Dutch Police Seize 250 Servers in Bulletproof Hosting Crackdown

Summary

– Dutch police seized approximately 250 physical servers from a bulletproof hosting service used by cybercriminals for complete anonymity.
– The service has been involved in over 80 cybercrime investigations since 2022, including ransomware, phishing, and child abuse content distribution.
– Bulletproof hosting providers ignore abuse reports, refuse law enforcement requests, and protect customers by not enforcing KYC policies.
– Thousands of virtual servers were also taken offline during the seizure, and forensic analysts will investigate the service's operators and clients.
– Although not officially named, sources indicate the service may be CrazyRDP, which is now offline and was known for no-KYC policies and criminal use.

A major bulletproof hosting service used exclusively by cybercriminals has been dismantled by Dutch law enforcement, resulting in the seizure of approximately 250 physical servers. This infrastructure, located in data centers in The Hague and Zoetermeer, supported thousands of virtual servers that have now been taken offline. The unnamed service has been linked to more than 80 cybercrime investigations since 2022, both within the Netherlands and internationally.

Bulletproof hosting providers deliberately ignore abuse reports and refuse to comply with law enforcement requests for content removal. They protect their clients by not enforcing Know Your Customer policies, allowing users to operate with complete anonymity. These services are popular among ransomware operators, malware distributors, phishing groups, spammers, and money laundering operations, many of whom pay using difficult-to-trace cryptocurrencies.

The investigation revealed that the seized infrastructure facilitated a range of serious criminal activities. These included ransomware attacks, botnet operations, phishing campaigns, and the distribution of child abuse material. The hosting company openly advertised that it would not cooperate with authorities, making it an attractive option for those seeking to evade detection.

During the operation on November 12, authorities confiscated the entire network of physical and virtual servers. Forensic analysts will now examine the seized equipment to gather intelligence about the service’s operators and their clients. No arrests have been announced in connection with this specific action at this time.

This crackdown occurred during the same week that Dutch police participated in Operation Endgame’s latest phase, which targeted malware families including Rhadamanthys, VenomRAT, and Elysium. In that separate investigation, authorities conducted nine searches at Dutch data centers, seizing 83 servers and 20 domain names. Police have confirmed these are distinct investigations despite their overlapping timing.

Although officials have not publicly identified the targeted hosting provider, sources indicate the seized servers belonged to CrazyRDP, a service that has since gone offline. CrazyRDP offered virtual private servers and remote desktop services while promoting client anonymity through no-KYC and no-logs policies. Customers could create accounts with just a username and password, so minimal identification was required.

The service had gained notoriety within cybercriminal circles, appearing in threat actor discussions as a recommended bulletproof hosting option. Multiple cybersecurity reports had previously identified CrazyRDP as supporting various malicious operations. Following the police action, the service’s official Telegram channel deleted all posts and redirected to a different channel discussing the sudden shutdown.

On the new channel, users expressed concern about the disruption, with some reporting they had more than 30 servers hosted on CrazyRDP’s infrastructure. Initial fears of an exit scam circulated among customers after support staff first blamed technical issues at the data center before ceasing communication entirely. One customer documented receiving assurances that their login problems would be resolved, followed hours later by an admission that there was no estimated time for a fix.

While Dutch authorities have not confirmed CrazyRDP as the targeted service, the timing of its disappearance aligns with the police operation, and the service has remained offline since the raid occurred.

(Source: Bleeping Computer)
