Group pleads guilty to running bulletproof hosting service for criminal gangs, malware payloads

Zeus, SpyEye, Citadel, and the Blackhole exploit kit were among the strains stored through the host.

Four individuals have pleaded guilty to running a bulletproof hosting service used by criminals to launch cyberattacks. 

The US Department of Justice (DoJ) said that Russian nationals Aleksandr Grichishkin and Andrei Skvortsov, alongside Lithuanian Aleksandr Skorodumov and Pavel Stassi, from Estonia, operated a bulletproof host between 2009 and 2015. 

Bulletproof hosting is a service in which a private online infrastructure is offered, and operators will generally turn a blind eye to what customers use their rented domains for. 

Copyright infringement notices are ignored, privacy is marketed as a feature of such services, and bulletproof offerings are the go-to for criminal groups seeking the infrastructure to host malware, establish command-and-control (C2) servers, and host illegal content including malicious software and child pornography. 

However, being willing to ignore the transgressions of clients does not mean that law enforcement will take the same stance, and in this case, the group has been charged with conspiring to engage in a Racketeer Influenced Corrupt Organization (RICO).

According to the DoJ, the group rented out servers and domains that were used in criminal campaigns including attacks against US companies and financial organizations. 

Malware including the Zeus and SpyEye Trojans, Citadel Trojan and credential stealer, and the Blackhole exploit kit -- used in drive-by downloads to serve payloads to victims -- were among those hosted by the bulletproof hosting provider. 

"A key service provided by the defendants was helping their clients to evade detection by law enforcement and continue their crimes uninterrupted; the defendants did so by monitoring sites used to blocklist technical infrastructure used for crime, moving "flagged" content to new infrastructure, and registering all such infrastructure under false or stolen identities," prosecutors say. 

All four have pleaded guilty to one count of the RICO charge in the US District Court in the Eastern District of Michigan and they may each face up to 20 years in prison. Sentencing has been set individually between June and September. 

The FBI investigated the case with help from law enforcement agencies in Germany, Estonia, and the UK. 

In December 2020 under "Operation Nova," police from the US and multiple countries seized three virtual private network (VPN) services used by cybercriminals. The VPNs were advertised on underground forums as a means to mask the location and identities of ransomware operators, Magecart attackers, and phishing fraudsters. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0