Posts Tagged: Santrex

Aug 16

The Reincarnation of a Bulletproof Hoster

In April 2016, security firm Trend Micro published a damning report about a Web hosting provider referred to only as a “cyber-attack facilitator in the Netherlands.” If the Trend analysis lacked any real punch that might have been because — shortly after the report was published — names were redacted so that it was no longer immediately clear who the bad hosting provider was. This post aims to shine a bit more light on the individuals apparently behind this mysterious rogue hosting firm — a company called HostSailor[dot]com.

The Trend report observes that the unnamed, Netherlands-based virtual private server (VPS) hosting provider appears to have few legitimate customers, and that the amount of abuse emanating from it “is so staggering that this company will remain on our watchlist in the next few months.”


What exactly is the awfulness spewing from the company that Trend takes such great pains not to name? For starters, according to Trend’s data (PDF), HostSailor has long been a home for attacks tied to a Russian cyber espionage campaign dubbed “Pawn Storm.” From the report:

“Pawn Storm seems to feel quite at home. They used the VPS hosting company for at least 80 attacks since May 2015. Their attacks utilized C&C servers, exploit sites, spear-phishing campaigns, free Webmail phishing sites targeting high profile users, and very specific credential phishing sites against Government agencies of countries like Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, and United Arab Emirates. Pawn Storm also uses the VPS provider in the Netherlands for domestic espionage in Russia regularly.”

“Apart from Pawn Storm, a less sophisticated group of threat actors called DustySky (PDF link added) is using the VPS provider. These actors target Israel, companies who do business in Israel, Egypt and some other Middle Eastern governments.”


Trend’s report on HostSailor points to a LinkedIn profile for an Alexander Freeman at HostSailor who lists his location as Dubai. HostSailor’s Web site says the company has servers in The Netherlands and in Romania, and that it is based in Dubai. The company first came online in early 2013.

Ron Guilmette, an anti-spam researcher who tipped me off to the Trend report and whose research has been featured several times on this blog, reached out to Freeman via email. Guilmette later posted to a mailing list the vitriolic and threatening response he said he received in reply.

A snippet from the response that Guilmette said he received from a HostSailor employee named Alexander Freeman.

Perhaps Mr. Freeman’s ire was previously leveled at Trend Micro, which could explain its redaction of the name “HostSailor” from its report. A spokesperson for Trend Micro declined to explain why the company redacted its own report post-publication, saying only that “at the time of publication, we were following our standard disclosure protocol.”

In any case, I began to suspect that “Alexander Freeman” was just a pseudonym (Trend noted this suspicion in its report as well). In combing through the historic WHOIS registration records for the domain, I noticed that the domain name changed hands sometime in late 2012. Sure enough, a simple Google search turned up a forum thread from Dec. 2012, started by a Jordan Peterson who says he’s looking to sell the domain.

Contacted by KrebsOnSecurity, Mr. Peterson said the person who responded about purchasing the domain was named Ali Al-Attiyah, and that this individual used the following email addresses:

“I remember Ali telling me he didn’t have a paypal so a friend sent me the money for the domain, I looked up the paypal info for you and [Ali’s friend’s] name is Khalid Cook,” Peterson told me. “The legal information for the domain transfer was given as:

152-160 City Road
London ec1v 2nx

That street address corresponds to a business that offers call answering services for companies that wish to list a prestigious London address without actually having a physical presence there.

Ali Al-Attiyah is listed as the official registrant of the HostSailor domain and several other very similar domains. More interesting, however, is the email address given for Mr. Khalid Cook: according to a “reverse WHOIS” search, that Yahoo email address was used in the original registration records for exactly one domain, the one belonging to Santrex.

Santrex (better known to forum users as “Scamtrex“) was an extremely dodgy “bulletproof hosting” company — essentially a mini-ISP that specializes in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies. At the time, Google’s Safe Browsing data warned that almost 90 percent of the sites on Santrex’s network were attempting to foist malicious software on visitors or were hosting malware used in online attacks.

Santrex was forced out of business in early 2013, after the company’s core servers were massively hacked and the PayPal and credit card accounts it used to accept payments from customers were reportedly seized by unknown parties. In its final days as a hosting provider, Santrex’s main voice on the forum — a user named “khalouda” — posted many rants that eerily echo the invective leveled at Guilmette by HostSailor’s Mr. Freeman.

Google’s take on the world’s most densely malicious networks over the past 12 months.



Jul 15

Hacking Team Used Spammer Tricks to Resurrect Spy Network

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.


Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits is essentially a remote-access Trojan designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police — also known as the “Carabinieri” — an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control server at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the Carabinieri to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the Carabinieri and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” in which one ISP fraudulently “announces” via the Border Gateway Protocol (BGP) to the rest of the world’s ISPs that it is the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.
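The two checks a network operator would run against the scenario just described, as an added example that is not part of the original post and not anything Hacking Team, Santrex or OpenDNS published: route origin validation of each announcement against signed route origin authorizations (RPKI ROAs, the RFC 6811 procedure), and a simpler comparison that asks whether a prefix reappeared under a new origin after its last holder went dark. All prefixes, ASNs and the ROA table are constructed sample data. The caveat a practitioner should take from it is the “not-found” result: address space whose holder never registered a ROA, the usual state of abandoned ranges, is not protected by origin validation at all, which is why the second check exists.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not the page's real networks): RFC 5737 documentation
# prefixes and ASNs from the documentation (64496-64511) and private-use
# (64512-65534) ranges stand in for the holder, the defunct network and the hijacker.

@dataclass(frozen=True)
class Roa:
    """Route origin authorization: 'asn' may originate 'prefix' and any
    more-specific prefix down to 'max_len' (RPKI ROA semantics)."""
    prefix: str
    max_len: int
    asn: int

@dataclass(frozen=True)
class Announcement:
    """A route as seen at a collector; the right-most AS in the path is the origin."""
    prefix: str
    as_path: tuple

ROAS = [
    Roa("203.0.113.0/24", 24, 64500),   # the legitimate holder's block
    Roa("198.51.100.0/24", 25, 64501),  # may be announced as a /24 or as two /25s
]

def origin_state(ann, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    'not-found' is the caveat that matters for the scenario in the post: space
    whose holder never registered a ROA (typical of dormant, abandoned ranges)
    looks exactly like this, so origin validation alone does not catch its hijack.
    """
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"

def resurrected_prefixes(last_known_origin, announcements):
    """Second check: a prefix last seen originated by a network that went dark
    reappears with a different origin AS. Returns (prefix, old_asn, new_asn)."""
    found = []
    for ann in announcements:
        old = last_known_origin.get(ann.prefix)
        if old is not None and old != ann.as_path[-1]:
            found.append((ann.prefix, old, ann.as_path[-1]))
    return found

def review(announcements, roas=ROAS, last_known_origin=None):
    """Run both checks; returns {prefix: reason} for anything that needs a look."""
    findings = {}
    for ann in announcements:
        state = origin_state(ann, roas)
        if state != "valid":
            findings[ann.prefix] = f"origin AS{ann.as_path[-1]} {state}"
    for prefix, old, new in resurrected_prefixes(last_known_origin or {}, announcements):
        note = f"previously originated by AS{old}, now AS{new}"
        findings[prefix] = f"{findings[prefix]}; {note}" if prefix in findings else note
    return findings

SAMPLE = [
    Announcement("203.0.113.0/24", (64510, 64500)),   # legitimate
    Announcement("203.0.113.0/24", (64510, 64666)),   # same block, wrong origin
    Announcement("198.51.100.0/26", (64510, 64501)),  # right origin, more specific than allowed
    Announcement("192.0.2.0/24", (64510, 64666)),     # no ROA at all: the dormant-space case
]
LAST_SEEN = {"192.0.2.0/24": 64499}  # origin recorded before AS64499 went dark

if __name__ == "__main__":
    for prefix, reason in review(SAMPLE, ROAS, LAST_SEEN).items():
        print(f"{prefix}: {reason}")
```

Run stand-alone it lists three findings: the wrong-origin announcement and the too-specific /26 are “invalid”, while the /24 that AS64499 used to originate is only “not-found” under origin validation and is caught solely because the operator kept a record of who last announced it. Real deployments feed the same logic from a route collector or BMP stream and from the RPKI validator’s cache rather than from the literals here.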

Oct 13

‘Bulletproof’ Hoster Santrex Calls It Quits

Santrex, a Web hosting provider that has courted cybercrime forums and created a haven for a nest of malicious Web sites, announced last week that it is shutting its doors for good, citing “internal network issues and recent downtime.”

Google’s take on the world’s most densely malicious networks over the past 12 months.

Couldn’t have happened to a nicer company. Rarely has a Web hosting firm so doggedly cornered the market on so-called “bulletproof hosting” services. These are essentially mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

If there were a Hall of Infamy for hosting providers, Santrex would be near the top. That’s hardly an exaggeration: According to Google — which tracks top malicious hosts via its safebrowsing program — Santrex was among the Internet’s top three most malicious hosts over the past year. Google’s data indicates that nearly 90 percent of the sites on Santrex’s network tried to foist malicious software on visitors, or hosted malware that was used in attacks against other Web sites.

I first read the news of Santrex’s demise in a forum thread titled “Ding! Dong! Santrex is Dead!” I followed up with Santrex via its Web site, and asked for confirmation that the closure was for real. I received a reply from Mikkel Thomsen, a sales rep at Santrex, who stated simply that, “Yes we are no longer offering any services.”

My guess is that after years of turning a blind eye to abuse complaints about malware and dodgy customers on its network, Santrex found that most — if not all — of its assigned Internet address space was listed on one blacklist or another. A search for “Santrex” on the same forum, for example, shows that many users know this ISP by a different name: “Scamtrex.”

Prior to its demise, it appears that Santrex played one last scam on its customers and the rest of the world. Santrex was founded in the United Kingdom in 2009. According to documents obtained from Companies House, the entity which maintains records on U.K. firms, Santrex was declared insolvent by a U.K. court as far back as April 22 of this year.

Apparently, the hosting provider neglected to pay its bills to Bellcom UK Ltd., a London-based data center infrastructure provider. The court ordered Santrex’s assets to be liquidated. Perhaps that explains Santrex’s problems with the “internal network issues and recent downtime,” they cited in their emails to customers.

Santrex was declared insolvent on Apr. 22, 2013. Source: Companies House.

Rest in pieces, Santrex. You will not be missed.

May 13

Conversations with a Bulletproof Hoster

Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers — the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.

Earlier this year, the closely guarded English-language crime forum Darkode was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, Darkode welcomed a new member, a bulletproof hosting broker, who promised to defend the site from future DDoS attacks. The broker also said he could offer more robust and crime-friendly hosting services than Darkode’s previous provider, Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean. The broker’s timing was perfect: Darkode desperately needed both, and he seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting.


Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, the broker was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group Spamhaus.

Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of one bulletproof hosting provider in particular: a network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in The Netherlands. The broker is a moderator of the Stophaus forum, and not long after joining Darkode he was recruiting fellow members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of 0ptik’s domains, as well as virtually all of the IP address ranges 0ptik had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.

In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger.

“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” the broker wrote in a posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup about the attack, he stated that “Some BP hosters were lately united, check out our latest prank.”

Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to the broker, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” he wrote in an online chat with KrebsOnSecurity.

If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that the broker himself very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.

According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.

“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys — Vincent Chan — fake Chinese products.”

Oddly enough, this coincides with the broker’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode, he referenced his bulletproof hosting sales threads at two Russian-language forums. In these threads, which began in Sept. 2012, he advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, he proudly announced that he was offering a premier BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB.
