#2698: How Hackers Hide C2 Servers in Plain Sight

Bulletproof hosts, hijacked routers, and Discord channels — how command and control infrastructure stays up despite takedown attempts.

Episode Details
Episode ID: MWP-2859
Duration: 28:06
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: deepseek-v4-pro

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

Command and control (C2) servers are the backbone of most intrusions: the infrastructure that tells malware what to do next. If hosting providers can terminate servers used for malicious activity, why don't they simply shut them all down? The answer is a parallel infrastructure economy that has evolved over decades.

The first layer is bulletproof hosting: providers that explicitly market themselves as resistant to takedown requests. They operate in jurisdictions such as Russia, other former Soviet states and parts of Southeast Asia, where law-enforcement cooperation is minimal, and some openly advertise "no logs" policies and "ignore DMCA" terms of service. The surrounding anonymisation layer gets targeted too: DoubleVPN, a VPN service that had been advertised on cybercrime forums since 2015, was taken down in 2021 by a Dutch-led operation involving Europol and the FBI.

Beyond bulletproof hosts, attackers layer indirection on top. Fast-flux DNS rotates a domain's A records through hundreds of compromised IP addresses every few minutes, so anyone tracing a connection hits a short-lived front proxy while the backend server stays hidden behind it. Compromised IoT devices, WordPress sites and home routers become free C2 relays, with no hosting provider to complain to and owners who do not know their device is in use. Stolen cloud accounts on AWS or Azure let attackers run infrastructure until anomaly detection or the billing cycle exposes it, often weeks later.
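The fast-flux pattern above is detectable from resolution history alone: a name that keeps answering with new addresses, spread across unrelated networks, with TTLs short enough to rotate them, looks different from a CDN-fronted name. The following is an added example written for this page, not code from the podcast or any product it mentions. The passive-DNS observations, the `/24` prefix as a stand-in for network ownership, and the thresholds in `FLUX_RULES` are all constructed assumptions for illustration.

```python
"""Fast-flux scoring over passive-DNS observations (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer as a passive-DNS sensor would log it (constructed)."""
    ts: int      # unix seconds when the answer was observed
    name: str
    ip: str
    ttl: int     # TTL advertised in the answer


def constructed_observations():
    """Constructed sample: one flux-like name, one stable CDN-fronted name."""
    obs = []
    base = 1_700_000_000
    # flux-like.example: a fresh answer every 5 minutes, each from a different
    # /24 (standing in for different consumer ISPs), TTL 180 seconds.
    for i in range(12):
        obs.append(DnsObservation(base + i * 300, "flux-like.example", f"198.18.{i}.10", 180))
    # cdn-fronted.example: two stable addresses in one /24, TTL 3600, polled at
    # the same cadence so raw record count alone cannot separate the two.
    for i in range(12):
        ip = "198.51.100.10" if i % 2 == 0 else "198.51.100.11"
        obs.append(DnsObservation(base + i * 300, "cdn-fronted.example", ip, 3600))
    return obs


def flux_features(observations, name):
    """Reduce the resolution history of `name` to the signals fast-flux
    detection keys on: address count, network diversity, TTL and churn rate."""
    rows = sorted((o for o in observations if o.name == name), key=lambda o: o.ts)
    if not rows:
        raise ValueError(f"no observations for {name}")
    ips = {o.ip for o in rows}
    # /24 is a crude proxy for "different network"; ASN lookups are better in practice.
    prefixes = {str(ip_network(f"{o.ip}/24", strict=False)) for o in rows}
    span_hours = max((rows[-1].ts - rows[0].ts) / 3600, 1 / 60)
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(o.ttl for o in rows),
        "mean_ttl": float(mean(o.ttl for o in rows)),
        "new_ips_per_hour": len(ips) / span_hours,
    }


# Heuristic thresholds chosen for this example; tune them against your own data.
FLUX_RULES = {"distinct_ips": 5, "distinct_prefixes": 3, "max_ttl": 300}


def is_fast_flux(features, rules=FLUX_RULES):
    """Flag a name only when all three signals agree: many addresses, spread
    over many networks, with TTLs short enough to rotate them quickly.
    Requiring agreement keeps round-robin names (many IPs, long TTL) and
    busy-but-stable names (short TTL, few IPs) out of the result."""
    return (features["distinct_ips"] >= rules["distinct_ips"]
            and features["distinct_prefixes"] >= rules["distinct_prefixes"]
            and features["min_ttl"] <= rules["max_ttl"])


def flagged_names(observations, rules=FLUX_RULES):
    """Return the sorted list of names in the observation set that look fluxed."""
    names = sorted({o.name for o in observations})
    return [n for n in names if is_fast_flux(flux_features(observations, n), rules)]


if __name__ == "__main__":
    obs = constructed_observations()
    for n in sorted({o.name for o in obs}):
        feats = flux_features(obs, n)
        print(n, feats, "FLUX" if is_fast_flux(feats) else "ok")
```

Large CDNs also hand out many addresses with short TTLs, so the prefix (or ASN) diversity term does most of the discriminating: a CDN's addresses cluster inside its own networks, while a flux network's front ends are scattered across the consumer ISPs whose customers were compromised.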

The most sophisticated approach uses legitimate services as the C2 channel. Attackers embed commands in Discord channels, GitHub repositories, Notion pages or Twitter accounts, so the traffic looks like ordinary HTTPS API calls to trusted platforms that most organizations cannot block outright. A Mandiant report documented an APT group storing commands in Notion pages, with the malware polling the Notion API for encrypted instructions. The asymmetry is stark: the attacker needs one creative idea, while the defender must cover every channel, which pushes detection away from destination blocking and toward endpoint behaviour, meaning which process is talking to which service and how regularly.
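When the destination is a trusted SaaS API, the remaining signals are who is talking and how. Malware polling a page for instructions produces a tight cadence from a process that has no business calling that API; a human using the same service produces irregular bursts from the expected client. The detector below is an added example written for this page, not code from the podcast or from Mandiant. The log format, the workstation and process names (including `acctsync.exe`), the `EXPECTED_PROCS` allow-list and the thresholds are constructed assumptions.

```python
"""Beacon and unexpected-process detection over endpoint network telemetry (added example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry lines, one per outbound HTTPS connection, in an invented format:
# "<unix_ts> host=<workstation> proc=<image> dst=<fqdn> bytes_out=<n> bytes_in=<n>"
LOG = """\
1700000000 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000005 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=812 bytes_in=44010
1700000022 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=640 bytes_in=9120
1700000030 host=ws-03 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000060 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000095 host=ws-03 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000118 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000140 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=1200 bytes_in=77000
1700000151 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=300 bytes_in=2048
1700000181 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000200 host=ws-03 proc=chrome.exe dst=discord.com bytes_out=900 bytes_in=120000
1700000240 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000301 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000358 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000420 host=ws-17 proc=acctsync.exe dst=api.notion.com bytes_out=256 bytes_in=512
1700000600 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=500 bytes_in=30100
1700000610 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=420 bytes_in=8800
1700001800 host=ws-17 proc=notion.exe dst=api.notion.com bytes_out=700 bytes_in=51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<inb>\d+)$"
)

# Which client images are expected to talk to each SaaS API (assumption for this example).
EXPECTED_PROCS = {
    "api.notion.com": {"notion.exe", "chrome.exe", "msedge.exe"},
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe"},
}


def parse(text):
    """Parse telemetry lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({k: (int(v) if k in ("ts", "out", "inb") else v) for k, v in d.items()})
    return events


def cadence(timestamps):
    """Mean inter-connection interval and its coefficient of variation (pstdev/mean).
    A beacon, even with modest jitter, has a low CV; human activity does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = float(mean(gaps))
    return {"mean_interval": m, "cv": float(pstdev(gaps)) / m if m else float("inf")}


def find_suspects(events, min_events=6, max_cv=0.15, expected=EXPECTED_PROCS):
    """Group connections by (host, process, destination) and raise two independent
    signals: a process not expected for that destination, and a regular cadence."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["proc"], e["dst"])].append(e)
    findings = []
    for (host, proc, dst), evs in sorted(groups.items()):
        reasons, stats = [], {}
        allowed = expected.get(dst)
        if allowed is not None and proc not in allowed:
            reasons.append("unexpected_process")
        if len(evs) >= min_events:          # too few points and the CV is meaningless
            stats = cadence(e["ts"] for e in evs)
            if stats["cv"] <= max_cv:
                reasons.append("regular_cadence")
        if reasons:
            findings.append({"host": host, "proc": proc, "dst": dst,
                             "events": len(evs), "reasons": reasons, **stats})
    return findings


if __name__ == "__main__":
    for f in find_suspects(parse(LOG)):
        print(f)
```

The two signals are deliberately kept separate: `ws-03` is reported on process identity alone because two connections are not enough to judge cadence, while the `notion.exe` traffic on `ws-17` clears the event-count bar but its irregular gaps keep it out of the result. Operators who add heavy jitter or sleep for hours between polls will defeat the cadence check, which is why the process-to-destination baseline is the more durable of the two.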


Transcript

Corn
Daniel sent us this one — he's asking how hackers manage to stand up command and control servers without getting booted by their hosting providers. Seems like the kind of thing where if you're doing something obviously criminal, a reputable host would notice and pull the plug. So why doesn't that happen? There's a lot to unpack here.
Herman
Oh this is a fantastic question, and the short answer is that most of the time they're not using reputable hosts. But that's just the surface layer. The real story is a whole parallel infrastructure economy that's been evolving for decades.
Corn
A parallel economy. So we're talking about hosts that just don't care what you do with the server.
Herman
It's more nuanced than not caring. There's a whole category called bulletproof hosting. These are providers that explicitly market themselves as resistant to takedown requests. They operate in jurisdictions where law enforcement cooperation is minimal or nonexistent, and they structure their terms of service to essentially ignore abuse complaints.
Corn
Market themselves as resistant. That's brazen.
Herman
It really is. Some of them literally advertise phrases like "no logs policy" and "ignore DMCA" and "bulletproof against takedowns." There was a major operation a few years back — the FBI and Europol took down a bulletproof host called DoubleVPN, which had been openly advertising its services on Russian and English-language cybercrime forums since at least twenty fifteen.
Corn
So not just hosting, but a VPN layer on top of it.
Herman
Right, and that points to something important. The hosting is just one piece. Most sophisticated C2 infrastructure uses multiple layers of indirection. You've got the actual server sitting in some data center, but it's fronted by proxies, compromised routers, or consumer VPN endpoints that obscure the real IP.
Corn
Even if someone traces the traffic, they hit a proxy layer and the trail goes cold before reaching the actual host.
Herman
And by the time anyone files an abuse complaint, the infrastructure has often moved. Fast flux is a technique where the DNS records change every few minutes, rotating through hundreds or thousands of compromised IP addresses that act as proxies. The actual backend server stays hidden while the front-facing addresses are constantly shifting.
Corn
So you're chasing a moving target while the real server sits somewhere untouchable.
Herman
The somewhere is often a jurisdiction that's deliberately chosen. I was reading a threat intelligence report from Recorded Future a few months ago that mapped out where bulletproof hosting concentrates. Russia, certain former Soviet states, parts of Southeast Asia. Places where mutual legal assistance treaties either don't exist or move so slowly that by the time anyone responds, the campaign is over.
Corn
The geography is the defense mechanism. You pick a country that won't cooperate with Western law enforcement, and suddenly your host is effectively immune.
Herman
That's the first layer. But there's another one that's even more interesting. A lot of C2 infrastructure isn't hosted on servers that the attackers rent at all. They compromise legitimate infrastructure and use that instead.
Corn
You hijack someone else's server.
Herman
Or their WordPress site, or their home router, or their cloud instance. The Mirai botnet and its descendants have been compromising IoT devices for years. A compromised router in someone's living room becomes a C2 relay. No hosting provider to complain to, because the owner doesn't even know their device is being used.
Corn
You're not paying for it either.
Herman
And it's everywhere. If you've got a botnet of ten thousand compromised devices, you can designate a handful as C2 nodes and the rest as proxies or attack platforms. When one gets discovered and cleaned up, the botnet just designates another.
Corn
The attacker's overhead is essentially zero.
Herman
For certain types of campaigns, yes. But there's also the middle ground. Attackers will compromise a legitimate business's cloud account, spin up virtual machines using stolen credentials, and run C2 infrastructure on AWS or Azure or Google Cloud until the fraud is detected.
Corn
How long does that typically take?
Herman
It varies wildly. If they're careful about resource usage and don't trigger anomaly detection, they can run for weeks or months. Cloud providers have gotten much better at detecting cryptomining because of the resource patterns, but low-bandwidth C2 traffic can blend into normal operations pretty effectively.
Corn
We've got bulletproof hosts in non-cooperative jurisdictions, compromised consumer devices, and hijacked cloud accounts. That's three different approaches. Are there others?
Herman
The fourth one is increasingly popular, and it's the one that I think is hardest to counter. Attackers are using legitimate services as C2 channels. They'll use a Discord server, a GitHub repository, a Twitter account, or a Google Drive folder as their command infrastructure.
Corn
Using Discord as a C2 server. How does that even work?
Herman
You set up a Discord server, you've got a bot token, and your malware checks a specific channel for commands. It looks like normal API traffic. Discord's infrastructure is globally distributed, highly available, and nobody's going to block Discord at the network level because it's a legitimate service used by millions of people.
Corn
The attacker is hiding in plain sight, using the same infrastructure that everyone else uses for completely legitimate purposes.
Herman
The abuse teams at these platforms are playing whack-a-mole. They'll take down one malicious server, and three more pop up. The attackers automate the creation process using stolen or throwaway accounts. There was a Mandiant report last year that documented an APT group using Notion pages as a C2 channel.
Corn
A productivity app.
Herman
A productivity app. They were storing commands in Notion pages and having their malware poll the Notion API. It's encrypted, it looks like normal HTTPS traffic, and blocking Notion is not an option for most organizations.
Corn
That's almost elegant in its simplicity. Why build your own infrastructure when the target's own trusted applications will do the work for you?
Herman
That's the asymmetry that makes defense so hard. The attacker just needs one creative idea. The defender has to block everything.
Corn
Let me pull us back to Daniel's specific question though. He asked about reputable hosts terminating service. So if I'm DigitalOcean or Linode or whoever, and someone reports a server running C2, what actually happens?
Herman
The reputable hosts absolutely do terminate. They have abuse departments, they respond to complaints, and they'll shut down malicious infrastructure. The turnaround can be hours to a few days depending on the severity and the quality of the evidence provided.
Corn
The system works, in theory.
Herman
It works against the amateurs. The script kiddies who are running off-the-shelf malware on a single VPS they paid for with their own credit card. Those get caught quickly. But the professional operators are operating at a completely different level.
Corn
What makes the difference?
Herman
A professional group isn't going to use their real identity to register a domain or rent a server. They're using stolen identities, prepaid cards purchased with cryptocurrency, or they're going through resellers who don't ask questions.
Corn
The resellers are a weak link.
Herman
Or a deliberate feature. There's a whole ecosystem of what are called traffic distribution systems, which are essentially middlemen who resell hosting and domain registration services specifically to the cybercrime market. They handle the payment laundering, they rotate through accounts, and they maintain relationships with multiple upstream providers so that when one gets burned, they've got backups.
Corn
It's a resilience play. Redundancy at every layer.
Herman
The term of art is resilient command and control. The idea is that no single takedown should disrupt operations. You've got multiple domains, multiple IPs, multiple hosting providers, multiple jurisdictions. If one gets taken down, the malware already has fallback mechanisms built in.
Corn
Domain generation algorithms.
Herman
DGA is the classic example. The malware generates thousands of potential domain names algorithmically, and the attacker only needs to register one of them to maintain control. The defender has to block all of them, or predict which ones will be used. It's math in the attacker's favor.
Corn
The cost to the attacker is registering one domain. The cost to the defender is blocking thousands.
Herman
That's the fundamental asymmetry of cyber defense. The attacker picks the time, the target, and the method. The defender has to cover everything.
Corn
I want to go back to something you mentioned earlier. Bulletproof hosting in Russia and former Soviet states. Is that still the primary hub, or has it shifted?
Herman
It's still heavily concentrated there, but it's also diversified. There's been a notable shift toward bulletproof hosting in parts of Southeast Asia over the last few years. And there's a newer trend that's emerged where hosting providers in countries with strong rule of law are being compromised or co-opted.
Corn
Co-opted how?
Herman
Through shell companies. An organized crime group will set up what looks like a legitimate technology company, complete with a website, LinkedIn profiles, and a business registration. They'll establish a relationship with a hosting provider as a normal customer. Then they'll resell that infrastructure to cybercrime actors.
Corn
The hosting provider genuinely doesn't know.
Herman
Or doesn't want to know. There's a spectrum from completely unwitting to willfully blind to actively complicit. The actively complicit ones are the bulletproof hosts. The willfully blind ones are the ones who don't ask too many questions as long as the payments clear.
Corn
The unwitting ones are the most interesting, because they're doing everything right and still getting used.
Herman
That's where the cloud account compromises come in. If I steal a valid AWS account from a small business that has weak credentials and no multi-factor authentication, I can spin up EC2 instances and run C2 infrastructure. AWS isn't going to notice immediately because the account has legitimate history.
Corn
Until the bill shows up.
Herman
Which might take a month. And by then the campaign is over and the infrastructure is gone.
Corn
The billing cycle is the window of opportunity.
Herman
For cloud compromises, absolutely. And attackers are sophisticated about this. They'll set usage limits to stay under thresholds that trigger alerts. They'll operate during the target organization's business hours when traffic patterns look normal. They understand the detection mechanisms and work around them.
Corn
That's a level of professionalism that I think most people don't associate with cybercrime. They imagine someone in a dark basement.
Herman
The professional cybercrime groups operate like businesses. They have project managers, they have QA testing, they have customer support for their ransomware affiliates. The commoditization of cybercrime means that you don't need to be technically sophisticated to run a C2 server. You can rent one as a service.
Corn
C2 as a service.
Herman
It's a real thing. There are underground marketplaces where you can rent C2 infrastructure that's already set up, already hardened, already using fast flux and bulletproof hosting. You just upload your payload and go.
Corn
What does that cost?
Herman
It varies, but I've seen listings for basic C2 infrastructure starting at a few hundred dollars a month. The premium services with advanced evasion and multiple fallback mechanisms can run into the thousands. It's a competitive market.
Corn
The barrier to entry is basically a few hundred bucks and the willingness to commit crimes.
Herman
That's the uncomfortable reality. The tooling has been democratized. The same forces that made it easier to build legitimate software have made it easier to build malware infrastructure.
Corn
Let's talk about the takedown side for a moment. When law enforcement does go after C2 infrastructure, what does that actually look like?
Herman
It's a multi-step process that often takes months or years. First, someone has to detect the infrastructure and attribute it to a specific campaign or group. Then they need to gather enough evidence to convince a hosting provider or a domain registrar to take action, or to get a court order.
Corn
If the host is in a non-cooperative jurisdiction, the court order is meaningless.
Herman
It's a piece of paper. In those cases, law enforcement has to get creative. They'll work with the domain registrar instead of the hosting provider. They'll go after the payment infrastructure. They'll try to sinkhole the domains.
Sinkholing is when law enforcement or a security company takes control of a domain that was being used for C2. They register it themselves, or they get a court order to transfer control. Then instead of the malware connecting to the attacker's server, it connects to a server controlled by the good guys.
Corn
The malware is still running on infected machines, but now it's phoning home to the FBI.
Herman
That gives them visibility into how many infections there are, where they're located, and what the malware is capable of. It's one of the most effective disruption techniques we have.
Corn
The attackers know about sinkholing, presumably.
Herman
That's why they use DGAs and multiple fallback domains. If you sinkhole one domain, they've got nine more. It's an arms race.
Corn
Which brings us back to the asymmetry problem.
Herman
It always comes back to asymmetry. But I think there's something important to say about the direction this is heading. The use of legitimate services as C2 channels is getting more sophisticated, and that's making the traditional hosting-based detection model less effective.
Corn
Because you can't sinkhole Discord.
Herman
You can't sinkhole Discord. You can ask Discord to take down a specific server, and they will if you provide evidence. But that server might have been up for three weeks before anyone noticed, and the attacker has already moved to a Telegram channel or a GitHub repository.
Corn
The hosting provider question that Daniel asked is almost becoming outdated in real time.
Herman
It's not outdated, but it's becoming one piece of a much larger puzzle. The hosting layer still matters, especially for higher-bandwidth operations like data exfiltration or DDoS command infrastructure. But for the command and control signaling itself, the trend is toward blending into legitimate traffic.
Corn
What's an example of that blending?
Herman
HTTPS traffic to a legitimate cloud service. Let's say the malware makes an API call to a Google Sheet, reads a specific cell, and that cell contains an encoded command. To a network monitor, that looks like someone accessing Google Docs. It's encrypted. The destination IP is Google's. There's nothing to flag.
Corn
Google's not going to proactively scan every sheet for encoded commands.
Herman
Nor should they. That's not their role. And even if they did, the attacker can just encrypt or obfuscate the command so it looks like random data.
Corn
The defender's detection capability is increasingly limited to behavioral analysis. You're not looking at where the traffic is going, you're looking at patterns.
Herman
That's where the industry is moving. Network detection and response tools that look for anomalies in traffic patterns rather than trying to block known-bad destinations. But it's hard, and it generates a lot of false positives.
Corn
I want to ask about something you mentioned in passing. The payment layer. You said law enforcement sometimes goes after the payment infrastructure. How does that work when everything is cryptocurrency?
Herman
Cryptocurrency is pseudonymous, not anonymous. Every transaction is on a public ledger. If you can link a cryptocurrency address to a specific individual or group, you can follow the money.
Corn
Linking the address to a person is the hard part.
Herman
That's the hard part. Chain analysis companies have gotten very good at clustering addresses and identifying which exchanges are being used for cash-out. If a cybercrime group is cashing out through an exchange that requires identity verification, that's a choke point.
Corn
The weakness isn't the cryptocurrency itself, it's the conversion to spendable currency.
Herman
Always has been. You can accumulate millions in Bitcoin, but at some point you want to buy a car or a house, and that requires going through the traditional financial system. That's where law enforcement focuses.
Corn
The bulletproof hosting providers, how are they getting paid?
Herman
Cryptocurrency, often Monero which is designed to be more private than Bitcoin. Some of them have been operating for years and have built up enough reputation that they can charge premium rates. It's a business.
Corn
A business that's explicitly facilitating crime.
Herman
That's the ethical layer that I think is worth sitting with for a moment. The reason bulletproof hosting exists is because there's demand for it. The demand comes from cybercrime, but also from spam operations, phishing campaigns, and in some cases from groups that would argue they're engaged in legitimate political dissent and need hosting that resists government takedowns.
Corn
That's a tricky line. The same infrastructure that protects a dissident protects a ransomware operator.
Herman
The bulletproof hosts don't distinguish. They're not in the business of making ethical judgments. They're in the business of providing infrastructure that resists takedowns, full stop.
Corn
Which means that any solution that tries to shut down bulletproof hosting at the infrastructure level is going to run into those edge cases.
Herman
Into jurisdictional issues. One country's criminal is another country's protected actor. Russia isn't going to extradite a ransomware operator who only targets Western organizations and doesn't touch Russian ones.
Corn
There's a geopolitical dimension to this that makes it even harder to solve.
Herman
That's the part that I don't think gets enough attention in the technical coverage. The technical mechanisms are interesting, but the reason they persist is geopolitical. As long as there are safe havens, there will be bulletproof hosting.
Corn
The safe havens aren't going away.
Herman
Not in the current geopolitical environment, no.
Corn
Let me pivot slightly. You mentioned earlier that professional cybercrime groups operate like businesses. What does the organizational structure actually look like?
Herman
The most sophisticated groups have specialized roles. You've got the initial access brokers who specialize in getting into networks. You've got the malware developers who build and maintain the tooling. You've got the infrastructure team that manages the C2 servers and domains. And you've got the operators who actually run the campaigns.
Corn
It's not one person doing everything.
Herman
Not at the professional level. It's a supply chain. The person running the ransomware campaign might not know how to write malware. They're just operating the tools that someone else built, using infrastructure that a third party maintains.
Corn
Which makes attribution even harder, because you're dealing with multiple actors who may be in different countries and may not even know each other's real identities.
Herman
The infrastructure team might be servicing multiple different crime groups simultaneously. They're essentially an infrastructure-as-a-service provider for the criminal underground.
Corn
If you take down one ransomware group, the infrastructure team just finds new clients.
Herman
That's why the most effective law enforcement operations target the infrastructure layer itself. When the FBI took down the Hive ransomware group's infrastructure a few years ago, they didn't just seize servers. They infiltrated the network, captured decryption keys, and distributed them to victims. That's the kind of operation that has lasting impact.
Corn
That requires infiltration, which is resource-intensive and risky.
Herman
It requires international cooperation, which is increasingly difficult. The Hive operation involved law enforcement from multiple countries working together. That level of coordination is the exception, not the rule.
Corn
The attacker's advantage isn't just technical, it's structural. The internet was built for openness and interoperability, and the mechanisms for enforcing norms across borders are weak by design.
Herman
That's the fundamental tension. The same properties that make the internet valuable for legitimate commerce and communication make it valuable for crime. There's no easy way to have one without the other.
Corn
Unless you want to rebuild the internet with identity verification at every layer.
Herman
Which has its own massive problems. Privacy, censorship resistance, the ability to communicate anonymously. Those aren't just features for criminals, they're features for everyone.
Corn
We're stuck with the asymmetry.
Herman
We're stuck with managing it rather than solving it. The goal isn't to eliminate C2 infrastructure entirely, because that's probably impossible. The goal is to raise the cost and complexity for attackers, to reduce the dwell time, and to make the infrastructure less reliable.
Corn
Dwell time being how long the C2 operates before detection.
Herman
And that number has been coming down for the less sophisticated groups. The amateurs get caught in hours or days. The professionals can still operate for months, but even that's getting harder as detection tools improve.
Corn
What's driving the improvement?
Herman
Partly better threat intelligence sharing. There are industry groups now where security teams share indicators of compromise in near real-time. Partly machine learning systems that can spot anomalous traffic patterns. And partly just the accumulated experience of incident responders who have seen these tactics before.
Corn
The attackers are also learning and adapting.
Herman
Every time we publish a detection technique, the attackers read it and adapt. The cycle time is getting shorter.
Corn
Which brings us back to the legitimate services angle. If the trend is toward abusing platforms like Discord and GitHub and Notion, what does defense look like in that world?
Herman
It gets much harder, because you can't block those services. The defense shifts toward endpoint detection, toward understanding what processes are running on your machines and what they're doing. If your accounting software is making API calls to Discord, something is wrong.
Corn
It's less about network monitoring and more about endpoint behavior.
Herman
That's the direction. And it's a much harder problem because you need visibility into every device, and you need to understand what normal behavior looks like for each one.
Corn
Which requires a level of maturity that most organizations don't have.
Herman
Most small and medium businesses certainly don't. They're running antivirus and hoping for the best.
Corn
Daniel's question about hosting providers is really a question about a specific layer of a much deeper problem. The hosting layer matters, but it's not the whole story, and it's becoming less central over time.
Herman
I think that's the key insight. The hosting provider question assumes a model where attackers rent servers from companies that have terms of service and abuse departments. That model is real, and it's still used, but the most sophisticated actors have moved beyond it.
Corn
They've moved to compromised infrastructure, bulletproof hosts, and legitimate service abuse.
Herman
They've built resilience into every layer. Redundant domains, fast flux, multiple hosting providers, multiple jurisdictions. Taking down one piece doesn't stop the operation.
Corn
If I'm a defender, and I find a C2 server, what's my best move?
Herman
It depends on the context. If it's a sophisticated actor, taking down one server might just cause them to shift to a fallback that you haven't identified yet. Sometimes it's better to monitor the C2 traffic to understand the scope of the compromise before you tip your hand.
Corn
You leave it running deliberately.
Herman
In some cases, yes. Law enforcement does this all the time. They'll monitor C2 infrastructure for months to identify victims, understand the attacker's methods, and build a case. The takedown is the last step, not the first.
Corn
That requires patience and resources that most private sector security teams don't have.
Herman
Which is why most companies just block the indicators and move on. They're not in the business of running counterintelligence operations.
Corn
Alright, let me try to synthesize what we've covered. Hackers stand up C2 servers through a combination of bulletproof hosting in non-cooperative jurisdictions, compromised legitimate infrastructure, hijacked cloud accounts, and abuse of legitimate platforms. They use techniques like fast flux and domain generation algorithms to build resilience. The reputable hosts do terminate when they detect abuse, but the professionals avoid detection or use hosts that don't care. And the whole thing is sustained by a professionalized underground economy with specialized roles and service-based pricing.
Herman
That's a solid summary. The only thing I'd add is that the trend line is toward blending into legitimate traffic, which makes the hosting layer less relevant and the endpoint detection layer more critical.
Corn
Which is a harder problem to solve at scale.
Herman
And it's going to keep security teams busy for the foreseeable future.
Corn
One last question. If you were going to give Daniel a practical takeaway from all of this, what would it be?
Herman
I'd say the hosting provider question is the right instinct, but it's asking about one piece of a much more complex system. If you're trying to understand whether a particular piece of infrastructure is malicious, don't just look at who's hosting it. Look at the registration patterns, the DNS behavior, the TLS certificate details, and whether the infrastructure is using techniques like fast flux. No single indicator is reliable, but the pattern across multiple layers usually tells the story.
Corn
If you're trying to defend your own network, assume that blocking known-bad IPs and domains is necessary but not sufficient. The attacker is probably using something you haven't seen yet.
Herman
Assume compromise, monitor behavior, and have a plan for when, not if, something gets through. That's the modern security posture.
Corn
Now: Hilbert's daily fun fact.

Hilbert
The mantis shrimp possesses the most complex eyes in the animal kingdom, with sixteen types of photoreceptor cones compared to humans' three. The term "stomatopod," the scientific order to which mantis shrimp belong, derives from Greek "stoma" meaning mouth and "pous" meaning foot, a reference to the creature's mouthparts being modified legs. The order was first comprehensively described by William Thomas Calman, a Scottish zoologist who published his definitive taxonomy while working at the Newfoundland Fishery Research Laboratory in the years following the First World War.
Corn
That's unsettling.
Herman
Sixteen photoreceptors and they went with mouth foot.
Corn
This has been My Weird Prompts. Thank you to our producer Hilbert Flumingtop, and thank you for listening. If you want more episodes, you can find them at myweirdprompts.com or wherever you get your podcasts.
Herman
Until next time.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.