    Cyberbunker Germany raided 26.09.2019 (Sven Olaf Kamphuis / Herman Xennt)

    that_guy Member
    edited September 27 in General

    Seems that the German DC of world famous bulletproof hoster cyberbunker.com (plus at least one location in NL) was raided yesterday by the LKA (State Office of Criminal Investigations) with help of the GSG9 (holy shit, WTF?!) after 5 years of investigations. Seven people have been arrested. Four Dutch men (59, 49, 33, 24), one German (23), one Bulgarian (age?) and one German woman (52). 200 servers have been confiscated.
    The DC was located in an ex-NATO bunker in Traben-Trarbach. There has been a press conference at 12:00, so I hope to get more details soon.

    Website is not down but empty. Archive.org link (very interesting read! All of it *g*):
    https://web.archive.org/web/20190427013220/http://cyberbunker.com/web/index.php

    Supposedly these sites (drug markets) have been hosted there:
    Cannabis Road
    Wall Street Market
    Fraudsters
    Flugsvamp 2.0
    orangechemicals
    acechemstore
    lifestylepharma

    ..And of course everything else that was typical for cyberbunker.

    Can't yet find any English sources (and I just noticed that deepdotweb.com has been seized long ago, lol), so try to translate these:

    English articles are popping up. Just search for "cyberbunker" in Google's news tab.

    Official press release:
    https://www.presseportal.de/blaulicht/pm/29763/4386624

    News article (warning: bild.de is a tabloid like "the sun" in UK):
    https://www.bild.de/regional/frankfurt/frankfurt-aktuell/sieben-cyberkriminelle-festgenommen-was-geschah-im-nato-bunker-64982170.bild.html

    Old article about the plans to build a new DC in that location:
    https://www.volksfreund.de/region/mosel-wittlich-hunsrueck/erdwall-soll-vor-neugierigen-blicken-schuetzen_aid-6082178

    Does anyone have more info? Anything heard through the grapevine?
    Will they find a huge ~~cannabis grow op~~ MDMA lab again this time *g*?
    @William ?

    Don't forget to like, subscribe, and comment below.
    "they just simply can't trace me down on internet because I'm using Linux." Mr_indescribable

    Comments

    • It is already more than sick enough that such a datacenter existed in "Germany". I've known Cyberbunker for a long time, I thought their datacenter was only in Holland. In any case, they have only specified servers in "Holland". That the actual datacenter was in Germany, I didn't know either.

      I don't understand how you can have the thoughts to host such sites in Germany. Everybody knows how Germany reacts to it. There cybercriminals are punished worse than rapists.

      Their data center looked relatively clean. Equipment didn't seem to be bad either. I always thought they had bad equipment as their website looked.

      I would recommend everyone not to host in Germany. Even if their servers are of high quality, there the servers are confiscated or taken offline with every small "hint". It can also be a fake hint that servers can be confiscated. Also copyright companies like GVU or others have accused for years of sites that actually had no connection with crime. Reminds me of the new Stasi in the modern age.


    • jackb Member, Provider

      5 years of investigations... Isn't that roughly when Sven left jail?

      Thanked by 1uptime

      Afterburst - Awesome OpenVZ&KVM VPS in US+EU

    • that_guy said: Will they find a huge cannabis grow op again this time *g*?

      Wasn't it an MDMA lab the last time? :smiley:

    • Vlado said: It is already more than sick enough that such a datacenter existed in "Germany". I've known Cyberbunker for a long time, I thought their datacenter was only in Holland. In any case, they have only specified servers in "Holland". That the actual datacenter was in Germany, I didn't know either.

      In their website they said it was in the Netherlands: https://web.archive.org/web/20190312133725/http://cyberbunker.com/web/location.php

    • HostSlick Member, Provider
      edited September 27

      It says on their website that the DC is the Bunker in NL but that is incorrect (at least what I heard and read). That Dutch bunker is owned by the Company "Bunker-Infra". Cyberbunker didn't own the Bunker anymore since ... 2010?

      Also look at this:

      starting at 03:55 the Bunker and the actual owners.

      And at 14:30 they also mention Ecatel.
      15:40 - Ecatel employee get mad, funny part.

      -

      They didn't run under the name Cyberbunker anymore but instead "Calibour GmbH"

      https://www.northdata.de/Calibour+GmbH,+Traben-Trarbach/Amtsgericht+Wittlich+HRB+42709

      https://bgp.he.net/AS29090

      https://www.spamhaus.org/sbl/listings/calibour.com ---> https://www.spamhaus.org/sbl/listings/zyztm.com

      zyztm.com // calibour.com

      Thanked by 2that_guy uptime
    • that_guy Member
      edited September 27

      @Tr33n said:
      Wasn't it an MDMA lab the last time? :smiley:

      Now that you mention it, I think yes. Maybe I just confused it with someone who suggested that growing weed in a DC would be perfect, because both use cases are so similar (the need for security, space, lots of electricity, ventilation/AC, no windows etc.)

      BTW: They definitely had a DC in NL too. I just don't know if they lost it due to the old raid/arrest/confiscation or a fire (wasn't there a fire or am I confusing things again?) or if they are still operating that too. The one in DE was the new one they have been talking about for years. EDIT: see HostSlick above


    • AS29090 and AS62454

      Thanked by 1pike
    • DC in Germany and bullet proof never added up to me. I'm pretty sure thepiratebay at one point said they were hosted at the bunker.

    • In my personal opinion, the raid comes too late because they hosted all kinds of shit, and I do support the authorities in that matter.

    • that_guy Member
      edited September 27
      Thanked by 2uptime Sofia_K


    • Jord Moderator

      I've always wanted a bunker for a DC

    • @Jord build our own bunkers?

    • Jord Moderator

      @mohamed said:
      @Jord build our own bunkers?

      That would be a bit hard, I have no land. Plus it's so much easier if it's already built :D

      Thanked by 1mohamed
    • AlwaysSkint Member
      edited September 27

      nvm

      redacted

    • @that_guy thanks, keep us updated about press conference.

      Thanked by 1that_guy


    • I remember them from war with Spamhaus. Bunker owner is insane. Would be interesting to read AMA with him from jail.

      Wordpress Hosting - Home made!

    • Just found this video on youtube:

      Theoretically it should be an overview of the datacenter even if I don't recognize it, if someone recognizes it let us know.

      Thanked by 2uptime that_guy

      my recommendations: FranTech | Zare | SonicFast | ExtraVM | ReliableSite

    • Jord said: I've always wanted a bunker for a DC

      Sealand, lol.

    • pike Member
      edited September 27

      @that_guy said:
      Seems that the German DC of world famous bulletproof hoster cyberbunker.com (plus at least one location in NL) was raided yesterday by the LKA (State Office of Criminal Investigations) with help of the GSG9 (holy shit, WTF?!)

      Well that's German efficiency. The Dutchmen took how many tries to enter their cyberbunker? 3?

      Damn if I knew this earlier, at 2pm today one could go around the location after the press conference :D
      In a Spiegel article from today they say the LKA hacked the datacenter before entering it, lol.

      Related: http://www.zyztm.com/

      Thanked by 1that_guy

      Recommended virtual servers: PHP-Friends vServer | Hetzner Cloud

    • @willie said:

      Jord said: I've always wanted a bunker for a DC

      Sealand, lol.

      Pfft, not a real 'bunker'. This is a bunker. http://www.infobunker.com/overview.shtml

    • @Zshen said:

      @willie said:

      Jord said: I've always wanted a bunker for a DC

      Sealand, lol.

      Pfft, not a real 'bunker'. This is a bunker. http://www.infobunker.com/overview.shtml

      Real bunkers are made from Krupp steel.


    • @mohamed said:
      @Jord build our own bunkers?

      Communism intensified

      Thanked by 3pike Amitz Janevski

      ^-^!

    • stefeman Member
      edited September 27

      Damn, there goes my IPTV :(

    • jsg Member

      IMO the question with those guys never was "whether" but only "when" they'd be taken down.
      Their two big idiocies were (a) to have anything in Germany, and (b) to obviously be grey and probably a darker shade of grey - and to advertise that.

      "Years of investigation" highly likely simply means that diverse authorities looked closely at their traffic and collected evidence for a series of other cases (users of theirs).

    • dfroe Member, Provider

      @Zshen said:
      Pfft, not a real 'bunker'. This is a bunker. http://www.infobunker.com/overview.shtml

      "The Most Secure & Reliable Data Center in Iowa"
      "Ultra-Secure Colocation"

      But failing to set up TLS on their website.

      Seems Legit

      IT-Service David Froehlich | Individual network and hosting solutions | RIPE LIR services (IPv4, IPv6, ASN)

    • jsg Member
      edited September 27

      Cop in charge said:
      We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center

      (source: AP)

      Hahaha! That's very funny anyway. Probably he doesn't even know what he's talking about, but it's also possible that the "super-secure" bunker actually had rather yester-decade security.

      Thanked by 1uptime
    • @jsg said:
      Hahaha! That's very funny anyway. Probably he doesn't even know what he's talking about, but it's also possible that the "super-secure" bunker actually had rather yester-decade security.

      He's referring to the fact they hacked into the datacenter before even entering it physically.


    • jsg Member

      @pike said:
      He's referring to the fact they hacked into the datacenter before even entering it physically.

      So?

      He is either lying, probably due to lack of understanding, or the oh so great cyber bunker security was actually ridiculous. Just as I said.

    • jackb Member, Provider
      edited September 27

      @jsg said:

      @pike said:
      He's referring to the fact they hacked into the datacenter before even entering it physically.

      So?

      He is either lying, probably due to lack of understanding, or the oh so great cyber bunker security was actually ridiculous. Just as I said.

      German special forces were involved in the raid, wouldn't surprise me if the 'trusted external sources' that tell cert-bund about security vulnerabilities based on network traffic (read: BKA) were also involved.

      Bear in mind that even modern security practices are rarely a match for first world nation attackers. The only sure way to be certain against that sort of thing is to bury your computer after destroying it. First world nations are not a good choice for adversary in any security model unless you intend to lose.

      I'm not defending cyberbunker here - just stating it's not a slam dunk that they were using incorrect practices simply due to who they were up against - though if they were, it will just have been easier.

      Thanked by 1uptime


    • jsg Member
      edited September 27

      @jackb

      Due to my work I happen to have a quite good idea what the German "cyber forces" incl. BKA are capable of and frankly, I'm not impressed.
      Two major factors that keep them relatively weak are salary levels in public service and bureaucracy (which is really overwhelming).

      Special forces (GSG9) sounds impressive but is irrelevant wrt IT security.

      The main issue I have with your statements is that one can defend against even first world nation forces - if one really knows one's trade and if one acts meticulously and diligently.

      Cyber bunker IMO wasn't f_cked because one can't defend against BKA, FBI, etc. They were f_cked because (a) they did not properly do ITsec, and frankly not even OPsec, and (b) because they "bragged" and invited too much attention.

      That said I don't think that all of them will end up in jail. I think that that operation's real and main goal was to get at and take down some of their clients. "Beating up" cyber bunker along the way was just a practical necessity. It seems highly likely to me that good lawyers will keep most of CB's crew out of jail, unless of course they themselves were involved/closely linked to some clients' illegal operations. And their bragging won't be helpful there but risks to turn against them.

    • jackb Member, Provider
      edited September 27

      @jsg said:
      Special forces (GSG9) sounds impressive but is irrelevant wrt IT security.

      Sure, but it's a good indicator of how much resource the government was willing to chuck at the investigation. You don't get GSG9 (or any special forces for that matter) without someone high up pulling strings. If they pulled those strings, they'll have pulled other, more relevant strings.

      The main issue I have with your statements is that one can defend against even first world nation forces - if one really knows one's trade and if one acts meticulously and diligently.

      One can be diligent, knowledgeable and meticulous and still get caught out. As we both know, security at that level is a cat and mouse game. If someone has that sort of attention (and maintains it) in their own jurisdiction and aren't legit, their days are numbered no matter how competent or incompetent.

      (b) because they "bragged" and invited too much attention.

      This is the big one. If they'd kept a lower profile, chances are the people running cb3rob would have gotten away with it and if not would have had a better shot at plausible deniability when they get their day in court.

      Thanked by 1uptime


    • vimalware Member
      edited September 28

      GSG9 for a bunch of buttery males?
      I don't buy it.

      The real goal has to be something really interesting. 🍿

      Thanked by 1jsg

      My pick for reliable 2GB SSD-KVM(10+50GB) : ultravps[dot]eu in AMS/LON/DAL/LAX/Moldova/Düsseldorf
      starting @ €33.6/yr SSD-Special-2 (Limited Stock) <-- bonus discount (upto €3.0 off in 1st year for new clients.)

    • |||| $8? 🥔🥔 Markdown on Potatoes.

    • Interesting. Perhaps this explains why bitcoin took a 20% tumble last week. I wonder how much was confiscated in the raid?

    • that_guy Member
      edited September 29

      Sorry for splitting this into multiple posts! But cloudflare was trying to show me a captcha and failed miserably repeatedly. And this was a way to get around this.

      The press conference didn't reveal much. But I sifted through a dozen news articles, and found some more details and background infos.
      I feel like a proper modern day "journalist" - no own research, just internet copy & paste :-p
      Please forgive my Germanized English. I was getting tired because it took much longer than expected.
      So I had to flush my perfectionism down the toilet. Also, translating other people's texts gives you much less freedom, I noticed.
      The real juicy parts will probably show up much later, after the trials are over, I guess.
      Here's the summary:

      The defendants and accusations

      On request of the LZC (DE: Landeszentralstelle Cybercrime, ENG: state cybercrime unit) the district court Koblenz issued detention orders against 7 main suspects because of "danger of absconding" and "suppression of evidence". They were found during the raid and put into investigative custody.

      1 NL, male, 59 (main suspect)
      2 NL, male, 49
      3 NL, male, 33
      4 NL, male, 24
      5 BG, male, ??
      6 DE, male, 23
      7 DE, female, 52

      There are 6 more suspects, but there is no info about them in the news. I guess there are detention orders for them too, but the cops couldn't arrest them yet.

      The main suspect is officially residing in Singapore, but investigation showed that he actually lived close to the bunker and also in the bunker since 2013, or at least lately. He "had connections to organized crime".

      The accusations:

      suspicion of membership in a criminal organisation
      Aiding in serious drug delicts
      Aiding in counterfeit money delicts
      Aiding in dealing with stolen data
      Aiding in spreading malware
      Aiding in spreading childporn
      Aiding in counterfeit document delicts
      Aiding in cyber attacks
      in a total of 100000s of cases

      And also hosting at least one of the C&C servers of a Mirai botnet that disabled ~1.2 million routers of customers of Deutsche Telekom on November 27th 2016.
      Interesting sidenote:
      The disabled routers were just unintended collateral damage. The perpetrator, a 29 year old Brit, was a mercenary in a conflict between two Liberian mobile providers.
      He wanted to use the routers for his botnet, but the infection went wrong and disabled (or bricked) them. He was known as „Spiderman“ and „Peter Parker“, and was sentenced to 20 months probation by the district court of Cologne.


    • that_guy Member
      edited September 29

      The areal, bunker and DC

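      The areal is located on a small mountain called "Mont Royal" close to the tiny city "Traben-Trarbach" in the state of Rhineland-Palatinate (Rheinland-Pfalz).
      It was used by the German army from 1975 to 2012 for meteorological studies and related things. It housed the "Bundeswehr Amt Fuer Wehrgeophysik", which collected and analysed weather data from around the world for the army. To process the huge amounts of data, the army ran a big data center there.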

      Street: Gewerbegebiet Mont-Royal
      Town: Traben-Trarbach
      Post code: 56841
      State: Rheinland-Pfalz

      maps: https://www.google.de/maps/place/Mont+Royal/@49.9645443,7.1197652,673m/data=!3m1!1e3!4m5!3m4!1s0x47be3ad493376f13:0x8d2e9bcd881113ab!8m2!3d49.9672222!4d7.1108333
      https://imgur.com/Adblbl4 (that's the office buildings. the bunker is like 200-300m further north)

      Size of the areal: 13000 square meters or 13 hectare depending on the (illiterate) source
      (I guess it's 13 hectare = 130000 sqm. because 13000 sqm. would only be e.g. 100m x 130m).

      Size of the bunker: 5000 sqm., 5 floors

      The buildings on the surface offer ~500 rooms.

      The bunker was built in 1955.

      After the site was closed in 2012, it was bought in 2013 by a Dutch foundation.
      Article about the planned handover to the new owners of the bunker in 2012:
      https://www.peter-bleser.de/neuigkeit/folgenutzung-des-amtes-fuer-geo-informationswesen-in-traben-trarbach-eroertert

      Funfact: Mr. Langer, the mayor of Traben-Trarbach, worked on the areal as a technician of the "Bundeswehr Amt Fuer Wehrgeophysik" back in the day.


    • that_guy Member
      edited September 29

      The investigation and raid

      The first tip-off came from the local association of municipalities ("Verbandsgemeinde Traben-Trarbach"). When they told the LKA Rheinland-Pfalz (State Office of Criminal Investigations) in 2013 WHO bought the areal, the LKA's alarm bells rang, because the main suspect already had a reputation in NL to host criminal websites in a bunker DC.

      There were also rumours in town, because the investor was almost never seen. The mayor of Traben-Trarbach visited the areal 3 times. Everything looked fine. Just lots of computers, and some free roaming dogs. But "I had a disquieting gut feeling: you never know what's on those computers... Now we know." he said.

      The investigation officially started in 2015, and was described as very time consuming and work-intensive. Besides the LKA Rheinland-Pfalz, investigators from Hessia, Bavaria, and the Netherlands were helping. (So I guess the officers from Lower Saxony, Luxembourg and Poland (and Sweden?) weren't involved in the investigations, but now need to help with local search warrants and arrests.)

      The President of the LKA Rheinland-Pfalz said that lately his whole special unit for cybercrime (LZC, "Landeszentralstelle Cybercrime"), which was extended to over 20 people, worked almost day and night on this case, until they had enough info on the 13 suspects behind cyberbunker.

      The seizure of Wallstreet Market (which was hosted by cyberbunker) in April 2019 might also have yielded some helpful intel on Cyberbunker. Maybe someone spilled some beans, maybe the cops found some unencrypted e-mails, SSH keys, invoices, real names etc.? Other drug market busts might have helped too. That's just my personal guess! This wasn't mentioned anywhere!

      The raid itself has been in preparation for several weeks (another article said since May).

      The investigating judge issued a total of 18 search warrants in Germany, Luxembourg, the Netherlands and Poland. One article mentioned the Swedish law enforcement is somehow involved too (but no report of activities in SE yet).

      The raid started at 8 in the morning. At 6 in the evening, the 7 main suspects were arrested at the same time. Six of them in a restaurant in Traben-Trarbach, where undercover LKA officers waited for them. The other person was arrested in Schwalbach, about 130km away, near Frankfurt am Main (which is Germany's hosting hotspot and home of the DE-CIX).
      At the time of the raid, no one was in the bunker.

      At the same time the search warrants in other countries were carried out. But no info about them yet.

      As a whole there were ~650 police officers (of all kinds, e.g. local normal police, LKA, GSG9, maybe BKA? etc.) and one helicopter involved in this case. 440 of them were at the bunker. So I guess the others were from Frankfurt/Schwalbach and the other countries, and investigators who didn't take part in the raid itself?

      About 200 servers, written documents, lots of storage media, mobile phones and a big amount of cash were seized. The total number of servers was estimated at ~2000.

      The technical and tactical challenges were enormous. The area was guarded and fenced-in.
      Cracking the security system was complicated (they had to "crack digital signatures").

      And then there is the legal aspect: running a DC that hosts illegal websites is not illegal by itself. It needs to be proven that the people who run the DC knew about the illegal conduct of their customers and encouraged it.

      The analysis of the confiscated data will take months or years, due to the huge amount. It is expected that lots of further investigations will come out of that.


    • that_guy Member
      edited September 29
      Thanked by 1maverickp


    • that_guy said: a mercenary in a conflict between two Liberian mobile providers

      yeah ... I can only imagine how strange a reflection that would be to see staring back at me from the mirror, blurred through however many rails of fine fine superfine cocainum

      "hi mom!"


    • jsg Member

      One problem I suspect to come up is that afaik in most European countries it's very, very difficult if not impossible to sue the state to reimburse for damage done by its agencies.

      And that's one of the major outcomes I expect. From what I see chances are that one or maybe a couple of the arrested people will be put in court and jailed but others, possibly almost all, will go free. One major reason for that is the way proper courts work; "we know" is not enough, police must be able to prove it and to attribute it (which is very hard in that field).

      Their data center however is belly up now and it will be extremely hard if not impossible to rebuild any colo/hosting business there.

      I expect vengeance acts, and frankly, a part of them will be justified.

    • The bottom of the cyberbunker site has "RSS" crossed out as if it's somehow part of the many surveillance programs (facebook, google, twitter, etc). Are there security and privacy implications in RSS I'm unaware of? I thought RSS was just another way of reading your favorite blogs?

    • HostSlick Member, Provider
      edited October 6

      Cyberbunker will be back soon. They hijacked their domain Zyztm.com back from the German government.

      https://tarnkappe.info/cyberbunker-kommt-zurueck-domain-gekapert/

      Thanked by 1that_guy
    • Please keep us updated. This is some seriously interesting story going on.


    • Rhys Member, Provider
      edited October 6

      @HostSlick said:
      Cyberbunker will be back soon. They hijacked their domain Zyztm.com back from the German government.

      https://tarnkappe.info/cyberbunker-kommt-zurueck-domain-gekapert/

      Looks like it's being transited by ex-devcapsule ex-aulerion @florianb too. A day after the raid the zyztm ASN was added to his AS-SET and then transiting of the /22 as /24's and /23's started yesterday.

      Thanked by 1bjo