28 Sep 19

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.

The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility — dubbed the “CyberBunker” by its owners and occupants — served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”

German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.

The former military bunker in Germany that housed CyberBunker 2.0 and, according to authorities, plenty of very bad web sites.

The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.

We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.

We also know the German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com), and cb3rob[.]org.

A “seizure” placeholder page left behind by German law enforcement agents after they seized cb3rob.org, an affiliate of the CyberBunker bulletproof hosting facility owned by convicted Dutch cybercriminal Sven Kamphuis.

According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.

Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as CyberBunker and ran out of a five-story military bunker in The Netherlands.

That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 1,800 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.

Guido Blaauw, in front of the original CyberBunker facility in the Netherlands, which he bought from Mr. Xennt in 2011. Image: Blaauw.

Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.

Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blaauw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers were] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”

Firefighters investigating the source of a 2002 fire at the CyberBunker’s first military bunker in The Netherlands discovered a drug lab amid the Web servers. Image: Blaauw.

Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.

“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”

The former Facebook profile picture of Sven Olaf Kamphuis, shown here standing in front of Cyberbunker 1.0 in The Netherlands.

About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

Some of the 200 servers seized from CyberBunker 2.0, a “bulletproof” web hosting facility buried inside a German military bunker. Image: swr.de.

The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.

A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Cyberbunkers 1.0 and 2.0 owner and operator Mr. Xennt, top left, has been compared to a “Bond villain.” Image: The Sunday World, July 26, 2015.

Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.

Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:

Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):

The former CyberBunker in the Netherlands, since redesigned as a security operations center by its current owner. Image: Blaauw.

I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted is also building networks of money-laundering businesses that become very tempting to use or lease out for other nefarious purposes, including human trafficking and drug trafficking.


53 comments

  1. I want a Bond villain bunker! Nice read, thanks Brian.

    • Good, aren’t they? There’s plenty to choose from, in pleasant rural surroundings. And all for the price of a modest luxury city apartment. I’ll have one as soon as I’ve got myself a white Persian cat and a monocle.

      • For the aspiring frugal villain, the Czech military is selling smaller infantry bunkers (about the size of a cottage) for less than $4000 in some cases. They are all in great outdoors locations (hilly and forested border areas), in a safe European country with 4G coverage.

  2. Brian Fiori (AKA The Dean)

    Great stuff. I’ll have to re-read a bit more carefully to fully connect some of the dots. But well done. I love it when scumbags like this get taken down. Hopefully they’ll manage to keep some of these guys off the grid for awhile.

  3. Have to say, I prefer the relaxed black-leather-and-riotous greenery of the bad-old-days CyberBunker 1.0 to the way it is now. It looks like the set for some dystopian sci-fi movie, or a cheesy nightclub – so that must have been a very expensive refurbishment. It probably got some fashionable interior designer an award.

    • But, “Perception Sells” — as you pointed out, the original decor said “relaxed and comfortable” whereas the second generation says “22nd Century, no relaxing here — we take security seriously.”

      I’d much prefer a “college hacker” look — Empty Pepsi & Coke cans strewn around, along side partially eaten bags of Doritos & Lays Potato Chips. That says “We take your security seriously!”

      YMMV

  4. People seem to forget that CyberBunker[.]com hasn’t been run or owned by Xennt and CB3ROB in a long while.

    Domain was sold to BlazingFast[.]io who curiously enough haven’t been taken down… yet.

    They offered services through CB3ROB’s personal homepage and through word-of-mouth.

  5. Tumblr, MySpace, and GeoCities also hosted questionable content. Did you write pieces delighting in their demise? No. Your glee is selective.

    As for the server hosting, they all lie to some degree about physical security of their locations, environmental ‘green’ tech, carbon footprint, staffing levels, etc. to appear to be better than competition. These people lying about being in a bunker for 11 years, when they weren’t, doesn’t strike me as a particularly egregious lie. They all lie.

    They also all host bad things and they all know it. Some do more explicitly than others, but they all do it. It’s really an unavoidable consequence of having clients store encrypted files.

