‘Remove this infection from your network’ The small Russian company that ‘saved’ Parler has other, far more odious clients
In January 2021, a small website security company based in Russia called “DDoS-Guard” made its infrastructure available to the American social network Parler, after Amazon Web Services refused to host the service and both Apple and Google removed Parler from its app stores for failing to moderate and delete content that promotes violence. The catalyst for dropping the largely right-wing social network was the storming of the U.S. Capitol building on January 6, which resulted in five deaths and was allegedly coordinated, in part, using services like Parler. Even before it started doing business with Parler, DDoS-Guard had a reputation for hosting infamous groups like the Islamist movement Hamas and the conspiracy-theorist forum 8chan.
DDoS-Guard has long insisted that it will work with any clients who obey the law, but Meduza learned that the company is, in fact, suspected of hosting multiple Internet scammers responsible for stealing banking data, and one of the world’s largest online stores for illegal drugs operates using an infrastructure associated with DDoS-Guard. None of these allegations, meanwhile, has prevented the company from cooperating closely with Russia’s Defense Ministry and Central Bank.
Evgeny Marchenko and Dmitry Sabitov (both originally from Ukraine) first registered “DDoS-Guard” as a Russian company in Sevastopol in July 2014, just a few months after Moscow annexed Crimea. Two former employees told Meduza that a company with the same name, owned by the same two men, had previously operated in Ukraine since 2011, registered at the website ddos-guard.net. The firm’s spokespeople say its earlier incarnation was just a preliminary stage for software development, claiming that DDoS-Guard has always been based inside Russia, in the city of Rostov-on-Don (though that office didn’t open until 2015, Meduza discovered).
DDoS-Guard’s problems in Ukraine and its apparent reason for relocating to Russia predate the annexation of Crimea. As early as the spring of 2013, sources told Meduza, Ukrainian national security and cyber-police officers started investigating the company’s office in Sevastopol for allegedly hosting a platform called Verified — one of the Internet’s oldest and most notorious Russian-language forums for credit-card scammers. DDoS-Guard denies any awareness of this case, but the company also stresses that its responsibility is limited to protecting clients’ websites, not populating or moderating their content.
A former employee explained that DDoS-Guard embraced “Darknet” customers because more legitimate website security companies refuse to work with them, limiting the market’s supply and raising the fees hosting services can charge. Hacker forums like Verified also especially need website-security protection against competitors. A source claims that the U.S. intelligence community first notified Ukraine about DDoS-Guard’s alleged work with Verified, but Meduza was unable to confirm this information independently.
Verified’s IP history, however, strongly indicates that DDoS-Guard has provided services to the scammer forum. Records from ViewDNS show that the forum’s domain, verified.ms, resolved in April 2013 to the IP address “18.104.22.168,” which DDoS-Guard has owned since December 2012. According to the Internet registry for the Latin American and Caribbean regions (LACNIC), the IP address belongs to “DDoS-GUARD Ecuador,” and the listed company contact matches Evgeny Marchenko’s phone number. (Meduza called the number, but Marchenko declined to discuss his business.)
Philip Kulin, the former co-owner of the hosting provider “Diphost,” told Meduza that these digital breadcrumbs make it “almost 100-percent certain” that DDoS-Guard hosted Verified. It’s “virtually impossible,” Kulin says, that an online resource so big could have used someone’s IP address randomly without the owner knowing about it.
Relocating to Russia
In January 2014, before DDoS-Guard even registered as a legal entity in Russia, the company joined a partnership with REG.RU, one of Russia’s biggest domain name registrars, a former employee told Meduza. Before long, DDoS-Guard started working with high-profile clients from the Russian state. Two years after the deal with REG.RU, the firm agreed to protect Russia’s Defense Ministry against denial-of-service attacks. In 2018, DDoS-Guard helped test Russia’s deep packet inspection (DPI) systems (a form of computer network packet filtering with broad applications for Internet censorship), which the federal media regulator is developing in accordance with recent “Internet sovereignty” legislation.
Russia’s Central Bank also does business with DDoS-Guard, the CEO at a major I.T. company told Meduza. Records for the Central Bank’s autonomous system routing prefixes seem to confirm this information: one of the bank’s IPv4 providers is listed as DDoS-Guard.
