be extra wary: There’s a reason so many of these bulletproof hosts are based in places like Russia, Moldova, and the Baltics, and it’s that those jurisdictions are slower to respond to abuse reports.

But for the people providing this infrastructure, the financial incentive is tempting.

Honestly? Crime Pays Big

One Russian host, BulletProof Web, has quoted around $35,000 per year for bulletproof hosting. It’s unclear if they’re still active — they also refer to themselves as CyberBunker, which was shut down in 2019 — but the number gives a sense of the going rate.

Screenshot of sample plan cost by a real bulletproof hosting provider.

The plan includes:

  • Server hardware and basic setup: $10,000-12,000
  • Add-ons and software: a few hundred to $1,000
  • The “Stealth” package: $8,970 (activation + install)

That “stealth package” likely covers things like masking customer identities, using offshore or forged paperwork, rerouting traffic, and setting up servers that are specifically designed to evade law enforcement via tools like VPSes, proxies, and VPN nodes.

The idea, obviously, is that the cash made from cybercrimes will heavily outweigh these operating costs. According to WIRED, the operator behind the Bredolab botnet — which infected more than 30 million machines — pulled in $125,000/month by renting out access to his network to spread malware, run spam campaigns, and launch DDoS attacks.

The malware known as infostealers helped criminals steal around 2.1 billion credentials. A sample of just 161 profiles can sell for between $540,000 and $715,000. One report estimated that stealer-as-a-service operators can pull in profit margins above 90%.

The Phorpiex botnet was also estimated to generate about $500,000 per year, while the ad-fraud botnet Methbot was making between $3 million and $5 million per day at its peak.

Not a bad profit margin for someone working in hosting’s underbelly.

But your average hosting provider wants nothing to do with this. The problem is how easy it is to get entangled anyway; you can be far removed and still end up peering at a bulletproof hosting provider without realizing it. Always triple-check where your traffic is going and who it’s going to on the way.