Full Report
Police in the Netherlands say they seized 127 servers this week that were used by Zservers, a bulletproof hosting service that was the subject of international sanctions issued Tuesday.
Analysis Summary
# Incident Report: Takedown of Bulletproof Hosting Provider ZServers
## Executive Summary
Law enforcement in the Netherlands executed a digital investigation culminating in the seizure of 127 servers belonging to ZServers/XHost, an alleged bulletproof hosting service. This action came immediately following international sanctions levied against the entity due to its known facilitation of criminal activities, specifically linking it to the LockBit ransomware operation and the Conti cybercrime gang. The incident resulted in the disruption of infrastructure used for various cybercrimes, including ransomware and botnet distribution.
## Incident Details
- Discovery Date: Over the course of a year-long digital investigation, culminating in seizures in February 2025.
- Incident Date: Servers seized Wednesday, February 12th, 2025 (report published Feb 13th, 2025).
- Affected Organization: ZServers/XHost (hosting provider).
- Sector: IT/Hosting Infrastructure.
- Geography: Amsterdam, Netherlands (Data center location).
## Timeline of Events
### Initial Access
- Date/Time: Investigation began approximately one year prior to February 2025.
- Vector: The service was explicitly advertised to criminals, offering anonymity and protection from law enforcement inquiries.
- Details: Customers could utilize ZServers/XHost for criminal activities, paying anonymously via cryptocurrency, knowing server owners would remain anonymous to authorities.
### Lateral Movement
Not explicitly detailed, but the infrastructure was confirmed to host malware related to ransomware, botnets, and other cybercrimes.
### Data Exfiltration/Impact
- What was stolen or damaged: The infrastructure facilitated operations for major cybercriminal groups, including LockBit and Conti. The impact was the disruption of their command and control and hosting infrastructure.
### Detection & Response
- How it was discovered: A long-term digital investigation by the Cybercrime Team Amsterdam, coinciding with U.S., U.K., and Australian sanctions announcements.
- Response actions taken: Dutch police seized 127 servers hosted at the Paul van Vlissingenstraat data center in Amsterdam on Wednesday.
## Attack Methodology
*Note: This section describes the methods used by the criminals exploiting the infrastructure, not the methods used by law enforcement.*
- Initial Access (by ZServers clients): Utilizing the hosting service for malicious operations.
- Persistence (by ZServers clients): Using the bulletproof nature of the host to maintain command and control.
- Privilege Escalation: Not detailed.
- Defense Evasion: The core business model of ZServers/XHost was advertising evasion of law enforcement inquiries.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed (Implied scope includes networks hosting LockBit/Conti activity).
- Collection: Data gathering related to ransomware and botnet command structures.
- Exfiltration: Not detailed.
- Impact: Hosting infrastructure for ransomware (LockBit) and sophisticated cybercrime gangs (Conti), as well as botnets.
## Impact Assessment
- Financial: Not disclosed, but significant disruption to criminal enterprises linked to LockBit/Conti.
- Data Breach: No specific victim data breach was detailed; the action targeted the criminal enablement platform rather than an individual victim organization.
- Operational: Disruption of 127 servers used by criminal actors.
- Reputational: Negative impact on the alleged administrators (Alexander Igorevich Mishin, Aleksandr Sergeyevich Bolshakov) and associated entities (Xhost Internet Solutions LP).
## Indicators of Compromise
- Network indicators: None were published in the source report; such indicators would typically consist of the domains or network infrastructure IP ranges used by ZServers/XHost.
- File indicators: Malware signatures related to LockBit or Conti affiliates operating from those servers.
- Behavioral indicators: Advertising services explicitly guaranteeing anonymity and immunity from law enforcement.
## Response Actions
- Containment measures: Seizure of 127 servers at the Amsterdam data center.
- Eradication steps: Taking the offensive infrastructure offline.
- Recovery actions: The investigation is ongoing, with police consulting the Public Prosecution Service to analyze data found on the seized servers. No arrests were announced at the time of reporting.
## Lessons Learned
- Key takeaways: International cooperation (evident through simultaneous sanctions) can effectively target the infrastructure supporting sophisticated cybercriminal operations like LockBit.
- What could have been done better: The service operated for a considerable time, necessitating a "long-term digital investigation" over the course of a year, indicating high levels of obfuscation by the targets.
## Recommendations
- Prevention measures for similar incidents: Intensify international scrutiny of hosting providers that explicitly market features designed to shield criminal operators from law enforcement action. Continue leveraging financial sanctions in conjunction with physical/digital law enforcement actions to dismantle cybercrime ecosystems.