Given the seemingly ethereal nature of the internet, it can be easy to forget that behind every hack or cyberheist there’s a real wires-circuits-and-boards infrastructure.
To break into your computer, or that of a financial company, cybercriminals often use hacking tools hosted on a server in a data center somewhere. They also use servers to eventually store the files they steal, or to maintain the infrastructure behind more mundane threats such as spam emails.
In the 2000s, the so-called bulletproof hosters, who were the Swiss banks of the internet, offered storage with no questions asked, and, more importantly, refusing to answer questions or takedown requests from authorities. That’s how bulletproof hosters became the favorite hideouts for cybercriminals. Some have become part of internet folklore, such as the Cold War-era nuclear bunker that hosted the notorious spam haven CyberBunker, The Pirate Bay, or the self-proclaimed principality of Sealand and its data haven on an offshore platform.
But many of the early ones were taken down or forced out of business, and cybercriminals have since moved elsewhere.
The antivirus and consumer security company Norton, which is part of Symantec, took a look at the evolution of these hacker hideouts in its new documentary The Most Dangerous Town: Where Cybercrime Goes to Hide. Motherboard got an exclusive first look at the film, which is a fascinating—if a little melodramatic—attempt to track down these “hacker hideouts” and show us what they actually look like in the real world.
In 2016 hackers don’t use bunkers or offshore platforms anymore. They prefer to “hide in plain sight.”
The big question behind the whole documentary, of course, is whether the people and companies offering data storage should be held responsible for what happens within their walls of stacked servers. That’s a hard question to answer, according to Liam O’Murchu, a security researcher at Norton. In many cases, hosters need to juggle their business needs with those of the police or other authorities, and sometimes don’t even realize hackers are operating within their confines.
The documentary shows that in 2016 hackers don’t use bunkers or offshore platforms anymore. They prefer to “hide in plain sight,” as O'Murchu puts it. “So they’ll use legitimate hosting companies but they’ll try to disguise their purpose as being legitimate rather than nefarious.”
Essentially, cybercriminals now prefer to use regular hosting providers, perhaps even legitimate websites that they hacked, and hide their activities and malware by setting up various hops. So when authorities or security researchers are tracking down a cyberattack, they have to go through multiple proxies and locations.
Another tactic highlighted in the film is for corrupt hosters to use empty apartments as their business address, and move it around as soon as authorities come knocking at the door. This way, “attackers can move more quickly than the law-enforcement can create the paperwork,” O’Murchu said.
From bunkers to the cloud, it seems cybercriminals are still a step ahead of their hunters.
Clarification: This story has been updated to reflect that the documentary was produced by Norton, which is part of Symantec.