The Dark Underbelly of the Internet: Bulletproof Hosting and Phishing Epidemic


What is Bullet Proof Hosting [BPH]?

Within the digital community, bulletproof hosts are businesses that offer web hosting services with extremely loose regulations. ‘Bulletproof’ hosts can withstand takedown efforts and complaints without losing their service. This makes them appealing to anyone who wants to host dubious or unlawful content, such as websites that sell stolen or counterfeit items or phishing scams, which aim to fool users into disclosing personal information.

To put it plainly, bulletproof hosting is the darker side of web hosting, frequently linked to actions that are illegal and unethical.

Differences between conventional and bulletproof hosting

Let’s breakdown the main differences between bulletproof hosting and conventional methods.

Why is bulletproof hosting used?

One of the fundamental components of the cybercrime ecosystem is the Bullet Proof Hosting infrastructure. Attackers employ BPH as a reliable foundation for where to carry out their illegal activities such as:

  • Hosting botnets, malware C2 servers
  • Launching DDoS
  • Operate Phishing Pages
  • Hosting pirated/adult content
  • Dodging law enforcement

Breaking Down the Bullet Proof Hosting Structure

Dedicated BPH

Cybercriminals frequently use these services to host phishing, spam, and evil twin sites for as little as $15 so that they can keep them up as long as possible.

  • Often suitable for short-term campaigns and phishing where short-term lease is needed.
  • Provides basic hosting and anonymity.
  • Can meet Geolocation related asks.
Hosting Service offering anonymous offshore hosting

BPH with abused servers or compromised assets

BPH providers exploit dedicated legitimate servers and rent them to threat actors/groups. Often legitimate service providers are also being used illegally.

  • Suitable for reverse proxies, scanning, spam or brute force
  • Machines are created by abusing cloud service providers or compromised credentials
  • HVNC and other similar infrastructure

BPH with dedicated servers or data centers

BPH providers often have insiders in legitimate hosting companies and have a strong grasp on how to operate and comply with laws.

  • Often provide strategic geolocation according to the need
  • Virtually migrate virtual machines/data centers thus causing less downtime
  • Often suitable for backends and critical systems that could build infrastructure
Hosting service with VPS/VDS/Dedicated server

The above 3 structures/models are utilized by threat actors/groups based on their budget and requirements. BPHs with abused/compromised assets/credentials are the cheapest ones while BPHs with dedicated VPS/VDS/Data centers are the most reliable ones with less downtime and enhanced anonymity and features.

Business model

Case Study: Bullet Proof Hosting in the Real World

Bolster researchers have found some high-profile hosting providers in the cyber world which was detected while analyzing multiple phishing and scam URLs. Some of them are listed below:

  1. Private Alps
  2. Alex Hosting
  3. EliteTeam
  4. FlyHosting
  5. FiberGrid
  6. Warez-Host
  7. Ultahost

Countries where most of these hosting servers are located:

  1. Seychelles (Country in East Africa)
  2. Panama
  3. China

One of the above hosting providers [privatealps] was popular on underground forums offering secured hosting with VPS/RDP/VPN Dedicated Servers Webhost.

Advertisement on cybercrime forum

The advertisement and the threat actor claims to provide:

  • Windows/Linux Virtual Server
  • Web hosting
  • Tor hidden hosting
  • No log policy
  • Dedicated servers
  • 40/100 GBPs servers
  • Storage VPS
  • DMCA ignored
  • Anonymous Domain Registration



Jabber: [email protected]

Onion Link: 4wfsdhkbrdt6jwlozcmw2lzthoghgdrt3pty2vfre2ysdguvpazwfjad[.]onion

BPH Through the Eyes of Bolster’s Team

Bolster’s team was previously able to trace back one of the bullet hosting providers (Fly-Hosting) that were utilized to host multiple malicious sites, the majority of which focused on the online gaming industry. We were attempting to suspend the domain’s services through the registrar, but after more investigation, we discovered that the threat actor organization responsible for the fraudulent sites also owns Fly-Hosting Infra.

The Bolster SOC team began researching this malicious hosting provider and started compiling the domains hosted on the IP range owned by Fly-Hosting. After further investigation, we were able to identify the actual infrastructure provider where the server was located and kicked off the process of taking down their entire server.

We discovered the servers were in Germany (DE), and we could take down the entire server since it had been involved in malicious conduct that violated the TOS (Terms of Service) and German laws and regulations.

Geolocation: Germany

Tactics used by threat actors

  • Domain Registration Patterns: Threat actors frequently purchase domains in similar patterns, such as utilizing the same registrar or changing the Top-Level Domain (TLD).
  • Monitoring Period Evasion: To escape discovery, these malicious domains often remain inactive for 10-30 days which is the monitoring period set by most registrars once any domain is purchased from them.
  • Preference for CC TLDs: There is a tendency to register domains under country code TLDs (CC TLDs) from smaller nations, taking advantage of their smaller support teams and lower compliance with complaints.
  • Strategic Activation: These domains go live and target users once the monitoring period ends.
  • Selective Victim Targeting: Threat actors use geolocation blocking, user-agent filtering, and IP range limits to avoid discovery.


The rapid transition to digital platforms offers advantages, but it also creates new opportunities for cybercriminals, particularly those who use Bulletproof Hosting (BPH) to carry out their fraudulent activities.

Continuous monitoring and proactive research are critical in phishing site detection and prevention, particularly against bulletproof hosting solutions. With recent advancements and stealthy methods used by threat actors to carry out phishing attacks, host malicious C2 servers and set up markets for legitimate businesses, it is becoming difficult for legitimate businesses to take down the activities and presence of the digital world on a large scale.

Our findings also highlight the need for continuous monitoring and research in the realm of phishing sites and bulletproof hosting providers hunting to identify and combat such threats preemptively.

Bolster’s anti-phishing and domain monitoring AI-technology protects your business from evolving phishing threats. With continuous scanning technology that quickly identifies threats and misuse of your branded assets, you can trust Bolster will protect your business.

See Bolster in action when you request a demo.