
The Bulletproof Hosts That Went Quiet: Thirteen Days After Operation Riptide, Half Our Regular Offenders Vanished From the Edge

  • Writer: Patrick Duggan

We just brought our edge block telemetry back online after a two-week instrumentation gap, and the first thing worth doing with a restored sensor is to ask what changed while it was dark. The answer, when we lined up the providers our infrastructure has been rejecting over the last thirteen days against the bulletproof hosts that used to be regulars in our block data, is that a whole cohort of them has simply gone quiet. This is an observation, not a victory lap, and the distinction matters — so let me define the thing first, show you exactly what we saw, and then be honest about what it does and does not prove.



What a Bulletproof Host Actually Is


A bulletproof hosting provider is a company that rents servers and deliberately ignores abuse complaints. That is the entire product. A normal hosting company, when it receives a credible report that one of its customers is running a phishing page, a malware command-and-control server, or a ransomware leak site, will investigate and pull the plug, because its reputation and its upstream network connections depend on not being a cesspool. A bulletproof host inverts that incentive: it markets itself, quietly, on the promise that it will not pull the plug no matter who complains. It often operates from jurisdictions where the abuse reports have no legal teeth, advertises on Russian-language criminal forums, accepts cryptocurrency, and structures itself so that the people renting the servers and the people fielding the complaints never meaningfully interact.


The reason bulletproof hosting matters more than any individual piece of malware is that it is shared, finite infrastructure. Ransomware payloads are infinite and disposable — every crew forks and rebrands constantly. But the abuse-tolerant servers those crews stage their reconnaissance, their phishing, and their command-and-control from are a comparatively small and reused set. The same provider shows up behind dozens of unrelated campaigns. That is exactly why law enforcement has spent the last few years going after the infrastructure layer rather than the payloads, and it is why a hosting provider going dark is a more interesting signal than a single malware family going dark.



What We Observed


When autoblocking moved to our Cloudflare edge in late May, the index that recorded which providers we were rejecting went stale for about two weeks. We restored that feed this week by pulling the edge's own firewall block stream back into our searchable history, and we now have a clean thirteen-day window — May 27 through June 8, roughly ninety-seven hundred blocked events across a hundred and fifteen distinct networks.


Against that window we checked the bulletproof providers that had been steady, named offenders in our block data through the spring. A large group of them registered exactly zero blocked events over the entire thirteen days: DMZHOST, FlokiNET, Aeza, Stark, PQ Hosting, Chang Way, GTHost, Global Internet Solutions, RuHosting, FirstByte, and the BuyVM/Frantech pair. The most striking single number is M247, a sprawling host that abuse operators have long hidden inside: it produced roughly sixteen hundred of our blocks in the three weeks before May 19, and over the most recent thirteen days it produced three. Not three hundred. Three.


The cleanest signal in the whole set is DMZHOST, and it is clean precisely because it predates our instrumentation change. DMZHOST stopped appearing in our blocks on May 18 — the eve of the Operation Riptide takedown of the First VPN Service that twenty-five ransomware groups had been routing through — and it stopped while our old, consistent sensor was still running at full volume, recording fourteen thousand other block events that same day. A provider that goes from a steady presence to nothing, on a specific date, inside a measurement system that did not itself change, is the version of this signal you can actually lean on.



The Honest Caveat, Stated Plainly


Here is the part that keeps this an observation rather than a headline. The historical baseline for these providers comes from our previous blocking system — an IP-reputation engine that scored and blocked individual addresses. The recent thirteen-day window comes from our new edge firewall, which blocks by a different mechanism. When you change how you measure, the population you measure changes too, and some of a provider "disappearing" can be an artifact of the new sensor catching a different slice of traffic rather than the provider actually going away. We learned this lesson the hard way exactly once this month and we are not going to un-learn it for a better story. Absence from our edge blocks is not proof that a host was seized or shut down. It is proof that we are no longer rejecting traffic from it, which has several possible causes, only one of which is "it is gone."


What survives that caveat is the combination. DMZHOST's disappearance lands inside the consistent old sensor, on the takedown eve, which the measurement-change explanation does not touch. M247 collapsing by three orders of magnitude is a large enough move that a sampling difference is a strained explanation. And the timing of the broader cohort going quiet sits right on top of an international operation that physically seized thirty-three servers belonging to infrastructure that a couple dozen ransomware crews depended on. None of those is a court-grade attribution on its own. Together they are a coherent picture worth writing down and watching.



The Empty Slots Are Already Being Filled


The other half of the thirteen-day window is the more sobering half. While the old names went quiet, new ones moved straight into the top of our block list — providers like Bucklog SARL, which alone accounted for nearly fourteen hundred of our blocks, along with TECHOFF SRV LIMITED, UNMANAGED LTD, AYOSOFT LTD, and Advin Services LLC. Some of these are names that did not register meaningfully in our data a month ago. This is the part of the bulletproof economy that no takedown fixes: the demand for abuse-tolerant infrastructure does not evaporate when a provider is seized, it relocates. The crews that lost their shared VPN need a new place to stage from, and the market supplies one. A takedown is a real win — it imposes real cost, burns real infrastructure, and buys defenders real time — but it is a disruption, not a cure, and the new cabinets are already being wheeled into the empty slots.



What a Defender Should Take From This


The practical lesson is not "these specific hosts are safe now." It is that your highest-leverage threat-hunting surface is the abuse-tolerant infrastructure layer, because it is shared and finite, and watching it tells you about many adversaries at once. Maintain a living list of bulletproof and abuse-tolerant networks, weight your egress monitoring and your block decisions toward them, and — this is the part most teams skip — re-derive that list continuously, because it churns. The provider that was the dominant offender in your logs in April can be gone in June, and the provider that replaces it was a nobody until last week. We caught this churn only because we noticed our own sensor had gone dark and bothered to turn it back on; the discipline that produces the insight is not the fancy analysis, it is checking that the thing you rely on to see is actually still seeing. The named hosts will keep changing. The instinct to watch the infrastructure, and to verify your own instruments, is the part that lasts.
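As an added example, not tooling from the post or its author, the following script does the comparison described above and the "re-derive the list continuously" step: it counts per-provider blocks in a baseline window and a recent window over constructed events with placeholder provider names, flags collapses and newcomers, and treats a "quiet" provider as a clean signal only when its last block predates the old sensor's own final event, which is the DMZHOST test. The dates, the year, and the sensor labels are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample block events as (date, sensor, provider). Provider names are
# placeholders, not the hosts named in the post; the year 2025 is an assumption.
def _run(prov, sensor, start, days, per_day):
    return [(start + timedelta(days=i), sensor, prov)
            for i in range(days) for _ in range(per_day)]

EVENTS = (
    _run("host-quiet-clean", "ip_rep", date(2025, 5, 1), 18, 2)  # stops May 18
    + _run("host-quiet-late", "ip_rep", date(2025, 5, 1), 18, 1)
    + _run("host-quiet-late", "edge", date(2025, 5, 20), 3, 1)   # seen after swap
    + _run("host-collapsed", "ip_rep", date(2025, 5, 1), 18, 50)  # 900 then 3
    + [(date(2025, 5, 28), "edge", "host-collapsed"),
       (date(2025, 6, 2), "edge", "host-collapsed"),
       (date(2025, 6, 5), "edge", "host-collapsed")]
    + _run("host-newcomer", "edge", date(2025, 5, 27), 13, 10)
    + _run("host-steady", "ip_rep", date(2025, 5, 1), 19, 3)     # old sensor ran to May 19
    + _run("host-steady", "edge", date(2025, 5, 27), 13, 3)
)
BASELINE = (date(2025, 5, 1), date(2025, 5, 18))  # old IP-reputation sensor era
RECENT = (date(2025, 5, 27), date(2025, 6, 8))    # restored edge-firewall window

def churn_report(events, baseline, recent, old_sensor="ip_rep", collapse=100):
    """Map provider -> (baseline_count, recent_count, status). 'quiet:clean' is
    given only when the provider's last block predates the old sensor's own last
    event, so the measurement change cannot explain the disappearance."""
    base, rec, last_seen = defaultdict(int), defaultdict(int), {}
    old_sensor_end = max(d for d, s, _ in events if s == old_sensor)
    for d, sensor, prov in events:
        base[prov] += int(baseline[0] <= d <= baseline[1])
        rec[prov] += int(recent[0] <= d <= recent[1])
        last_seen[prov] = max(last_seen.get(prov, d), d)
    report = {}
    for prov in sorted(set(base) | set(rec)):
        b, r = base[prov], rec[prov]
        if b and not r:   # vanished: trust it only if the old sensor outlived it
            status = "quiet:clean" if last_seen[prov] < old_sensor_end else "quiet:check-sensor"
        elif b and r and b >= collapse * r:   # e.g. ~1600 blocks down to 3
            status = "collapsed"
        elif r and not b:
            status = "newcomer"   # an empty slot being filled
        else:
            status = "steady"
        report[prov] = (b, r, status)
    return report
```

Running `churn_report(EVENTS, BASELINE, RECENT)` on the constructed data yields one provider in each state; on real telemetry the "quiet:check-sensor" bucket is the one to re-examine before drawing any conclusion.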