    Humans suck and there’s not much a hosting provider can do, other than prohibit it, pray the clients will obey, and remove known violators. But it’s still going to happen.

    The question in court will center on whether they were aware and did nothing, or tolerated it, or encouraged it. Since nothing much has been publicly released with details, any celebration of their arrest is very premature.

    • Those first sites didn’t advertise bulletproof hosting.

      • That’s true, somguy.

        But tumblr built up its user base on animated-style porn, salacious fan fiction of celebrities and even scantily dressed human photos. Some of the anime porn was of teenage characters. It got to be such a problem, they banned it all… 5 minutes after selling the company to yahoo. Of course, users abandoned ship, then it got sold to verizon, and today it’s literally worth pennies.

        MySpace got a reputation as the go-to site for a while where it managed to attract a ton of kids and perverts. The board did nothing to rid itself of child predation, until…. 5 minutes after it was sold to News Corp. Users rapidly abandoned the platform because it was considered skeevy and it was soon rendered worthless. Not even JT could revive it.

        And GeoCities had a file share and malware problem that they did nothing to stop. They also hosted a ton of “warez” back in the day. It, too, was sold to Yahoo, which cleaned it up, lost most of its most active users, and today doesn’t exist.

        All three are examples of the worst Internet acquisitions of all time, studied in business schools. All hosted files for criminals.

        They didn’t advertise themselves that way, but they tolerated it, allowed it to fester while building a user base, before eventually being forced to address their problems.

    • “Tumblr, MySpace, and GeoCities also hosted questionable content.”

      We eagerly await your hard-hitting counter piece where you substantiate this comparison by showing these sites actively seek out, encourage, and protect nefarious and brazenly illegal activity such as child pornography while wantonly disregarding law enforcement efforts.

      I have no doubt that, with all of the free time you seem to have being an edgelord on the internet, that you can return some wonderful results.

      • Brian Fiori (AKA The Dean)

        One also might ask Readership, were Tumblr, MySpace, and GeoCities closed by law enforcement? I do not recall that. Closing due to business concerns really isn’t Krebs’ bailiwick.

        I’d also ask him if Tumblr, MySpace, and GeoCities harbored, and protected, child porn.

        • You and jba, see above

          • Brian Fiori (AKA The Dean)

            Read again. Their demises weren’t the results of legal takedowns. Completely different situation. You might ask, WHY weren’t they taken down? But that’s another question entirely.

            And I think even you understand the major differences between those sites and what is going on the CyberBunker—designed, promoted and run as a haven for ne’er-do-wells. And it was taken down by law enforcement.

    • Tumblr, MySpace, and GeoCities also hosted questionable content. Did you write pieces delighting in their demise? No. Your glee is selective.

      Wow, only 3 sentences in, and you’ve already committed the Fallacy of False Equivalence, AND used that as the basis for blatantly obvious “whataboutism.”

      Your argument is akin to claiming that there’s no difference between a soldier & mob hitman, because they both kill people. Or that there’s no difference between a mob hitman and a person who jaywalked one time, because they both broke the law.

      As for the server hosting, they all lie to some degree about physical security of their locations, environmental ‘green’ tech, carbon footprint, staffing levels, etc. to appear to be better than competition. These people lying about being in a bunker for 11 years, when they weren’t, doesn’t strike me as a particularly egregious lie. They all lie.

      Given that the physical security of their facilities was one of their key selling points, and that said security was based on it being ostensibly located in a former military bunker, I’d say that is pretty egregious – bordering on fraud at best.

      That said, I honestly can’t summon a SINGLE shred of sympathy for their clientele – the only part I find regrettable is that they weren’t ripped-off more.

      They also all host bad things and they all know it. Some do more explicitly than others, but they all do it. It’s really an unavoidable consequence of having clients store encrypted files.

