The Shady Geeks Hiding in Bunkers Trying to Nuke the Internet

By Sam Clements


Sven Olaf Kamphius, spokesperson for Cyberbunker, outside the company's real-life server bunker. Image via.

A couple of weeks ago, hackers launched the biggest DDoS attack the internet has ever seen. In case you've never indulged in tech news before (and, I mean, why would you? It's not like your whole life relies on technology on a daily basis), a DDoS attack is basically overloading a website with traffic until its servers have a panic attack, temporarily or sometimes indefinitely blocking anyone from accessing the targeted site.

Obviously that doesn't sound particularly momentous next to people being blown up and systematically repressed all around the world, but – according to cyber experts – this attack was the equivalent of "a nuclear bomb" dropping on the internet. Which does make it worthy of attention from anyone with a vested interest in the world wide web (AKA, half of planet Earth), especially considering DDoS attacks can be used to wreak havoc on emails and internet banking, which are both pretty integral to the way every single business operates these days.

The attack in question came after a dispute between shady internet hosting company Cyberbunker and Spamhaus – an online spam policing service – reached fever pitch. Spamhaus blacklisted a handful of Cyberbunker's clients for being irritating spam menaces, then an "online collective" (thought to be made up of members of Cyberbunker and Stophaus, an anti-Spamhaus forum) retaliated with an attack that not only crippled Spamhaus' network, but got internet experts flapping their arms hysterically in fear of the whole net getting clogged with unpoliced spam and grinding to a halt.

Although it denies providing hosting for companies that vomit spam into your inboxes, Cyberbunker does claim on its website to host everything "except child pornography and anything related to terrorism" (noble). The company also offers complete anonymity to its customers, which has attracted the likes of torrenting sites, such as The Pirate Bay (RIP), in the past. Beyond that, it’s not totally clear if Cyberbunker is aware of or really give a shit about who its other customers are and what sort of content they host.

Having officially moved its operation away from the not-so-secret decommissioned nuclear bunker in Kloetinge, the Netherlands, Cyberbunker claims to run an underground operation encased in several other military facilities. And if a shady internet hosting company with links to the cyber underworld hiding away in a nuclear bunker doesn't already sound enough like a GCSE-level Tom Clancy rip-off, the bunkers are reportedly used to house an MDMA lab.


Cyberbunker servers. Image courtesy of Cyberbunker.com.

When I called up Dutchman Sven Olaf Kamphius, the public figurehead of Cyberbunker and self-proclaimed internet freedom fighter, he explained the company’s policy towards customer data:

“We, as a provider, are not supposed to determine if something is against the law – that’s up to courts and judges,” he told me. "If customers come to us and say, 'I have an illegal website and I do credit card fraud,' we go, 'Hmm, why don’t you adjust your business model a bit?' We can't help people who are already saying that they’re doing criminal stuff. That's completely impossible. Those people are never going to win any court cases."

So despite their apparent brazenness, Cyberbunker does like its customers to show at least a little discretion with their operations, but – until the company is told to remove content from its servers by a court order – that’s where it stays. And as for the MDMA lab, "That was a Chinese triad gang renting a room," Kamphius explained, debunking the idea that his company is involved in narcotics manufacturing as well as nefarious online activities. "They were pretending to be a 'painting company', and they were officially registered, but they registered with fake passports," he told me.

"Bulletproof hosting" – such as Cyberbunker – is a business model inextricably tied to hardened cyber-criminals. For instance, the world's most prolific online outlaws, the Russian Business Network (RBN), maintained a legitimate front as an ordinary internet service provider while also being linked to around 60 percent of the world's cyber-crime, cultivating botnets (robot armies) for DDoS attacks, committing mass identity theft and fraud and generally getting rich by using the internet to make people's lives hellish. 

Rik Ferguson of internet security firm Trend Micro spends his days investigating cyber-crime. When I called him he explained that bulletproof hosting companies attract so many clients involved in internet crime because they routinely ignore complaints made about the content on their servers. This makes it very tricky for the authorities to find any evidence of wrong-doing.

“Their business model – and their promise to you as a customer – is that they will not react to the requests that are sent to their abuse address," he told me. "In the event of law enforcement actually getting access to their hardware through a court order, they promise no logs will be maintained, so there'll be nothing extra there to incriminate their customers. Obviously, it’s a service designed for people operating outside of the law.”


The entrance to Cyberbunker's server bunker. Image via.

After coming under fire from bloggers and the media a few years back, the Russian Business Network slipped off the radar, with some reports suggesting they've moved their operation to China. Having stepped into the shadows, large criminal internet service providers of their ilk have dispersed into lots of much smaller groups, offering slightly more bespoke services to anyone who wants to get away with doing naughty stuff online.

“It’s a much more fragmented market now. So, for example, we see the bulletproof hosting companies; we see crypting services that are designed to test if malware is undetectable by standard software; we see companies offering exploit kits, which is like a web server that will allow you to automatically exploit people that land on your website, and then there are the groups actually creating the malware itself.”

Even though all this catered privacy exists, cyber criminals – shrouding themselves behind a Hadrian's Wall of encryption and disguised IP addresses – are mostly unfazed by legal investigation. Which is because they're aware that the compatibility of laws between various countries and the time it takes for authorities to cooperate can drag on for years. Currently, the authorities that are supposed to be preventing their operation are too inflexible to do it effectively, like a wooly mammoth trying to stamp on cockroaches.

"Trend Micro was tracking the DNS changer malware and providing intelligence to law enforcement for about six years," Ferguson continued. "And the FBI activity, in conjunction with other law enforcement agencies, lasted four years before they were confident enough to start making arrests."

Rik also told me that most of the new spam to hit the internet within the last year originated in Saudi Arabia and India, neither of which have been known for their spamming habits in the past. That's just one example of how the digital trail authorities have to follow is constantly bouncing around the world, while the physical servers hiding that trail are located over hundreds of different legal jurisdictions, from bunkers in the Netherlands to the Principality of Sealand, which is supposedly operating as an offshore data haven on its fort off the Suffolk coast. Essentially, cyber criminals are free to run amok in different directions simultaneously, across both the physical globe and the internet. When government agencies give chase, the inescapable red tape keeps on making them stop to tie their shoelaces.       

Follow Sam on Twitter: @sambobclements

More dodgy stuff going on online:

The Future Of Crime

The Future Of The Internet

The Reuters Journalist That Played With Anonymous And Got Burnt

Comments