Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bullet-Proof Hosting


Arman Noroozian, TU Delft; Jan Koenders and Eelco van Veldhuizen, Dutch National High-Tech Crime Unit; Carlos H. Ganan, TU Delft; Sumayah Alrwais, King Saud University and International Computer Science Institute; Damon McCoy, New York University; Michel van Eeten, TU Delft


This paper presents the first empirical study based on ground-truth data of a major Bullet-Proof Hosting (BPH) provider, a company called Maxided. BPH allows miscreants to host criminal activities in support of various cybercrime business models such as phishing, botnets, DDoS, spam, and counterfeit pharmaceutical websites. Maxided was legally taken down by law enforcement and its backend servers were seized. We analyze data extracted from its backend databases and connect it to various external data sources to characterize Maxided's business model, supply chain, customers and finances. We reason about what the "inside" view reveals about potential chokepoints for disrupting BPH providers. We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers. We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable. The other intervention option would be to take down the platform itself.


@inproceedings {236290,
author = {Arman Noroozian and Jan Koenders and Eelco van Veldhuizen and Carlos H. Ganan and Sumayah Alrwais and Damon McCoy and Michel van Eeten},
title = {Platforms in Everything: Analyzing {Ground-Truth} Data on the Anatomy and Economics of {Bullet-Proof} Hosting},
booktitle = {28th USENIX Security Symposium (USENIX Security 19)},
year = {2019},
isbn = {978-1-939133-06-9},
address = {Santa Clara, CA},
pages = {1341--1356},
url = {},
publisher = {USENIX Association},
month = aug
}