      On its own, that’s a valid point. I spend a significant amount of time reporting spam (at least an hour each day) and I’ve noticed that there are certain hosting providers who, while at least having official policies against spamming & other malicious use of their services, are not so great at actually enforcing those policies. Sadly, those include some of the biggest hosting providers – Amazon AWS, Bluehost, and especially OVH are prime examples, but not alone. To the point where I consider them & many large providers to be “bulletproof hosts” in practice, if not in official policy – yeah, they do “no spamming” prohibitions in their AUP/TOS, but in more of a “wink-wink, nudge-nudge” sort of way. As in, they might eventually get around to nuking a spammer’s account… weeks AFTER it’s reported to them, the damage has been done, and the spammer has long since moved to another provider. Not to mention providers who will pull BS like intentionally misunderstanding the nature of spam complaints – E.g. send a report to a host that there is a spamvertised website on their network, and 9 times out of 10 the response will be “the EMail didn’t originate from our network.” And don’t even get me started on CloudFlare or Google…

      All of that said, NONE of those details make Cyberbunker any better. Yeah, as bad as those providers are at dealing with malicious activities that they enable, CyberBunker is an order of magnitude worse.

      Humans suck and there’s not much a hosting provider can do, other than prohibit it, pray the clients will obey, and remove known violators. But it’s still going to happen.

      Sure… unless you’re a bulletproof hosting provider who takes an “anything goes” approach & has a consistent policy of not terminating offenders, even when they are known. Ya know, providers like Cyberbunker, the subject of the article you’re commenting on…?

      The question in court will center on whether they were aware and did nothing, or tolerated it, or encouraged it. Since nothing much has been publicly released with details, any celebration of their arrest is very premature.

      If that’s the only question that prosecution of the Cyberbunker admins will hinge on, then that will be an EXCEEDINGLY short court proceeding – since those details are not actually in question, barring whatever desperate arguments their legal counsel come up with.

      FFS, did you even bother to READ the article before commenting? This is hardly an innocent provider that’s being persecuted because of abuse of their system by third parties, and that’s not exactly a secret. Their business was deliberately geared toward the type of customers who would be quickly booted from above-board hosting providers, and they made no attempt whatsoever to hide that – hell, they openly advertised that.

      • Dean and Nick,

        You two make pretty convincing arguments and I’m feeling too lazy to rebut them. I’m not entirely sure I could, to be honest.

        But it is fun to play with you, so I’ll leave you with a bone to chew on: if the activity being done at this bunker was such a threat to a free society and its citizens, why was it allowed to continue operating for years?

        It wasn’t because of camouflage. Barbed wire fencing, exterior cameras, data transmission cables, the tremendous heat output, energy use.

        Underground doesn’t mean impossible to find or stop.

        Hell, all you really need to do is cut the cables to stop the threat to the public. Weld the bunker doors shut. Flood it. Drop explosives into their oxygen intake tubes.

        So why did authorities wait years?

        Hint: because it wasn’t a threat at all.

        The entry operation wasn’t about stopping a threat. It was about preserving evidence to enable punishment for making it possible for dark web businesses to conduct tax free transactions.

        The arrests and hoopla are not about protecting anyone other than the coffers of government. It’s about setting examples of what happens to those who hide from the tax man.

        Chew on it.

        • Brian Fiori (AKA The Dean)

          I can answer one quick question for you. “Why did they wait years…?”

          Well, at least for the FBI, the Feds wait until they have a case they KNOW they can win. They collect evidence and wait, and collect more evidence. The Feds rarely lose a case. PATIENCE is a virtue when it comes to these big cases.

          • You’re mixing up DOJ career pencil pushers and US attorney prosecutors with the DOJ’s FBI investigators. FBI won’t wait if there’s harm or potential harm to the public.

            Anyway, this isn’t a US case, and it’s not about anyone being harmed. That’s the flaw in KOS’ reporting and in the sources he quotes.

            They say this place was raided because it did bad things and promoted bad things. If that was true, it would’ve been a matter of urgency to shut it down.

            Who waits years before stopping perverts from harming children? Who waits years to protect drug addicts from those who facilitate their deaths?

            Instead, this was clearly an evidence gathering raid YEARS after it had first appeared on the radar of European law enforcement.

