In November, 2025 Russia-based web host Media Land was sanctioned by several countries as a bulletproof service — the one hackers relied on to launch DDoS attacks and attack businesses in the United States and in allied countries. “Bulletproof” may refer to a VPN as well, as it usually means abuse resistant and private. Xeovo explains how genuinely reliable anonymous VPNs and hostings differ from bulletproof services — and why the real bulletproof operators are often not those who call themselves that.
What it is, and why VPN and Tor alone are not enough
Strictly speaking, VPNs don’t grant anonymity. What they can do is enhance privacy, and only if they don’t store activity data – or logs. No-logs VPNs and no-logs hosting providers don’t store records of your online activity once you connect, nor do they share data with third parties. They don’t log your IP address, browsing history, or traffic volume. That’s not great for marketing analytics, which is why some providers say they don’t keep logs — and then quietly do it anyway.
Nevertheless, even genuine no-logs providers retain minimal data, necessary for correct functioning. This may include connection timestamps, diagnostic reports, or basic account information. They can also obtain lists of IP addresses of infected devices from organizations that track malicious activity (such as ShadowServer.org) and block those IPs at the firewall or routing level — meaning, for example, that botnets simply won’t be able to connect to the VPN. They may also block ports based on abuse reports and restrict or rate-limit certain protocols.
This is what sets them apart from bulletproof VPNs and hosting providers. The latter don’t necessarily skip logging or use quantum-grade encryption — their key selling point is refusing to cooperate with authorities, skipping KYC checks, and quickly rotating blocked IPs. As a result, they mainly attract:
cybercriminals, such as ransomware groups and malware distributors,
state-sponsored operations,
Illegal markets, including drug sales.
Law enforcement agencies hunt these services down, but the process is slow. Seizure of the infrastructure of VPNLab.net and Safe-Inet required joint efforts by several countries and years of international coordination. The Dutch hosting provider Ecatel has been providing servers for hosting criminal content since 2005. The host ignores numerous complaints and refuses to cooperate with the police — and legally, under local law, it is not responsible for its clients’ actions.
Besides bulletproof, there are abuseproof services. They, too, ignore complaints, but within certain limits. For example, a hosting provider from the screenshot allows everything except child pornography, drugs, terrorism, mass scanning of websites for vulnerabilities and any cyberattacks targeting CIS countries. Bulletproofs’ Terms of Service are usually broader, and they formally stick to “no-terrorism” and “no child abuse materials” rules — at least on paper.
Shady VPNs and Hosting companies
Classic bulletproof VPNs are becoming rare. With modern cyber forensics, it’s often easier for attackers to run their own infrastructure than to trust third parties and create a single point of failure. Many clients now use bulletproof hosting to build their own VPNs or hijack servers instead. Still, the word “bulletproof” keeps popping up as a marketing gimmick — some services use it purely for marketing, to sound edgy and “ultra-secure.”
You won’t come across a rogue VPN in a “Top 10 anonymous VPNs 2025” roundup or a “Best VPN for privacy” list. Real bulletproofs don’t necessarily call themselves that. But they often explicitly state they ignore abuse reports, government requests and DMCA takedowns. Other hints include:
Tolerance for shady traffic. Regular VPNs try to prevent illegal use even if they don’t log users. Bulletproof providers simply don’t care.
No legal entity, or one registered offshore — Seychelles or the Cayman Islands. First, data regulation laws in such places are quite vague, but privacy laws might be strong. Second, the weaker the legislature, the easier it is to ignore international requests: if a service receives a takedown request, it responds that in their jurisdiction this is not considered a crime — or it simply doesn’t respond at all.
However, these services can be rather casually established if they do not expect to face consequences from a domestic court. For instance, Russian, North Korean, or other state-sponsored hackers whose attacks have a political nature may — in fact, must — rely on services based in their own jurisdictions. This summer, the United States imposed sanctions on Aeza Group, a Saint Petersburg–based hosting provider, and several affiliated companies in Russia and the UK. Aeza was accused of supporting cybercriminal activity: hosting ransomware infrastructure, a Russian darknet marketplace, and providing hosting to the operators of the Meduza and Lumma infostealers, who targeted the U.S. defense industrial base.