While working with Russia’s Central Bank, DDoS-Guard continued to host multiple online forums for scammers and hackers. ViewDNS records between 2015 and 2020 show that DDoS-Guard’s IP addresses supported websites like darkode.su, hacker-pro.net, crimeprint.com, and validcc.name. Even when Verified moved to a new domain (verified.vc), the forum still relied temporarily on DDoS-Guard’s IP addresses.
Leonid Evdokimov, a technical consultant for the digital rights civic group “Roskomsvoboda,” reviewed the data tying DDoS-Guard to various hacker communities and found no evidence that refutes the connection. Theoretically, he acknowledges, the company could have subletted its IP addresses, removing DDoS-Guard as the websites’ host, but there’s nothing to suggest that is what happened. Evdokimov also told Meduza that it’s unlikely anyone secretly hijacked DDoS-Guard’s IP addresses, given the unique digital signatures the company uses to establish secure connections between clients and its server.
When hundreds of thousands of protesters in Hong Kong started demonstrating against the mainland Chinese government in 2019, DDoS-Guard began hosting websites connected to a doxxing campaign called “HKLeaks,” which published activists’ names, home addresses, phone numbers, and social media accounts, as well as descriptions of their alleged crimes at demonstrations. The individuals named and shamed on HKLeaks websites were subsequently harassed and threatened. For example, after she was listed online, Hong Kong pro-democracy activist Carol Ng says she got menacing messages from strangers calling her a “cockroach.”
In 2019, Hong Kong’s privacy commissioner, Stephen Wong, ordered the local police to shut down these resources, but they’re still active today. During the protests, powerful groups in China affiliated with the Communist Party actively promoted websites linked to HKLeaks.
A source based in Southeast Asia who works at a multinational I.T. company told Meduza that DDoS-Guard agreed to host hkleaks.ru, hkleaks.pk, hkleaks.pw, hkleaks.cc, hkleaks.kg, and hkleaks.kz. IP history records for these websites corroborate this information: the websites are, in fact, hosted at IP addresses owned by DDoS-Guard.
In October 2019, DDoS-Guard even acknowledged its business with the doxxing campaign, referring to HKLeaks as “our customer.”
Meduza’s source in the region says DDoS-Guard’s claim to political neutrality is absurd, given the direct links between HKLeaks and the Chinese authorities. “If [the company] had instead hosted protesters’ content, the situation would be analogous and, in China, they’d simply have been accused of violating the ban on propagating separatism. So if DDoS-Guard was really apolitical, the best strategy would have been not to get involved in the conflict on either side,” explained Meduza’s source.
Parler the Persecuted
DDoS-Guard made some waves with its work in China in 2019, but the company gained global notoriety in January 2021 when it signed a contract with Parler after Amazon Web Services dropped the right-wing American social network and both Apple and Google removed it from their app stores in the wake of the storming of the U.S. Capitol building on January 6. The tech companies say Parler failed to moderate and remove incitements to violence posted by its users, while Parler CEO John Matze accuses Silicon Valley of a coordinated attack on free speech and an attempt to suppress competition in the industry.
DDoS-Guard has not formally disclosed what services it provides to Parler, citing a confidentiality agreement (and perhaps hoping to avoid being dragged into Parler’s many troubles), but the Russian company has nevertheless encountered problems in the United States, where its U.S. partner, a company called “Coresite,” blocked DDoS-Guard’s access to its own data center last November, after learning that it was hosting the Islamist movement Hamas.
In October 2020, the American cyber-crime journalist Brian Krebs reported that DDoS-Guard was responsible for “hosting the official site for the terrorist group Hamas” and sustaining “a web of sites connected to conspiracy-theory movements QAnon and 8chan [later rebranded as 8kun].”
For its part, DDoS-Guard has tried to distance itself from some of these groups. Earlier this month, co-founder and CEO Evgeny Marchenko told The Guardian that the company cut all ties to Hamas and 8chan after news reports alerted the firm to the nature of the content on these websites. “We don’t support any illegal activity,” Marchenko insisted, reiterating DDoS-Guard supposed political neutrality.
The company’s official “acceptable use policy” requires clients to “use [its] services only for lawful purposes, in compliance with all applicable laws,” and explicitly prohibits activities like drug dealing, intellectual piracy, hacking, gambling, “stalking,” “threatening bodily harm or damage to individuals or groups,” and more.
Meduza has confirmed, however, that the website hkleaks.pk still operates using DDoS-Guard’s IP addresses, despite its purpose as a doxxing initiative against protesters in Hong Kong. Additionally, the company’s Scotland-based subsidiary, “Cognitive Cloud,” still hosts the notorious d****anonstore.to illegal narcotics store at the IP address 22.214.171.124.
