Cyberbunker, Part 2

Spamhaus's decision to add Cyberbunker to its lists of spam sources led the Stophaus coalition to initiate a DDoS attack later dubbed “The attack that almost broke the Internet.” The fallout from this attack led to Cyberbunker relocating to a bunker in Germany - but it was the involvement of an Irish drug lord known as 'The Penguin' that led to the bullet-proof hosting company's downfall.

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, which had over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.


On March 18, 2013, StopHaus – a loose coalition of bulletproof hosting services and various dark web criminal kingpins – announced ‘Operation Stophaus’. The operation’s target was The Spamhaus Project: an international organization dedicated to protecting the public from email spam, web scams and similar threats. 

The impetus for the operation was Spamhaus’s decision to add Cyberbunker – a bulletproof web hosting outfit, operating from a nuclear-era subterranean bunker in the Netherlands – to its lists of spam sources. These lists are used by numerous ISPs all over the world to block such spam before it even reaches their customers. 

Spamhaus has a well-deserved reputation for standing bravely against some of the most dangerous dregs of the Internet's back alleys – but Cyberbunker was not your ordinary, run-of-the-mill bulletproof hosting company, either. Most bulletproof hosters choose to establish their base of operations in countries where law enforcement is lax, such as Russia or some African countries, as far away from the long arm of Western law agencies as possible. But not Cyberbunker. Its founders, Dutchmen Herman Johan Xennt and Sven Olaf Kamphuis, held deep anti-authoritarian views – and in the mid 1990s decided to test the resolve of the Dutch authorities to the limit by operating a bulletproof web hosting datacenter outside a peaceful Dutch town in the south of the country, inside an old NATO cold-war nuclear bunker. 

Unfortunately for them, a fire that broke out inside the bunker drew the authorities' attention to their operation, and later decisions – such as their willingness to host the high-profile but hotly disputed Pirate Bay BitTorrent tracker – brought them even further into the public eye. Ultimately, Spamhaus decided to take action against the rogue hosting service, first cutting it off from its bandwidth providers – and then adding Cyberbunker itself to its blacklists. 

Operation Stophaus

Sven, Xennt and their friends in the underworld rallied against Spamhaus. The Stophaus coalition issued a public statement, calling The Spamhaus Project “an offshore criminal network of tax circumventing self declared internet terrorists, pretending to be ‘spam’ fighters”, and demanding that Spamhaus cease its blacklisting activity and –

“Compensate each and everyone ever listed, for damages, regarding the man hours and financial resources spent.”

The ever-resourceful Brian Krebs got his hands on a series of Skype and IRC chats between Stophaus’s members – including Sven Kamphuis – whose content clearly shows them planning the attack, with most of the actual work delegated to a mysterious hacker who went by the name ‘Narko’. 

And indeed, a day later, on March 19th, Spamhaus became the target of a large DDoS attack that knocked its website and mail servers offline. Krebs’s chat log recorded the celebrations at Stophaus, with Sven proudly announcing – 

“rokso [one of Spamhaus’s blacklists – RL] no longer exists haha”

And other members cheering: ‘hell yeah!’ and ‘hit them hard!’.

A few hours after the attack began, realizing that they could not handle it by themselves, a Spamhaus admin contacted CloudFlare, a company specializing in DDoS mitigation, and asked for help. CloudFlare agreed and went into action. Matthew Prince, its founder and CEO, recalled the events in a blog post. 

“Spamhaus signed up for CloudFlare on Tuesday afternoon and we immediately mitigated the attack, making the site once again reachable. […] Once on our network, we also began recording data about the attack. At first, the attack was relatively modest (around 10Gbps). There was a brief spike around 16:30 UTC, likely a test, that lasted approximately 10 minutes. Then, around 21:30 UTC, the attackers let loose a very large wave.”

CloudFlare’s defence against the DDoS attack rested on Anycast routing. Spamhaus’s site was served from all 23 of CloudFlare’s datacenters at the time, spread around the world, and every one of them announced the same IP addresses to the Internet. Since each network that hears those announcements routes packets to whichever announcing location is closest to it (in routing terms), the torrent of data aimed at Spamhaus – emanating from sources scattered across many networks – was effectively divided between 23 different destinations instead of converging on one. As Prince explained – 

“When there’s an attack, Anycast serves to effectively dilute it by spreading it across our facilities. Since every data center announced the same IP address for any CloudFlare customer, traffic cannot be concentrated in any one location. Instead of the attack being many-to-one, it becomes many-to-many with no single point on the network acting as a bottleneck.”

Narko, the hacker who led the DDoS attack against Spamhaus, stepped up his efforts. On March 19, he blasted CloudFlare with 90 gigabits of traffic per second – and three days later, 120 Gb/s. It was a huge DDoS attack, well above what CloudFlare handled on a typical day – but its engineers had already seen attacks of that scale, and CloudFlare – and Spamhaus – remained online. 

“I don’t understand this,”

Wrote Narko in the group chat, 

“How can cloudflare take 100gbps of UDP and latency is not even increased by 1ms? […] I took down Sprint, I took down Level3, I took down Cogent – but cloudflare nothing! Back in 2009 CloudFlare went down with 10gbps.”

Narko then decided to take things to the next level. He turned to a well-known weakness in the DNS ecosystem – open resolvers that will answer queries from anyone, combined with the fact that UDP lets a sender forge its source address – to mount what’s known as a ‘DNS amplification attack.’ 

“The attack that almost broke the Internet”

Simply put, when a DNS resolver receives a request for a domain name – malicious.life, for example – it returns a response carrying the records for that name, such as its IP address. DNS queries normally travel over UDP, which performs no handshake, so the resolver has no way of verifying who really sent a request. Narko made use of that fact: he spoofed the source address of the requests he sent to thousands of open resolvers, so that the responses were delivered not to the machines that actually sent the requests – but to CloudFlare’s servers.

Crucially, a DNS response can be much, much larger than the request: a 36-byte request, for example, can elicit a response of around 3,000 bytes – an amplification factor of almost 100. This meant that by pointing a meager stream of spoofed requests – about 2.5 megabits per second per resolver – at thousands of open DNS resolvers, Narko could have them send roughly 300 Gb/s of traffic at CloudFlare’s servers: the largest DDoS attack publicly reported up until then. 
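What that amplification looks like on the wire, and how a defender might spot it, as an added example that is not part of the podcast and is not Cloudflare’s or Spamhaus’s code: the script below (standard-library Python) builds a DNS ‘ANY’ query carrying an EDNS0 option that advertises a large UDP buffer, constructs a response to it to measure the amplification factor, and then runs a simple asymmetry check over constructed NetFlow-style records to flag open resolvers reflecting traffic at a victim. The query type, the record count, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for illustration, not figures from the attack.

```python
# Added example (not from the podcast, Cloudflare or Spamhaus): build a DNS
# query in wire format, measure how much larger a constructed response is, and
# flag amplification traffic in constructed flow records. Standard library only.
import struct


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, ending with 0x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """One UDP DNS query: 12-byte header, question, and an EDNS0 OPT record.

    qtype 255 is ANY, the classic amplification query; the OPT record advertises
    a large UDP payload size so the resolver will send a big answer in a single
    datagram. (The attacker's exact query is an assumption; the page only gives sizes.)
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, the "class" field carries the UDP size.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def build_response(query: bytes, n_records: int) -> bytes:
    """Constructed answer to `query` with n_records A records of 16 bytes each
    (name as a compression pointer to the question, type, class, TTL, rdlen, IPv4).
    Real ANY answers mix record types; the count here is an assumption."""
    txid = struct.unpack("!H", query[:2])[0]
    question, opt = query[12:-11], query[-11:]  # our query ends with an 11-byte OPT
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_records, 0, 1)  # QR, RD, RA
    record = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + record * n_records + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(query)


def flag_dns_amplification(flows, victim, ratio=10.0, min_bytes=100_000):
    """Flag resolvers flooding `victim` with UDP source-port-53 traffic it never asked for.

    `flows` are NetFlow-style dicts (src, sport, dst, dport, proto, bytes). An honest
    resolver exchange is roughly symmetric; reflected traffic is large, one-sided and
    arrives from many resolvers at once. Both thresholds are assumptions.
    """
    inbound, outbound = {}, {}
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst"] == victim and f["sport"] == 53:
            inbound[f["src"]] = inbound.get(f["src"], 0) + f["bytes"]
        elif f["src"] == victim and f["dport"] == 53:
            outbound[f["dst"]] = outbound.get(f["dst"], 0) + f["bytes"]
    return sorted(ip for ip, b_in in inbound.items()
                  if b_in >= min_bytes and b_in > ratio * max(outbound.get(ip, 0), 1))


VICTIM = "203.0.113.10"  # constructed: documentation address standing in for the target


def sample_flows():
    """Constructed flow records: one honest resolver exchange plus five reflectors."""
    flows = [  # the victim's own resolver: small query out, modest answer back
        {"src": VICTIM, "sport": 40123, "dst": "198.51.100.53", "dport": 53, "proto": "udp", "bytes": 74},
        {"src": "198.51.100.53", "sport": 53, "dst": VICTIM, "dport": 40123, "proto": "udp", "bytes": 312},
    ]
    big = len(build_response(build_query("malicious.life"), 185))
    for i in range(1, 6):  # open resolvers each reflecting ~2,000 spoofed queries at the victim
        flows.append({"src": f"192.0.2.{i}", "sport": 53, "dst": VICTIM, "dport": 40123,
                      "proto": "udp", "bytes": big * 2000})
    return flows


if __name__ == "__main__":
    q = build_query("malicious.life")
    r = build_response(q, 185)
    print(f"query {len(q)} B, response {len(r)} B, amplification x{amplification_factor(q, r):.0f}")
    print("reflecting resolvers:", flag_dns_amplification(sample_flows(), VICTIM))
```

The detection half is the part a network operator can actually act on: the victim cannot stop spoofed queries from reaching open resolvers, but inbound UDP/53 volume from addresses it never queried is a clean signal, and the same asymmetry test on the resolver's own side (many identical queries for one name, all claiming the same source) is how an open resolver finds out it is being used as a reflector.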

This gargantuan stream of traffic finally overwhelmed CloudFlare’s servers, and it briefly went offline. But it was not only CloudFlare itself that was affected by the attack – so were the companies from which it buys bandwidth, known as ‘Tier 2’ Internet providers. Even they could not absorb that much traffic, and so the problem spilled over to their own providers – the ‘Tier 1’ bandwidth providers. 

Tier 1 providers are the entities that form the actual backbone of the Internet: the fifteen or so organizations that join all the Tier 2 providers together and thus make the Internet a single global network. This also means that there isn’t anywhere else for the flood gushing through the cables to go: when a Tier 1 provider’s links are swamped by a DDoS attack, packets are dropped on those links, and connectivity degrades for everyone whose traffic shares them – not just the target. CloudFlare’s Matthew Prince called it – “The attack that almost broke the Internet.”

“Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.”

Later reports, such as an investigation by Gizmodo, claimed that the effects of the DDoS attack were not as severe as CloudFlare described, and that the Tier 1 providers were more than capable of handling that amount of data. It’s hard to know for sure: due to the Internet’s distributed nature, different networks can see very different traffic conditions. Nevertheless, the elated Sven took to Facebook to brag to his followers: 

“my 3850 facebook friends 😛 www.spamhaus.org still down, and that criminal bunch of self declared internet dictators will still remain down, until our demands are met 😛 over 48h already 😛 resolving your shit. end of the line buddy 😛 should have called and paid for the damages.”

It seems that these brazen boasts, on Sven’s own personal Facebook profile, impressed Narko, who wrote to Sven in their group chat – 

“You have very big balls. Writing DDoS threats on facebook? I would not even do that and I am the person doing the attacks 😛 lol.”

However, Narko became less impressed when, a few hours later, Spamhaus managed to trace the attack back to his own network – and retaliated by blacklisting his IP address range. 

“Spamhaus [blacklisted] my site and my host will terminate me unless spamhaus tells them that it’s ok. Fucking internet police.”

Narko became even more worried when one of his buddies at Stophaus, wishing to brag about the successful attack, posted a screenshot of their chat on a public forum – with Narko’s Skype handle visible in it. 

“Who posted the screenshot on [the forum]? please remove it. It has written my skype name. […] FBI in USA already has a case on me ddosing before, they were going to people in america and asking them questions about me.”

Narko’s concern might be the reason why, after about a week of constant bombardment, Stophaus called off the DDoS attack on Spamhaus. 

Arrests

And Narko was right to be worried. Less than a month later, the UK’s National Crime Agency (NCA) was able to use that Skype handle to track down Narko’s real-world location, and arrested him in his London home. Narko, it turns out, was a 16-year-old kid named Sean Nolan McDonough. He was probably hired by the StopHaus coalition, and it was this unusual flow of money into the teenager’s bank account that initially drew the UK authorities’ attention. According to Brian Krebs, when police officers raided McDonough’s home they found his computer still logged on to various cybercrime forums. McDonough was later convicted, but avoided jail time due to his young age and his cooperation with the authorities. 

Sven Kamphuis, meanwhile, was also on the run. His involvement in the attack was undeniable, mainly due to his very public posts, such as this one on Facebook:

“Yo anons, we could use a little help in shutting down illegal slander and blackmail censorship project ‘spamhaus.org,’ which thinks it can dictate its views on what should and should not be on the Internet.”

It’s possible that Sven truly believed that his status as a self-proclaimed official representative of the “Republic of Cyberbunker” would really provide him with diplomatic immunity. If not, it’s difficult to explain why, when he rented an apartment in a small Spanish village outside Barcelona, he had his true name written on the mailbox, and parked his van – packed full of electronic equipment and bristling with suspicious-looking antennae – right outside the house. Even the Spanish police officer who arrested him was baffled by Sven’s behavior. 

“He claimed he had diplomatic status. He said he was the telecommunications minister and foreign minister of a place called the Cyberbunker Republic. He didn’t seem to be joking.”

Sven was extradited to the Netherlands, where he stood trial for his role in the DDoS attack against Spamhaus. Amazingly, he was sentenced to only 240 days in prison – and even that puny sentence was suspended, so that Sven never spent a day in a Dutch prison. 

Cyberbunker relocates to Germany

As expected, the huge DDoS attack and the subsequent arrests brought with it a renewed surge of media attention towards Cyberbunker. Reporters rushed to the Kloetinge bunker, hoping to learn more about the mysterious company. 

But when they got to the bunker, they were surprised to learn that… Cyberbunker was no longer there. In fact, it hadn’t been there for quite a while – a few years, at minimum. It turns out that in spite of Johan Xennt’s bravado and tales of humiliated firemen and SWAT teams, Kloetinge’s city council’s efforts to banish the bulletproof host from the town had in fact been successful, and Cyberbunker had relocated its servers elsewhere. This meant that, somewhat unsurprisingly, for a few years at least Cyberbunker was scamming its own clients, telling them that their data was stored in an ultra-secure bunker, when in reality it was kept in a standard office space in Amsterdam.

Perhaps because of the unflattering media attention, Xennt decided in 2013 to buy yet another bunker for his hosting company – this time in a German town called Traben-Trarbach. That bunker, built by the West German military in the 1970s, originally housed a meteorological institute that employed some 400 people, half of whom lived in the small adjacent town. When the German military decided to relocate the institute elsewhere in 2012, Traben-Trarbach suffered a major financial blow. This is why, when the eccentric Dutchman showed up and promised the town council that his company would bring a hundred – maybe even two hundred – new jobs to Traben-Trarbach, the town’s officials approved the purchase, even though they were well aware of Xennt’s troubled past. 

And so Cyberbunker once again started hosting all sorts of dubious websites and services, such as Dark Web marketplaces and forums for selling drugs, counterfeit money and fake identifications. The company employed several programmers and technicians to keep the servers running, unpaid interns who wished to gain practical experience, and janitors who did the cleaning and gardening. 

But unbeknownst to Xennt, one of the janitors was actually an undercover agent. 

The Penguin

Having a bona fide Cold War nuclear bunker might have been great in terms of PR – but unfortunately for Xennt, it was also extremely expensive to maintain. Apart from the cost of buying the place and maintaining its numerous rooms and halls, there were also the costs associated with running the datacenter itself: the electricity bill alone, for example, was about 15 thousand dollars a month. CyberBunker wasn’t making enough money to cover all those expenses, and so Xennt started looking for other profitable lines of business. 

He came up with an interesting idea: a high-security messaging app that would let its users exchange stealthy encrypted messages, and that included a panic button allowing them to quickly erase their data in an emergency. Obviously, Xennt’s intended customers were the same shady characters who rented his bulletproof hosting services. 

But creating the app required a substantial initial investment which Xennt was unable or unwilling to make, and so he turned to a long-time acquaintance of his – a 60-year-old Irishman who went by the name of ‘The Penguin.’ His real name was George Mitchell, and he acquired the nickname while working in a chocolate factory that made “Penguin” candy bars. 

But don’t be confused by the adorable moniker: Mitchell was a drug lord, listed by Europol as one of the top-20 drug traffickers in Europe. He was known to be involved in smuggling heroin, cocaine and weapons into Europe, and the Irish newspapers often referred to him as the ‘Godfather’ of organized crime in Ireland. 

Xennt and Mitchell entered a business partnership, and the Irish drug lord became a regular visitor to the Traben-Trarbach bunker. Although he called himself ‘Mr. Green’, his true identity quickly became known to Cyberbunker’s employees, some of whom were understandably scared by him. 

It appears that in 2015, one of the hosting company’s young interns approached an Irish tabloid, The Sunday World, and offered it candid photos of the crime lord. Apparently, this was the first time in twenty years that anyone had managed to photograph The Penguin. A few weeks later, the tabloid ran an extensive front-page exposé about Mitchell’s new technological aspirations. 

The Raid

It is conceivable that, had Xennt not partnered with Mitchell, Cyberbunker would have managed to fly under the radar of the German authorities. But as it happens, someone in Germany read the Sunday World exposé and became alarmed by the presence of an Irish mafia boss on their home turf. 

The German police sprang into action. The prosecutors faced a tough challenge: hosting shady websites isn’t, by itself, a crime in Germany. They would have to prove that actual illegal activity, such as drug trafficking, was taking place on Cyberbunker’s servers – and that Xennt was aware of it. 

The investigators got a warrant to investigate the company, and Cyberbunker’s employees were placed under surveillance: their phones were bugged and GPS trackers were placed on their cars. The data cable going into the bunker was also tapped, gathering incriminating evidence about the illegal markets and forums hosted on the servers. The Penguin’s phone was bugged as well. According to a report by The New Yorker, the German investigators also bought thousands of dollars’ worth of Bitcoin, and used it to host their own fake scam website on Cyberbunker’s servers. Finally, an undercover agent infiltrated the organization, posing as a janitor – a position that allowed them free access to most of the bunker’s rooms, including Xennt’s own personal office. 

In September 2019, the case’s prosecutor decided that he had enough evidence to warrant a raid on Cyberbunker. There was, however, one major problem: it was obvious that breaking into the fortified bunker would take a long time – time that would allow Xennt to erase all the incriminating information stored on the servers. 

So the German police hatched a clever plan. The undercover agent lured all of the company’s employees – including Xennt – out of the bunker, pretending to throw a lavish dinner party at a local restaurant. The bunker was left empty. As evening fell on Traben-Trarbach, Xennt and his merry band were feasting on delicious trout and splendid wine – but unbeknownst to them, most of the restaurant’s other patrons were actually plainclothes police officers. 

Shortly after 6 pm, the signal was given. Police forces stormed the restaurant and arrested the dinner’s attendees, while a long line of black vans carrying no fewer than six hundred and fifty law enforcement officers approached the bunker and surrounded it. According to a regional police chief – 

“…We were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center.”

Johan Xennt and six of his people – including two of his sons – were taken into custody, and the German police seized about 200 servers, as well as 41 million dollars’ worth of funds allegedly tied to the various dark web markets hosted on Cyberbunker’s servers. 

The investigators were surprised to learn just how badly Cyberbunker’s clients’ data was protected. Hard drives carrying incriminating data, which were supposed to have been destroyed, were piled up inside the bunker, and the police even found an unencrypted Excel spreadsheet with all the passwords in it. The whole operation, commented one investigator, turned out to be wholly amateurish – quite the opposite of the tough, hardcore, no-nonsense security image that Cyberbunker projected on its website. A police prosecutor told the German newspaper Der Spiegel that when they scoured the two petabytes of data stored on the seized hard drives, the investigators were “unable to find even a single legal site”…

The information on the disks allowed the police to link Xennt and some of his employees to various criminal websites, and even to a Denial of Service attack on Deutsche Telekom, the German telecommunication company, that impacted about 1 million of its customers. In December 2021, Johan Xennt was sentenced to five years and nine months in a German prison. 

George Mitchell, the Irish drug lord, was never arrested. According to the investigators, even though he was under constant surveillance, The Penguin never slipped up and exposed any incriminating evidence against himself. 

Epilogue

Thus ended the bizarre and somewhat comical story of Cyberbunker. It’s possible that Xennt’s long prison sentence might convince him to leave the world of bulletproof web hosting behind – but it seems Sven Kamphuis hasn’t learned his lesson: he still occasionally gives media interviews, taking the role of an unofficial spokesperson of the dark underworld of Internet crime. I have a feeling we’ll hear more from him in the future. 

In a way, Cyberbunker was a kind of experiment. The question it tried to answer was: can turning a strong, almost impenetrable nuclear bunker into a datacenter enable a bulletproof hosting service catering to cyber criminals to operate freely in a lawful Western country? 

I think an Ars Technica commenter summed up the answer in pretty marvelous way:

“Also, a hearty laugh at someone hosting “secure from law enforcement actions and operational regardless of legal demands” in the most economically powerful nation of the European fucking Union. Hubris and arrogance does not even begin to describe that mindset. You want to truly weather the storm? Go setup shop in some barely-functional state in Africa or out in the middle of the Siberian tundra.”