Shadow domain registrars. Bulletproof services choose murky domain registrars to avoid domain seizure. Regtime ltd, a Russian domain name registrar and hosting provider, was a registrar for safe-inet.com and safe-inet.net. Lolekhosted.net used Soluciones Corporativas IP, VPNLab.net used 1API GmbH. It’s not a 100% proof, insorg.org domain belonged to GoDaddy, but it’s a yellow light.
ASN (Autonomous System Number) registered to shell companies. An ASN is assigned to an ISP or large organisation to manage IP addresses. When admins see suspicious traffic from those IP ranges, they block the ASN. Bulletproof VPNs typically rotate and redirect traffic to other ASNs. For example, Ecatel’s network includes IP Volume Inc, Novogara and Quasi Networks, so when one hoster is blocked, clients are rerouted between hosts.
aurologic GmbH is one of such transit providers. When UK-based hosting provider DataCamp terminated its contract with Aeza Group, the Group partnered with aurologic to continue operations. Apart from Aeza, aurologic provides services including data centers to other high-risk networks associated with cybercrime and disinformation, enabling them to persist.
No presence outside the site except for Darknet forums — no social media, no collabs, no apps in the App Store or Google Play. Bulletproofs avoid marketing and unwanted attention.
Employment of mules — third parties who rent out their bank credentials and ID data to open hosting or financial accounts, sometimes using forged or stolen identities.
Payments mostly in cryptocurrency or peer-to-peer bank transfers.
Minimalist or outdated websites. Aesthetics are the last thing these guys care about.
Heavy use of professional terminology and technical jargon. Not a crime in itself, but it signals a very specific target audience.
Buying such a VPN or hosting to bypass blocks or watch series for free is like chasing a rabbit with a Minuteman III missile given to you by strangers in balaclavas. You won’t go to jail for it, you likely won’t face fines or criminal charges for casual use, but you might wake up to find the service, where you hosted your website, suddenly seized — and your website and privacy gone with it. Not to mention these services are usually far pricier than legitimate ones.
Exploitation
Bulletproof providers offer an all-in-one setup: hosting for C&C servers (command-and-control centers for managing infected devices) and VPNs for anonymous administration.
LolekHosted, a UK-based bulletproof hosting, was used to distribute the NetWalker ransomware, which infected around 400 organizations worldwide — including law enforcement and emergency services. The total ransom reached approximately 5,000 BTC. Attackers stored tools and stolen data on LolekHosted’s servers. In August 2023, U.S. authorities finally seized the domain LolekHosted.net after nearly a decade of use.
PQ.Hosting, a hosting provider registered in Moldova, ran servers in European countries, the U.S., and Russia. On 10 February 2022 the founders of PQ.Hosting registered a company, STARK INDUSTRIES SOLUTIONS LTD, in the UK. That firm began to provide free VPN and proxy services.
Soon after the full scale war began, Ukrainian resources experienced massive DDoS attacks. One of the most active hacker groups, NoName057, used Stark Industries’ infrastructure. The company’s addresses also hosted a domain connected to the Doppelganger network (fake websites of well-known media, including the Wall Street Journal and CNN). In May 2025 Stark Industries was blocked.
To be fair, hacker attacks are not always conducted via super-bulletproof services — sometimes attackers use legitimate servers, even AWS. Still, malwares such as Zeus, SpyEye, Citadel and the Blackhole Exploit Kit were distributed through black hosting. That company rented IP addresses, servers and domains to clients who used this technical infrastructure for criminal purposes. Using it, cybercriminals gained access to victims’ computers, built botnets and stole banking credentials.
So, if you’re looking for a VPN or hosting to set up your own (or for any other lawful purpose), choose a no-logs provider that:
has a subscription model. It’s important the service doesn’t profit from selling data;
is registered in a country that has strong privacy laws and no data-retention laws;
has passed security audits;
states in its Privacy Policy that it does not keep logs of online traffic or content.
When a product depends on reputation, it won’t risk customers or violate its stated policy, nor will it protect criminal clients. “Semi-legal” doesn’t mean super-protected and private.
Silence censorship. Protect your privacy and bypass restrictions with Xeovo VPN. Use code HBR-10 to get 10% off.
