Darknet hosting provider in underground NATO bunker busted

A large piece of the dark web’s spine has been broken: German investigators announced on Friday that they’ve excavated the CyberBunker.

The so-called bulletproof hosting provider, located five floors underground in a heavily fortified, Cold War-era, former NATO bunker in Germany, is a data center with around 200 servers, dedicated to shielding illegal activity from the eyes of law enforcement.

Thirteen suspects connected to CyberBunker – seven arrested and the rest still at large – are being investigated in connection with the websites hosted by the data center, which involved arms trafficking, trafficking in child abuse imagery and drugs, selling fake documents, marketing stolen data, conducting large-scale cyber attacks, or, as described by a spokesman for the Rhineland-Palatinate State Office of Criminal Investigation (LKA):

“Anything you can imagine on the Darknet.”

Prosecutor Jürgen Brauer and regional criminal police chief Johannes Kunz said in a press conference on Friday that the countrywide, nearly five-year, complex investigation is the first time that German police have managed to break the operations of a bulletproof hosting provider.

The accused include 12 men and one woman, aged between 20 and 59. Police have arrested seven men and have issued warrants for the rest of the men and the one woman. Four of the suspects are Dutch, one is Bulgarian and two are German. In addition, 18 search warrants have been issued.

Wall Street Market crumbles

So far, investigators have determined that the darknet marketplaces and forums hosted by CyberBunker servers included, for one, the Wall Street Market (WSM): the second-largest marketplace of its kind in the world. An e-commerce site, it was something like an eBay for drugs, police said. They say it handled 250,000 transactions for a total of more than 41 million euros (USD $44.66m, £36.28m).

WSM had been stinking of exit scam for a while. The admins switched the platform into maintenance mode on 23 April 2019, then began transferring customers’ funds to themselves. Customers and buyers responded by howling about the “Sorry guys we are currently redesigning WSM” message, which the admins posted on Friday 26 April, and which said that the “maintenance” would last a week.

WSM, along with the Valhalla Market (better known by its Finnish name, Silkkitie), was busted by an international police force in May 2019.

Other forums run on CyberBunker servers included:

  • Cannabis Road. Investigators said that 87 sellers of illegal drugs of all kinds were registered on this site. Several thousand retail sales of cannabis products were processed on this platform.
  • Fraudsters. Another underground forum for drug sales.
  • Flight Vamp 2.0. Investigators said that this is the largest Swedish darknet marketplace for drugs, with some 600 sellers and about 10,000 buyers.
  • Orangechemicals, acechemstore, lifestylepharma. Other platforms marketing synthetic drugs, distributed throughout Europe.

During the press conference, Brauer also said that one of the servers inside CyberBunker was at the heart of the Mirai distributed denial of service (DDoS) botnet attack on German telecommunications company Deutsche Telekom in late November 2016. That attack knocked out some 900,000 customers’ routers, affecting close to 1 in 20 users.

Busy cybercrime beehive

CyberBunker has even more history: it served as a host for the file-sharing site (and crypto-mining CPU plunderer) The Pirate Bay and as one of the many WikiLeaks mirrors.

It’s also suspected of hosting spammers, botnet command-and-control servers, malware and online scams, and was part of the March 2013 DDoS attack launched against Spamhaus – an attack of unprecedented ferocity against an international nonprofit dedicated to fighting spam.

Barbed wire, surveillance cameras

Kunz said that police had to overcome both the digital defenses and the physical security of the site: a 5,000-square-meter former military bunker located in the picturesque town of Traben-Trarbach on the Mosel River in western Germany. To keep people outside of its perimeter, the area is surrounded by a fence topped with barbed wire, and video cameras monitor third-party activity.

According to local news outlets, the facility was acquired in 2013 from the Office for Geoinformation of the unified armed forces of Germany – the Bundeswehr – by a now 59-year-old Dutchman. He’s the main suspect and reportedly has ties to organized crime in the Netherlands.

The LKA said that several hundred emergency services were involved. According to the Mayor of Traben-Trarbach, Patrice Langer, that included a helicopter. The search of the buildings on the former military site turned up about 200 servers, written documents, mobile phones and a large sum of cash.

Business must have been going well. Police reportedly found empty racks, already mounted, waiting for new servers.