            That points to the obvious conclusion that the goal is to inflict retribution on those who avoid taxes, not stop harm.

  6. Good job on the take down! I don’t get the whole idea of a ‘cyberbunker’ for hosting, except as ‘ad copy’. The likelihood of discovery and take down is identical between a secure building in a city VS out in the country. If it’s a matter of avoiding municipal inspections, it could still be an old factory outside of town and refurbished to hosting standards.

    The game of follow-the-pipes-to-the-criminals still applies to either location.

    • I think at least part of the “bunker” idea for these kind of servers is selling the location as something like:

      The authorities will not be able to access it physically, we can just shut the massive bunker doors. The server room can’t be raided.

      • Yup. Sven at one point even declared that Cyberbunker was its own sovereign country.

      • “the authorities will not be able to access it physically, we can just shut the massive bunker doors. The server room can’t be raided.”

        Those same doors and bunker may be used as a barrier of exit. During law enforcement extraction a “supposedly” secure building may be used to wait out the perpetrator(s), gas them out, or get the perpetrators while outside. “…those arrested were apprehended outside of the bunker”.

        • The line I gave is the type of marketing these kind of “physically secure” sites would likely be using to get customers.

          Like almost all marketing it has little to do with how reality works.

      • Bunkers like castles are obsolete – they just attract attention from the enemy and can be bypassed and then starved out piecemeal. It would be like trying to block the Russians out of the Reich Chancellery and bunker in WW2. The number one means of survival for a criminal enterprise, would be several hidden escape routes; by then, you might have just wasted your time and money on a bunker.

        They would make a good doom’s day place to back up corporate and/or historic data records; but then the use there of, after disaster, may be pointless.

  7. First mistake: When you build a large, lavish bunker dedicated to illicit activities do not put the name “Cyber Bunker” in large letters on the outside.

    • It’s almost as good as a really large, illuminated and blinking red hand with index finger pointed at the front door, but not quite…

      • They are exploiting innocent men, women and children. Wisdom is not their forte. It would be better for them in the long run if they were sunk in the sea with a mill stone around their neck than where they will endup.

        Matthew 18:5-9 says it well.
        “Whoever receives one such child in my name receives me, but whoever causes one of these little ones who believe in me to sin, it would be better for him to have a great millstone fastened around his neck and to be drowned in the depth of the sea.
        “Woe to the world for temptations to sin! For it is necessary that temptations come, but woe to the one by whom the temptation comes! And if your hand or your foot causes you to sin, cut it off and throw it away. It is better for you to enter life crippled or lame than with two hands or two feet to be thrown into the eternal fire. And if your eye causes you to sin, tear it out and throw it away. It is better for you to enter life with one eye than with two eyes to be thrown into the hell of fire.

        I hope for their sake they repent.

  8. There aren’t enough swear words that apply to these MF’s. I hope they rot in hell. The sad thing is that the prison systems are probably cushy over in Deutschland. I hope they all get what they were doing to children in jail.

  9. “…German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com)…”

    It is also a network of routable Internet addresses (IPs):
    https://bgp.he.net/AS62454#_whois Netherlands, 2012

  10. “the 59-year-old main suspect in the case was believed to have links to organized crime.

    A 2015 exposé (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) …, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe”…

    OK, three years ongoing, as the investigation and crime continue by the same organized crime organization, year after year. How many years does it take to arrest a mobster, known by name and address, rhetorical?

  11. Over here in the states you can purchase a decommissioned nuclear rocket silo. This thing will take a direct hit from a 100 megaton nuclear warhead and still will or would be able to fire the rocket. You can buy one of these for about 250 thousand American dollars and it has security all around it. All you see is a road going to an old farmhouse and that’s it. It’s completely surrounded by razor wire. It goes 17 stories into the ground and had its own air and waste transfer and removal system. A lot of “preppers” are buying these and remaking them into luxury apartments per level (usually about 6000 square feet). Won’t need to heat it or cool it much as below ground it stays at a constant temp of 58 degrees. They make very nice apartment buildings….lolol

    • But you can still cut off the electricity (and the Internet connection) from the outside.

