CyberBunker

[Image: The former NATO bunker in Zeeland that housed CyberBunker]
[Image: Entrance to the CyberBunker bunker]

CyberBunker was an Internet service provider located in the Netherlands and Germany that, according to its website, "hosted services to any website except child pornography and anything related to terrorism". The company first operated in a former NATO bunker in Zeeland, from which it got its name, [1] and later in another former NATO bunker in Traben-Trarbach, Germany. Sven Olaf Kamphuis referred to CyberBunker as the Republic of CyberBunker and referred to himself as the Minister of Telecommunications and Foreign Affairs. [2] [3]

CyberBunker served as a web host for The Pirate Bay and as one of the many WikiLeaks mirrors. [4] CyberBunker has also been accused of being a host for spammers, botnet command-and-control servers, malware, and online scams. [5] The company has also been involved in Border Gateway Protocol hijacks of IP addresses used by Spamhaus and the United States Department of Defense. [6] The Spamhaus hijack was part of an exceptionally large distributed denial of service attack launched against Spamhaus in March 2013. Because of its size, the attack received considerable mainstream media attention.
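
The prefix hijacks mentioned above are the kind of event a prefix holder detects by comparing what the global routing table shows against the origin ASNs it has authorised, which is what a Route Origin Authorization (ROA) expresses. The following is an added example of that check, written here for this article and not taken from it or from any party it names; every prefix, ASN and announcement is constructed sample data, and the three result states follow the RFC 6811 convention.

```python
"""Route-origin validation for BGP announcements (RFC 6811 style).

Added example: all prefixes, ASNs and announcements are constructed
(TEST-NET ranges and private-use ASNs), not data from the article."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """Which origin AS the holder authorises for a prefix, and how long a
    more-specific announcement may be (the ROA maxLength field)."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int


@dataclass(frozen=True)
class Announcement:
    """A route as seen at a BGP collector; the last AS in the path is the origin."""
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]


def validate(ann: Announcement, roas: Iterable[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # nobody has registered a ROA for this space
    origin = ann.as_path[-1]
    for r in covering:
        if r.origin_as == origin and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def describe_invalid(ann: Announcement, roas: Iterable[Roa]) -> str:
    """Tell a responder which of the two hijack patterns an invalid route is."""
    origin = ann.as_path[-1]
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if any(r.origin_as == origin for r in covering):
        return "more-specific than allowed by maxLength"
    return "origin AS %d not authorised for this space" % origin


def audit(announcements: Iterable[Announcement], roas: Iterable[Roa]) -> List[dict]:
    """Classify every announcement; 'invalid' entries are candidate hijacks."""
    findings = []
    for ann in announcements:
        state = validate(ann, roas)
        entry = {"prefix": str(ann.prefix), "origin_as": ann.as_path[-1], "state": state}
        if state == "invalid":
            entry["reason"] = describe_invalid(ann, roas)
        findings.append(entry)
    return findings


# Constructed sample data: one ROA and four observed routes.
ROAS = [Roa(ipaddress.ip_network("192.0.2.0/24"), 64500, 24)]
ANNOUNCEMENTS = [
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64510, 64500)),    # legitimate
    Announcement(ipaddress.ip_network("192.0.2.0/25"), (64510, 64500)),    # too specific
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64510, 64496)),    # wrong origin
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64510, 64511)),  # no ROA at all
]

if __name__ == "__main__":
    for finding in audit(ANNOUNCEMENTS, ROAS):
        print(finding)
```

A more-specific announcement wins longest-prefix matching even when the origin is correct, which is why maxLength is part of the check and why a ROA should not be looser than the prefixes actually announced.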

As of 2013, CyberBunker listed its address as the bunker, but the location of CyberBunker's servers was unclear. [7]

In September 2019, the German police stormed and shut down the company's operations in its bunker in Traben-Trarbach. Seven suspects were arrested. [8]

History

Dutch bunker (CB-1)

In 1995, Herman-Johan Xennt bought a 20,000-square-foot (1,900 m2) bunker just outside the small town of Kloetinge in the south of the Netherlands. Built in 1955 and formerly used by NATO, [9] [10] the bunker had originally served as a wartime Provincial Military Command Center (Dutch: Provinciaal Militair Commando) of the Dutch military and was built to withstand a nuclear attack. [11] The Dutch military decommissioned the bunker in 1994. [12]

With collaborators, Xennt formed the CyberBunker company within the bunker, to offer "bulletproof hosting" of web sites. [9] [10] The company's customers during the 1990s consisted largely of pornography web sites. [9] [10] Its policy was to accept any web site except those related to child pornography and terrorism. [13]

In 2002, a fire broke out in the Dutch bunker. After the fire was put out, it was discovered that, besides Internet hosting services, an MDMA laboratory had been in operation there. [14] [9] [10] Three of the four men charged with operating the lab were sentenced to three years in prison; the fourth was acquitted for lack of evidence. [15] Following the fire, the local town denied the company a business license, and the CyberBunker servers were moved to above-ground locations, including Amsterdam. [9] [16]

In its publicity, the company continued to claim that it operated from the bunker. [16] On 29 March 2013, the secure data storage company BunkerInfra issued a press release stating that it had owned the Kloetinge bunker since 2010, that any claims made by CyberBunker regarding continued use of the complex were false, and that CyberBunker had not operated from the bunker since the fire in 2002. [17] Businessweek reported BunkerInfra as stating that the bunker was "full of junk" when they acquired it, and quoted Guido Blaauw, their general manager, as saying that the CyberBunker publicity material was "all Photoshop". [18]

The Pirate Bay

In October 2009, the BitTorrent tracker The Pirate Bay, which had been subjected to legal action by various anti-piracy groups including the Dutch copyright organisation BREIN, moved its hosting from Sweden to CyberBunker. In 2010, the Hamburg district court ruled that CyberBunker, operating in Germany as CB3Rob Ltd & Co KG, was no longer allowed to host The Pirate Bay, subject to a 250,000 fine or up to two years' imprisonment for each infringement. [4]

Spamhaus

In October 2011, Spamhaus identified CyberBunker as providing hosting for spammers and contacted their upstream provider, A2B, asking that service be cancelled. A2B initially refused, blocking only a single IP address linked to spamming. Spamhaus responded by blacklisting all of A2B's address space. A2B capitulated, dropping CyberBunker, but then filed complaints with the Dutch police against Spamhaus for extortion. [19] [20]

In March 2013, Spamhaus added CyberBunker to its blacklist. Shortly afterwards, a distributed denial of service (DDoS) attack of previously unreported scale (peaking at 300 Gbit/s; an average large-scale attack is often around 50 Gbit/s, while the largest previously publicly reported attack was 100 Gbit/s) [21] was launched against Spamhaus's email and web servers using a Domain Name System (DNS) amplification attack; [22] [23] as of 27 March 2013 the attack had lasted for over a week. Steve Linford, chief executive of Spamhaus, said that they had withstood the attack. Other companies, such as Google, had made their resources available to help absorb the traffic. [23] The attack was being investigated by five different national cyber-police forces around the world. Spamhaus alleged that CyberBunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, was behind the attack; CyberBunker did not respond to the BBC's request for comment on the allegation. [23]

Cloudflare, an Internet security firm located in San Francisco, California, that was assisting Spamhaus in combating the DDoS attack, was also targeted. On 28 March 2013, CyberBunker's website went offline for a short period, possibly having become the victim of a DDoS attack itself. [24]
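
In a DNS amplification attack of the kind described above, the attacker sends small queries to open resolvers with the victim's address forged as the source, so each resolver answers the victim with a response many times larger than the query. The operator of a resolver therefore sees the victim as a "client" that is receiving far more bytes than it sends. The following is an added example of that detection, written for this article rather than taken from it or from any organisation it names; the log format, addresses, names and byte counts are all constructed.

```python
"""Detect a resolver being used as a DNS amplification reflector.

Added example with a constructed log format: one line per answered query,
carrying the client address, query name, query type and the sizes of the
request and the response. Nothing here is taken from the article."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)"
    r"\s+req_bytes=(?P<req>\d+)\s+resp_bytes=(?P<resp>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed log line; return None for anything malformed."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "client": m["client"], "qname": m["qname"], "qtype": m["qtype"],
        "req": int(m["req"]), "resp": int(m["resp"]),
    }


def find_reflection_victims(lines: Iterable[str], min_queries: int = 5,
                            min_ratio: float = 10.0) -> List[Dict]:
    """Return clients whose received bytes dwarf what they sent.

    Such a client is almost certainly a spoofed source, i.e. the victim of an
    attack reflected through this resolver. The remedy is on the resolver
    side: refuse recursion to outside networks and apply response rate
    limiting, so the resolver stops amplifying traffic toward that address."""
    stats = defaultdict(lambda: {"n": 0, "req": 0, "resp": 0, "any": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the sweep
        s = stats[rec["client"]]
        s["n"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
        s["any"] += int(rec["qtype"] == "ANY")  # ANY answers are the largest
        s["names"].add(rec["qname"])
    findings = []
    for client, s in stats.items():
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        if s["n"] >= min_queries and ratio >= min_ratio:
            findings.append({
                "client": client,
                "queries": s["n"],
                "amplification": round(ratio, 1),
                "any_fraction": round(s["any"] / s["n"], 2),
                "distinct_names": len(s["names"]),
            })
    return sorted(findings, key=lambda f: -f["amplification"])


# Constructed sample: three ordinary lookups, one junk line, and a burst of
# ANY queries whose forged source address is the real target of the traffic.
SAMPLE_LOG = [
    "2013-03-27T10:00:01Z client=198.51.100.5 qname=www.example.net qtype=A req_bytes=50 resp_bytes=120",
    "2013-03-27T10:00:02Z client=198.51.100.5 qname=mail.example.net qtype=MX req_bytes=52 resp_bytes=140",
    "2013-03-27T10:00:03Z client=198.51.100.5 qname=example.net qtype=AAAA req_bytes=48 resp_bytes=110",
    "2013-03-27T10:00:04Z resolver restarted",
] + [
    "2013-03-27T10:00:%02dZ client=203.0.113.7 qname=example.org qtype=ANY req_bytes=60 resp_bytes=3000" % i
    for i in range(10, 16)
]

if __name__ == "__main__":
    for finding in find_reflection_victims(SAMPLE_LOG):
        print(finding)
```

A single name queried repeatedly with type ANY, as in the sample burst, is the classic signature; a benign client with a high ratio and many distinct names is more likely a mail server doing legitimate lookups, so both fields are reported.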

On 25 April 2013, Sven Olaf Kamphuis, a vocal spokesman for CyberBunker, was arrested near Barcelona by Spanish police at the request of Dutch authorities, after collaboration through Eurojust. [25] An anonymous press release uploaded to Pastebin.com the following day, demanding the release of Kamphuis, threatened more large-scale attacks should he remain in custody. [26] [27] The Spanish authorities reported that Kamphuis operated from a well-equipped bunker and used a van as a mobile computing office; no further information on this bunker was provided. [28] In September 2013, it was revealed that a second arrest had been made in April in relation to the Spamhaus attack, the suspect being a 16-year-old from London. [29] [30] Kamphuis was held for 55 days awaiting extradition to the Netherlands and was later found guilty and sentenced to 240 days in prison. His sentence was suspended, with credit for the 55 days served. [31]

Traben-Trarbach bunker (CB-3)

In 2013, the company purchased its second bunker, in Traben-Trarbach, Germany. [9] As early as 2015, German cybercrime investigators obtained a warrant to investigate the company by tapping its Internet traffic in and out of the bunker. [9] During this time, the company's clients are claimed to have included the dark web marketplaces Wall Street Market, Cannabis Road and Flugsvamp, as well as Fraudsters, a forum for exchanging illegal drugs, counterfeit money and fake identification. [9] [32] The Irish criminal George Mitchell, who lived for a while in Traben-Trarbach, [33] approached Xennt about running an encrypted phone business. [9] The back end of the encrypted messaging app Exclu was run on CyberBunker's servers. [34]

In September 2019, 600 German police officers raided the bunker. [16] Seven people were arrested in the raid. [35] Police later said that the bunker was the location from which a late 2016 denial of service attack on Deutsche Telekom had been launched. [35]

In 2021, Xennt and six other defendants were convicted of having formed a criminal organization, but were acquitted of having aided and abetted the crimes committed on their servers. They received sentences between 28 and 59 months in prison. [36]

In December 2023, their site became active again under cyberbunker.pro and cyberbunker.world. [citation needed]

Documentary

The Netflix documentary Cyberbunker: The Criminal Underworld was released in 2023. It contains interviews with the investigating prosecutor and police officers, the mayor of Traben-Trarbach, journalists, Xennt, and other members of his organization. Police revealed that they had planted an undercover gardener and a cleaning lady in the bunker and that they lured Xennt and his crew out of the bunker before the raid. [33]

References

  1. "CyberBunker datacentrum in Goes". DatacentrumGids.nl. Archived from the original on 23 January 2010.
  2. Brown, Stuart S.; Hermann, Margaret G. (29 October 2019). Transnational Crime and Black Spots: Rethinking Sovereignty and the Global Economy. Springer. ISBN 978-1-137-49670-6. Archived from the original on 17 April 2024. Retrieved 17 April 2024.
  3. Pfanner, Eric; O'Brien, Kevin (30 March 2013). "Provocateur Comes Into View After Cyberattack". The New York Times. Archived from the original on 30 March 2013. Retrieved 26 February 2017.
  4. "CyberBunker prohibited from providing internet access to The Pirate Bay" (PDF). Motion Picture Association of America. 13 May 2010. Archived from the original (PDF) on 1 June 2010. Retrieved 29 April 2014.
  5. "Listings for IPs under the responsibility of cb3rob.net". Spamhaus.org. Archived from the original on 30 August 2019. Retrieved 28 April 2013.
  6. "Looking at the spamhaus DDOS from a BGP perspective". BGPMon.net. Archived from the original on 5 August 2019. Retrieved 29 April 2013.
  7. Pfanner, Eric; O'Brien, Kevin J. (29 March 2013). "Provocateur Comes Into View After Cyberattack". The New York Times. Archived from the original on 30 March 2013. Retrieved 30 March 2013.
  8. "Mit 650 Einsatzkräften Cyberbunker in Traben-Trarbach gestürmt". rheinpfalz.de (in German). Archived from the original on 27 September 2019. Retrieved 27 September 2019.
  9. Caesar, Ed. "The Cold War Bunker That Became Home to a Dark-Web Empire". The New Yorker. Archived from the original on 29 September 2021. Retrieved 30 July 2020.
  10. "Brein bulletproofhoster Duitsland zat ook achter Cyberbunker". Emerce (in Dutch). Archived from the original on 19 September 2020. Retrieved 30 July 2020.
  11. "PMC-bunkerbezetting in Kloetinge: het verslag" (in Dutch). Archived from the original on 7 August 2011. Retrieved 28 March 2013.
  12. "Provinciaal Militair Commando". Forten.info (in Dutch). Archived from the original on 10 September 2018. Retrieved 28 March 2013.
  13. Wolff, Josephine (2018). You'll see this message when it is too late: The Legal and Economic Aftermath of Cybersecurity Breaches. MIT Press. p. 146. ISBN 978-0-262-03885-0. Archived from the original on 17 April 2024. Retrieved 14 June 2021.
  14. "Uitgebrande 'Cyberbunker' herbergde XTC-lab". Security.nl (in Dutch). Archived from the original on 17 April 2024. Retrieved 29 March 2013.
  15. "Cel wegens runnen XTC-laboratorium". OmroepZeeland.nl (in Dutch). Archived from the original on 4 March 2016. Retrieved 29 March 2013.
  16. Gallagher, Sean (30 September 2019). "German police seize "bulletproof" hosting data center in former NATO bunker". Ars Technica. Archived from the original on 10 June 2020. Retrieved 30 July 2020.
  17. "Cyberbunker not located in a bunker in Goes, the Netherlands". BunkerInfra.com. Archived from the original on 11 August 2013. Retrieved 29 March 2013.
  18. Riley, Michael; Matlack, Carol; Levine, Robert (4 April 2013). "CyberBunker: Hacking as Performance Art". Businessweek. Archived from the original on 6 April 2013. Retrieved 27 April 2013.
  19. "Dutch ISP Hits Spamhaus With Police Complaints". TechWeekEurope UK. Archived from the original on 9 December 2011. Retrieved 13 October 2011.
  20. Kovacs, Eduard (13 October 2011). "TPB Causes Argument Between Dutch ISP and Anti-Spam Organization". Softpedia. Archived from the original on 10 October 2019. Retrieved 10 November 2019.
  21. Williams, Rob (2013). "DDoS Attack Against Spamhaus Exposes Huge Security Threat On DNS Servers". Hot Hardware. Archived from the original on 29 September 2019. Retrieved 28 September 2013.
  22. Gallagher, Sean (28 March 2013). "How Spamhaus' attackers turned DNS into a weapon of mass destruction". Ars Technica. Archived from the original on 10 October 2019. Retrieved 14 June 2017.
  23. Lee, Dave (27 March 2013). "Global internet slows after 'biggest attack in history'". BBC News. Archived from the original on 1 October 2019. Retrieved 10 November 2019.
  24. "DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted". InformationWeek Security. Archived from the original on 1 October 2013. Retrieved 30 March 2013.
  25. Perlroth, Nicole (26 April 2013). "Dutch Man Said to Be Held in Powerful Internet Attack". The New York Times. Archived from the original on 27 April 2013. Retrieved 26 April 2013.
  26. "Official press release #freecb3rob". Pastebin.com. Archived from the original on 7 August 2019. Retrieved 26 April 2013.
  27. de Winter, Brenno. "Groep dreigt met 'grootste aanval ooit' om arrestatie hacker". Nu.nl (in Dutch). Archived from the original on 12 June 2018. Retrieved 26 April 2013.
  28. "Dutch suspect arrested in Spain over major cyberattack used well-equipped 'bunker' and van". The Washington Post / Associated Press. Retrieved 28 April 2013. (dead link)
  29. Ernesto (2013). "The Pirate Bay relocates to a nuclear bunker". TorrentFreak. Archived from the original on 30 April 2014. Retrieved 21 January 2015.
  30. Legge, James (2013). "London teenager arrested over huge cyberattack". The Independent. Archived from the original on 12 June 2018. Retrieved 28 September 2013.
  31. Paganini, Pierluigi (16 November 2016). "Hacker behind Spamhaus attack will not spend any time in the jail". Security Affairs. Archived from the original on 17 April 2024. Retrieved 17 April 2024.
  32. "Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute". theregister.com. Archived from the original on 12 August 2020. Retrieved 30 July 2020.
  33. "Cyberbunker: The Criminal Underworld". netflix.com. Archived from the original on 10 November 2023. Retrieved 12 November 2023.
  34. Vigliarolo, Brandon (7 February 2023). "Eurocops shut down Exclu encrypted messaging app". theregister.com. Archived from the original on 3 October 2023. Retrieved 11 November 2023.
  35. "Germany shuts down illegal data center in former NATO bunker". AP News. 27 September 2019. Archived from the original on 19 August 2020. Retrieved 30 July 2020.
  36. "Cyberbunker-Betreiber zu Haftstrafen verurteilt". golem.de (in German). 13 December 2021. Archived from the original on 11 November 2023. Retrieved 11 November 2023.

Coordinates of the Kloetinge bunker: 51°30′08″N 3°54′26″E (51.50216, 3.90718)