For years, gray market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia on Friday, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.
Rather than relying on web hosts to find ways of operating outside law enforcement’s reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn’t log traffic or mixes traffic from many sources together. And while the technology isn’t new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.
“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That’s the magic of a proxy service—you cannot tell who’s who. It’s good in terms of internet freedom, but it’s super, super tough to analyze what’s happening and identify bad activity.”