Cybercriminals Conceal Malicious Web Traffic Right Under Our Noses

For years, gray-market services, commonly referred to as “bulletproof” hosts, have been pivotal for cybercriminals aiming to operate web infrastructure with minimal oversight. However, as global law enforcement agencies intensify their initiatives to combat digital threats, they have found ways to extract customer information from these hosts and have increasingly pursued the operators of such services with legal action. At the cybercrime-focused conference Sleuthcon, held in Arlington, Virginia, researcher Thibault Seret discussed the implications of this escalation and how it has prompted both bulletproof hosting providers and their criminal clientele to explore alternative methods of operation.

Instead of depending on hosting services that evade law enforcement scrutiny, some service providers have shifted towards offering specialized VPNs and other proxy solutions that help obscure and rotate customer IP addresses. These alternative infrastructures often either intentionally avoid logging traffic or amalgamate data from multiple sources. While the technology itself is not new, Seret and fellow researchers underscored the significant trend of cybercriminals transitioning towards these proxy services over recent years.

According to Seret, a researcher at Team Cymru, a key complication is that distinguishing between legitimate and malicious traffic on a proxy network is not technically feasible. He emphasized that the essence of a proxy service lies in its ability to obfuscate user identities, which enhances internet freedom but poses substantial challenges in identifying and analyzing harmful activities. This is a double-edged situation: while proxies provide greater anonymity, they simultaneously hinder detection efforts by organizations that rely on threat detection tools.

The predominance of proxies among cybercriminals is particularly noteworthy because these services also carry legitimate traffic, which complicates law enforcement efforts. This is especially true of “residential proxies,” which utilize a decentralized network running on consumer devices—ranging from outdated smartphones to budget laptops—to provide real, rotating IP addresses linked to homes and offices. While such services uphold users’ privacy, they inadvertently shield malicious activities by masking their origins.

By routing their malicious actions through residential IP addresses, attackers can obscure their activities from detection systems that monitor for unusual traffic patterns. Furthermore, the nature of decentralized proxy services diminishes the control and oversight that service providers have, making it increasingly challenging for law enforcement to derive actionable intelligence from these networks.
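As an added example, not from the article or from the researchers it cites: a small detector over constructed web-server log lines that flags a session whose requests hop across many unrelated IP addresses and ASNs within minutes, the pattern rotating residential proxies produce when per-IP monitoring is the only control. The log format, session ids, IPs and ASNs are constructed for illustration.

```python
"""Added example (not from the article): flag sessions whose requests arrive
from many unrelated IP addresses/ASNs in a short window, the signature that
rotating residential proxies leave when per-IP controls are the only check.
Log format, session ids, IPs and ASNs below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: "timestamp session_id client_ip asn"
SAMPLE_LOG = """\
2024-05-01T10:00:01 sess-A 203.0.113.10 AS65001
2024-05-01T10:00:09 sess-A 198.51.100.77 AS65002
2024-05-01T10:00:15 sess-A 192.0.2.201 AS65003
2024-05-01T10:00:22 sess-A 203.0.113.99 AS65004
2024-05-01T10:00:30 sess-A 198.51.100.5 AS65005
2024-05-01T10:00:03 sess-B 192.0.2.44 AS65010
2024-05-01T10:03:40 sess-B 192.0.2.44 AS65010
2024-05-01T10:05:12 sess-B 192.0.2.45 AS65010
"""

def parse_log(text):
    """Yield (timestamp, session, ip, asn) from the constructed log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sess, ip, asn = line.split()
        yield datetime.fromisoformat(ts), sess, ip, asn

def find_rotating_sessions(text, window=timedelta(minutes=5), min_ips=4, min_asns=3):
    """Return {session: (distinct_ips, distinct_asns)} for sessions that use at
    least `min_ips` IPs from at least `min_asns` ASNs inside one `window`.
    A home user moving from Wi-Fi to mobile touches one or two networks; a
    rotating residential pool hands out a new one per request."""
    by_session = defaultdict(list)
    for ts, sess, ip, asn in parse_log(text):
        by_session[sess].append((ts, ip, asn))
    flagged = {}
    for sess, events in by_session.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            ips = {e[1] for e in in_window}
            asns = {e[2] for e in in_window}
            if len(ips) >= min_ips and len(asns) >= min_asns:
                flagged[sess] = (len(ips), len(asns))
                break
    return flagged

if __name__ == "__main__":
    for sess, (n_ip, n_asn) in find_rotating_sessions(SAMPLE_LOG).items():
        print(f"{sess}: {n_ip} IPs across {n_asn} ASNs within 5 min")
```

Thresholds are illustrative; in practice they are tuned per application, and ASN enrichment would come from a GeoIP/ASN database rather than the log line itself.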

Experts have noted a substantial increase in the exploitation of residential networks by cybercriminals, with the last two to three years seeing a noticeable rise in attacks emanating from these sources. Ronnie Tokazowski, a researcher focused on digital scams, pointed out the difficulty in tracing attacks originating from residential IP ranges, especially when those ranges may overlap with legitimate users, such as employees of targeted organizations.

The utilization of proxies in cybercrime is not a new development. For instance, the US Department of Justice highlighted in 2016 that the use of a “fast-flux” hosting technique by the notorious “Avalanche” cybercriminal network complicated a sustained investigation into its activities. However, the evolution of proxies into widely accessible gray-market services marks a significant shift: attackers no longer need to build such infrastructure themselves.

Experts like Seret contemplate the implications this shift brings for law enforcement. While targeting known malicious proxy providers may draw parallels to prior efforts against bulletproof hosts, the broader challenge remains. Proxies encompass a wide range of internet services used by many, so dismantling a single malicious provider does not resolve the overarching complexities associated with cybercriminal use of these technologies.
