The Dutch National Police (Politie) has executed a major operation resulting in the seizure of 127 servers belonging to the notorious bulletproof hosting provider Zservers. The operation, conducted at Amsterdam’s Paul van Vlissingenstraat data center, follows recent sanctions imposed by the United States, United Kingdom, and Australia against the company.
Bulletproof Hosting: A Critical Link in Cybercrime Operations
Zservers, along with its British affiliate XHOST Internet Solutions LP, operated as a bulletproof hosting service — a term describing hosting providers that offer exceptional tolerance for malicious content and criminal activities. The company’s business model centered on providing anonymous infrastructure services to cybercriminals, facilitating the deployment of malware and operation of botnets while accepting cryptocurrency payments to obscure financial trails.
Connection to Major Ransomware Operations Uncovered
Preliminary forensic analysis of the seized infrastructure has revealed direct links to prominent ransomware groups including LockBit and Conti. These findings substantiate law enforcement’s assertions that Zservers was knowingly providing critical infrastructure support to some of the most destructive ransomware operations globally. The discovery highlights the crucial role that bulletproof hosting services play in enabling large-scale cybercrime campaigns. The Conti group’s tactics are documented in MITRE ATT&CK, illustrating how such hosting services underpin sophisticated threat actors.
Impact and Investigation Developments
The seizure has resulted in the immediate disruption of numerous malicious operations, with all websites previously hosted on the seized infrastructure now offline. Digital forensics experts in Amsterdam are conducting comprehensive analyses of the seized servers, which are expected to yield valuable intelligence about cybercriminal networks and potentially lead to further enforcement actions.
Who Is Affected: Victims of Zservers Clients and Other Bulletproof Hosting Users
Organizations and individuals whose data was handled by services relying on Zservers infrastructure are at heightened risk. This includes victims of LockBit and Conti ransomware campaigns as well as companies whose stolen credentials or exfiltrated data may have been stored on the seized servers. Any organization that received a ransom demand or detected Zservers-linked IP ranges in network logs should treat the incident as an active forensic matter.
Recommended Actions for Potentially Affected Organizations
- Search network and firewall logs for connections to known Zservers and XHOST IP ranges and document findings for law enforcement
- If your organization was previously targeted by LockBit or Conti, contact the relevant national CERT for guidance on accessing seized evidence
- Review endpoint telemetry for indicators of compromise associated with LockBit and Conti toolsets using threat intelligence feeds and cloud-native detection services
- Ensure ransomware incident response plans include steps for engaging law enforcement early, as seized infrastructure can yield decryption keys
- Rotate credentials and API keys for any systems that may have communicated with Zservers-hosted infrastructure
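The first action above, searching firewall logs for connections to Zservers and XHOST ranges and recording the findings per internal host, as an added Python example that is not part of the article: the IP ranges and the log lines are constructed placeholders (RFC 5737 documentation networks and a hypothetical key=value log format), since the article itself publishes no indicators.

```python
import ipaddress
import re
from collections import defaultdict

# PLACEHOLDER ranges: the article names no Zservers/XHOST IP ranges. These are
# RFC 5737 documentation networks; substitute the ranges published by your
# national CERT or threat-intelligence provider.
SUSPECT_RANGES = {
    "zservers-placeholder": ipaddress.ip_network("192.0.2.0/24"),
    "xhost-placeholder": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed sample firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-02-12T08:01:14Z action=allow src=10.0.5.21 dst=192.0.2.77 dport=443 proto=tcp
2025-02-12T08:02:03Z action=allow src=10.0.5.21 dst=93.184.216.34 dport=443 proto=tcp
2025-02-12T08:05:41Z action=deny src=10.0.7.9 dst=198.51.100.200 dport=8080 proto=tcp
2025-02-12T08:06:10Z action=allow src=10.0.7.9 dst=198.51.100.12 dport=22 proto=tcp
2025-02-12T08:07:55Z action=allow src=10.0.5.21 dst=192.0.2.77 dport=443 proto=tcp
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def match_range(addr):
    """Return the label of the suspect range containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((label for label, net in SUSPECT_RANGES.items() if ip in net), None)

def find_suspect_connections(log_text):
    """Return (hits grouped by internal source host, count of unparseable lines).

    Each hit keeps the full parsed record plus the matched range label, so the
    evidence can be handed to law enforcement without re-deriving it.
    """
    by_host, unparsed = defaultdict(list), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # unexpected format: count it rather than silently drop it
            continue
        label = match_range(m["dst"])
        if label:
            by_host[m["src"]].append({**m.groupdict(), "range": label})
    return dict(by_host), unparsed
```

Note that the denied connection to 198.51.100.200 is correctly not reported: it falls outside the /25, which is why exact CIDR matching rather than prefix string comparison matters.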