Cybersecurity agencies across the globe collaborated to share new guidance on (and sanction more) Bulletproof Hosting (BPH) providers.

On November 19, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the US National Security Agency (NSA) and Federal Bureau of Investigation (FBI) released a guide, Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers (“BPH”) in partnership with other cybersecurity agencies across the globe, including Australia, Canada, the Netherlands, New Zealand, and the United Kingdom. The publication was developed by the Joint Ransomware Task Force, which was created as part of the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
BPH is a crucial tool for cybercriminals. A January publication by Australia’s Cyber Security Centre (ACSC) defined BPH providers as “a specific class of internet infrastructure service that enables malicious actors (including cybercriminals) to host illicit content and run operations on the internet.” The providers may lease IP addresses for criminal use and change networks to hide sensitive information (like location, identity, and activities) about the threat actors behind a cyber incident. BPH providers may also take advantage of the infrastructure of countries with more permissive policies around malicious cyber activity, and even of legitimate sources of infrastructure, like data centers, Internet Service Providers (ISPs), and cloud service providers.
The hosting infrastructure is not infallible, but it is still marketed as ‘bulletproof’ because the providers do not cooperate with legal authorities and largely ignore complaints about criminal activity on their networks. BPH providers give cybercriminals the foundation for a wide variety of crimes, including “obfuscation via fast flux techniques, command and control, malware delivery, phishing,” and frequently host “illicit content in support of a variety of malicious cyber activities, such as ransomware, data extortion, and denial of service (DoS) attacks.” According to the document, there has been an uptick in the use of BPH providers globally against critical infrastructure networks, financial institutions, and other high-value targets.
Mitigating BPH infrastructure is complicated because it is typically integrated into genuine, legal networks, each called an Autonomous System (AS). Each AS has a unique identifier, an Autonomous System Number (ASN), that could be used to stop malicious activity from BPH providers. However, blocking all traffic connected to one ASN would likely stop legitimate traffic as well, and BPH providers can still get a new, unflagged ASN from an internet registry in under a business week and simply shift their IP addresses to it.
Fortunately, the guide offers several recommendations for Internet Service Providers and Network Defenders:
- Use commercial and open source threat intelligence to make a list of likely malicious internet resources.
- Continuously analyze traffic to keep your organization’s malicious internet resources list up to date.
- Set up regular, automated reviews of the malicious internet resources list.
- Share your threat intelligence findings over public and private information channels.
- Keep track of ASNs and IP addresses in log entries and issue alerts in your organization’s centralized event logging system to support maintenance of the malicious internet resources list.
- Develop filters after a risk analysis of how much legitimate traffic would be limited, and set up a streamlined feedback process to respond to incorrectly filtered traffic.
- Ensure that upstream providers follow Secure by Design principles and internally limit the risks from BPH providers.
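As an added example (not code from the guide or any of the agencies), the following Python sketch combines three of the recommendations above: tagging log entries with the destination ASN, checking them against the organization’s malicious internet resources list, and honoring an allowlist fed by the feedback process for incorrectly filtered traffic. Because blocking a whole ASN also drops legitimate traffic, an ASN-level match only raises an alert while a more specific prefix match blocks. Every prefix, ASN and log line is a constructed placeholder, and the prefix-to-ASN table stands in for a real routing or RIR feed.

```python
"""Added example: enrich connection logs with ASN data and check them against a
malicious internet resources list. All prefixes, ASNs and log lines are constructed."""
import ipaddress

# Constructed prefix-to-ASN table standing in for a real routing/RIR feed.
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("198.51.100.128/25"): 64502,  # more specific than the /24
    ipaddress.ip_network("192.0.2.0/24"): 64503,
}

# Constructed log lines: timestamp, source IP, destination IP, destination port.
SAMPLE_LOGS = [
    "2025-11-19T10:00:01Z 10.0.0.5 203.0.113.7 443",
    "2025-11-19T10:00:02Z 10.0.0.6 198.51.100.130 8443",
    "2025-11-19T10:00:03Z 10.0.0.7 198.51.100.200 443",
    "2025-11-19T10:00:04Z 10.0.0.8 192.0.2.1 80",
]

class ResourceList:
    """Malicious internet resources list plus the feedback-process allowlist."""
    def __init__(self, asns, prefixes, allow):
        net = ipaddress.ip_network
        self.flagged_asns = set(asns)
        self.flagged_prefixes = [net(p) for p in prefixes]
        self.allowlist = [net(a) for a in allow]  # traffic the filters caught incorrectly

def lookup_asn(ip_str):
    """Longest-prefix match: the most specific announced prefix wins."""
    ip = ipaddress.ip_address(ip_str)
    hits = [(n, a) for n, a in PREFIX_TO_ASN.items() if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def classify(ip_str, rl):
    """Return (asn, verdict): allowlist wins, a prefix hit blocks, an ASN hit only alerts."""
    ip, asn = ipaddress.ip_address(ip_str), lookup_asn(ip_str)
    if any(ip in n for n in rl.allowlist):
        return asn, "allow"
    if any(ip in n for n in rl.flagged_prefixes):
        return asn, "block"
    # Blocking an entire AS would also drop legitimate traffic, so only alert here.
    return asn, ("alert" if asn in rl.flagged_asns else "allow")

def process_logs(lines, rl):
    """Tag each 'ts src dst port' line with the destination ASN and verdict."""
    records = []
    for ts, src, dst, port in (line.split() for line in lines):
        asn, verdict = classify(dst, rl)
        records.append({"ts": ts, "src": src, "dst": dst, "dst_asn": asn, "verdict": verdict})
    return records
```

The enriched records carry the ASN alongside the IP, so the resources list can later be reviewed by ASN as well as by address, and the allowlist gives the feedback process a concrete place to record a correction.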
The guide also encourages ISPs to keep customers informed about the resource list and the filtering process, construct customer-operated filters, work with other ISPs to make a code of conduct around BPH abuse prevention, increase security around leasing ISP infrastructure, and use internet routing security best practices. The document concludes with links to resources from some of our partners (Australia, Canada, the UK) and free threat feeds before sharing country-specific contact options for help with cybercrime.
On the same day as the Bulletproof Defense publication, the US, Australia, and the UK announced coordinated sanctions on Media Land, a BPH provider based in St. Petersburg, Russia, along with part of its leadership team and three sister companies. The press release describes Media Land as “a key launching pad for ransomware”, as its services were used by LockBit, BlackSuit, and Play, and it was also behind a number of distributed denial-of-service (DDoS) attacks in the US, even targeting critical infrastructure.
Media Land was not the only sanctioned target; the US’s Office of Foreign Assets Control (OFAC) and the United Kingdom designated Hypercore Ltd. for acting as a front for Aeza Group. Aeza Group is another BPH service provider based in St. Petersburg, Russia, that was first sanctioned in July for working with Meduza and Lumma infostealer operators targeting the US defense industrial base and technology companies. The group “has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs.” Two companies (Smart Digital and Datavice), used by Aeza Group to establish technical infrastructure separate from Aeza Group itself, have also been sanctioned, alongside two Aeza leaders who worked on the rebranding.
John K. Hurley, Under Secretary of the Treasury for Terrorism and Financial Intelligence, praised the recent sanctions: “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries. Today’s trilateral action with Australia and the United Kingdom, in coordination with law enforcement partners, demonstrates our collective commitment to combatting cybercrime and protecting our citizens.”
This level of collaboration, a goal in CISA’s 2025-2026 International Strategic Plan, does in fact underscore a “commitment to combatting cybercrime” that has maybe been less obvious in what has been a tumultuous year for the US’s top cybersecurity agency. Hopefully, these sanctions and guidance on BPH providers will be effective in stopping these malicious networks.