“Thank you for informing us about this domain,” spokespeople for DDoS-Guard told Meduza when questioned about the company’s business with the Darknet vendor, vowing an inquiry and repeating that illegal activity violates its acceptable use policy.
But DDoS-Guard would likely be forced to ditch much of its clientele if it audited more closely for criminal activity. Earlier this month, journalist Brian Krebs warned that “a review of the several thousand websites hosted by DDoS-Guard is revelatory, as it includes a vast number of phishing sites and domains tied to cybercrime services or forums online.”
Bad clients, good business
DDoS-Guard is hardly unique for providing hosting and security services to online resources with illegal or objectionable content. A decade ago, the American company “CloudFlare” — one of the biggest firms in the industry — defended “LulzSec” from DDoS attacks after the hacker group compromised several high-profile accounts at Sony Pictures and allegedly knocked out the CIA’s website briefly. After CloudFlare’s involvement was reported, CEO Matthew Prince defended the company, arguing, “[I]f we had removed LulzSecurity.com or any other website from CloudFlare, it would not have removed the content from the Internet.” Prince continued:
“CloudFlare is firm in our belief that our role is not that of Internet censor. [...] While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.”
Admittedly, the company’s position has shifted somewhat in recent years. In 2019, for instance, CloudFlare publicly parted ways with the imageboard 8chan, calling it “a cesspool of hate.”
CloudFlare does plenty of business with questionable clients, says Karen Kazaryan, the CEO of the Internet Research Institute, and many in the industry make little effort to find out if customers are breaking the law or violating the terms of service. CloudFlare prefers to address these problems post factum, waiting to act until enough complaints pour in or until law enforcement gets involved, Kazaryan says.
Every infrastructure provider determines its own “philosophy” on censoring questionable activity by clients, he says. Companies like CloudFlare and DDoS-Guard decline to track customers’ content, leaving the job to the police. Other providers in Europe and the U.S., meanwhile, have built their reputations on refusing to host anyone who trafficks illegal or contentious content. In fact, because many providers won’t work with these shadier resources, less conscientious companies can charge extra. The additional costs involved in hosting more controversial websites also raises fees.
“Each Internet user can automatically connect to our services. Our goal is to protect clients’ resources,” spokespeople for DDoS-Guard told Meduza in response to questions about the company’s business with known scammers and illegal narcotics vendors. “We are not responsible for what people and organizations distribute on their websites, just as an Internet service provider bears no responsibility for the content that its clients view after an Internet connection is made, or for users’ actions once they are online.”
Former “Diphost” co-owner Philip Kulin says hosting providers shouldn’t be saddled with the functions of law enforcement agencies because there are no clear criteria for customers’ good faith. “For example,” he says, “what if a website has somewhat controversial but not outright illegal content? How do you decide if you’re allowed to host it? It’s unclear.”
At the same time, Kulin says DDoS-Guard and its CEO, Evgeny Marchenko, are being disingenuous when they pretend the company doesn’t work with resources that feature illegal content. Kulin explains that hosting clients like Verified or d****anonstore.to would require additional security measures and attract the attention of concerned citizens and law enforcement. “When we hosted a similar resource, people even came to our physical office and said, ‘Remove this infection from your network. We know you’re hosting it.’” It would be impossible to host something as toxic as major portals for scammers and hackers without encountering “concrete problems,” explains Kulin. DDoS-Guard must also be charging higher fees to meet these extra demands, he says.
Karen Kazaryan guesses that Parler, with its 15 million registered users as of January 2021 (including 2.3 million active users), was probably paying Amazon Web Services roughly $1 million annually for hosting and other services. He suspects that the American company hired DDoS-Guard for a similar, possibly higher fee after Internet infrastructure providers in the U.S. blacklisted the social network.
Philip Kulin says customers that struggle to find hosting due to legal or political controversy sometimes pay hosting rates that are five or even 50 times higher than normal. “Between 2009 and 2014, one client in a similar category paid me 1,000 rubles [now $13] a month for hosting and DDoS protection instead of the standard 250 rubles [$3.25]. Another client paid 10,000 rubles [$130]. And with Verified and others like them, the stakes for toxicity and DDoS attacks are something else altogether.”
Abridged translation by Kevin Rothrock