      • Nothing is a safe hide out for criminals, but as a survival bunker – the expectation is there won’t be external power or an internet.
        These places have their own power and filter (life support) systems.

  12. Sven Olaf von Kamphuis

    Post from cyberbunker guy
    https://imgur.com/SeQgBCA

    • With your Cyberbunker drugs and child p0rn are totally ok, but God forbid you get a single sbl listing on their ips.

  13. How was it possible for the German police to get into the bunker, and are the servers not encrypted?

    • Nick
      It was an operation which took 5 years in the making until the German elite forces GSG9 stormed the bunker.
      You won’t have time once the GSG9 shows up.

      • But it wasn’t the GSG9 that planned for 5 years how to get into the shelter; rather, the police needed 5 years to find out where the hoster was located and how they could charge the operator. I suppose the operator chose a deep-level military shelter as the location to protect the server farm against access by other people. So the question is why they purchased a military shelter to protect the farm when in the end all the employees go outside with the key to the main entrance in their pockets? I think without the key the police would have needed days to get into the server rooms. Precious time to delete all data or do other things…
        Another question is why the police were so confident in the press conference that they could find illegal data on the servers? Are the hard drives not encrypted?

  14. Fun article….by the middle I was half expecting to read about swastikas, lugers, jackboots and lord knows what else found in this (cough, cough) “bunker”. Maybe even Himmler was found still alive?!

    The word “Bunker”, though, lol, really, Brian?

    You surely had to stop yourself for a minute when writing this article and decide whether Hogan’s Heroes had actually decided to stay in Rheinland?

    Ahhh, possibly you’re too much a youngin’ to get the gist of what I’m writing here.

    Keep up the good work, though. Again, fun read.

    • If you take a look at the Imgur link above you’ll see this dude use the phrase “Zionist-NWO (new world order)” so it’s not far from swastikas and lugers, really.

  15. OK you can have a highly secure location, hundreds of servers, power, etc. You still need to connect to a major Internet service provider or providers probably on fiber cable or cables. To shut down a highly secure server farm why can’t authorities disconnect them so they have no significant Internet access?

    • The server farm was seized, “Some of the 200 servers seized”. Possibly, I suspect for further analysis, investigation, evidence…

  16. The Sunsine State

    Why would tier 1 internet providers do business such as peer/transit with such a location if for years they knew the Cyber-Bunker was doing illegal activity?

  17. That old devil, money. Lucked. But, good article. Nice write-up. Europe needs something like the old devil’s island again.

  18. Mr. Blaauw is tweeting about Kamphuis this morning:
    https://twitter.com/envirosec/status/1178624683484340237

  19. RIPE NCC internal reports show they knew about the criminal activities on the “bullet proof” servers. Got to wonder if the other companies like Private Layer will be next.

    https://ripe77.ripe.net/presentations/134-RIPE77_Anti_Abuse_WG.pdf

    • Ridiculous presentation… he mentions legit networks (Webzilla, for example, owns multiple datacenters and is far from blackhat), and doesn’t even understand how IP addressing works.

  20. That was perhaps the largest ddos to date, Sven got blamed for that… nobody expects the Spanish Inquisition, not even him I suppose. There’s still some footage of the Spain arrest, looks a bit like this report. (stamps)

    73s sven

  21. Windpowered bunker?

    Just wanted to comment that for Guido B. to completely blow the back flap of his suit out, (observe picture), might be an indicator of how the off-grid-bunker was powered, and thus why it was more difficult to find.

  22. Crazy: The confiscated domains are back. Visit the URLs and there is this text: “SEIZED BACK BY THE GOVERNMENT OF CYBERBUNKER”
    How is that possible? Weird.

    They delete the entries at archive.org and thus evidence! Better make a backup fast.

  23. http://www.cb3rob.org/ is in the hands of the bad guys with a message “site seized back by the government of cyberbunker”

    The site used to announce that it had been seized by federal cybercrime investigators from Germany. But it has been seized back.