Investigating Anonymous VPS services used by Ransomware Gangs

One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services.

This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.

The year-on-year growing number of CobaltStrike C2 servers hosted on BitLaunch’s services could be an indicator of tacit collusion with cybercriminals, through the facilitation of cheap, quickly procured VPSs that end up being used to launch ransomware attacks on all sorts of victims, including hospitals, schools, governments, companies, and charities.

The concept of aiding and abetting criminal activity in law is essentially when an individual or an organisation intentionally assists, facilitates, or encourages a crime. In this case, it would be aiding and abetting the creation of cybercriminal infrastructure. If a hosting provider ignores clear red flags (e.g., cryptocurrency payments from known illicit sources or use of servers for illegal activities), they might still be held criminally liable for wilful blindness under certain laws.

In the past, authorities have taken down bulletproof hosting (BPH) providers that knowingly support cybercrime, such as CyberBunker and LolekHost. In February 2025, the UK government also sanctioned a Russia-based BPH known as ZSERVERS (aka XHOST) for facilitating LockBit attacks.

A podcast version of the blog is available here.

Who is BitLaunch aka BL Networks aka BLNWX?

Active since at least 2017, BitLaunch (also known as BL Networks or BLNWX) is a virtual private server (VPS) reseller whose autonomous system number (ASN) is AS399629. Up to 48 IPv4 networks belong to BitLaunch, which are used to "instantly launch a Linux or Windows VPS” where customers can “pay hourly with Bitcoin, Litecoin, and Ethereum, with no firm commitments." BitLaunch also supports their customers via a command-line (CLI) tool and a Python library. BitLaunch also operates under another name: in their legal terms and conditions they go by Liber Systems, which has its own separate website.

Why focus on BitLaunch?

BitLaunch is quite interesting as they present themselves as a UK-based company run by two local UK businessmen. Their “anonymous Bitcoin VPS” service is regularly abused for all sorts of cybercriminal activities. What triggered this research was the fact that their nickname “BLNWX” was regularly reappearing in cyber threat intelligence (CTI) vendor reports on ransomware and other cybercriminal campaigns. It is also worth highlighting that while BitLaunch own their own IP networks, they are also a VPS reseller that works with DigitalOcean, Linode, and Vultr, as shown on their website below.

[Screenshot of the BitLaunch website]

One website that reviews so-called “offshore services” (offshore[.]cat) has listed BitLaunch as a “verified” offshore hoster that accepts cryptocurrency, only requires email confirmation to open an account, and is described as allowing anyone to “create VPSs in seconds, using crypto”, making them an attractive hoster for cybercriminals. Their service, paired with their CLI tools and Python libraries, makes it very easy to stand up C2 servers rapidly.

Command and Control (C2) infrastructure on BLNWX

Significant numbers of CobaltStrike C2s among other hacking tools and malware families have been discovered on BitLaunch. I would like to thank the owner of the C2IntelFeedsBot (@drb_ra) account on X/Twitter who assisted with this research by providing their feed of C2 servers discovered on BitLaunch.

The image below shows a sampling of the known C2 servers hosted with BitLaunch between 2021 and 2025. The most notable part of this diagram is the number of CobaltStrike C2 servers in particular. Cobalt Strike is a well-known C2 framework used by organised cybercriminal groups to launch ransomware attacks. It is also favoured by state-sponsored threat groups.

Over the last few years, several dozen C2 servers have been identified by the C2IntelFeedsBot and each year, the number of C2s has continued to grow as more cybercriminals identify BitLaunch as a preferable service to support their ransomware campaigns.

The image below displays the totals calculated between “2021-06-26 12:33:41" and "2025-02-05 18:46:10." It is not a complete picture by any means, but this independently verifiable data gives a decent idea of the rate at which BitLaunch is being used by cybercriminals, and each year since 2022 has trended upwards.

One of the interesting things about CobaltStrike is that it is a commercial offensive security tool (OST). It is issued to legitimate customers through licenses, which have a unique watermark. While there have been several cracked versions of CobaltStrike over the years, it is possible to track certain groups through their usage of the same CobaltStrike versions.

The image below shows the distribution of the CobaltStrike watermarks gathered from BitLaunch. Notably, “0” is the most common. This is often the case when analysing CobaltStrike watermarks, as a watermark of 0 signifies a cracked version.

OSINT collection and analysis of the CobaltStrike watermarks revealed potential connections to several well-known cybercriminal groups using BitLaunch who have a history of conducting ransomware attacks:

  1. “426352781” – This watermark is used by ShadowSyndicate, a ransomware affiliate group tracked by Group-IB which is connected to multiple Ransomware-as-a-Service (RaaS) platforms. This watermark is also historically associated with CobaltStrike Beacons dropped by the Qakbot malware botnet.
  2. “206546002” – This watermark is also used by ShadowSyndicate as well as Blister Loader, PLAY ransomware, and FIN7-linked ransomware operators.
  3. “1580103824” – This watermark was linked to ShadowSyndicate as well, alongside the Cleo exploitation campaign attributed to CL0P ransomware. A threat group tracked by CERT-UA as UAC-0056 has also been observed using this watermark.
  4. “987654321” – This watermark has previously been associated with the IcedID malware botnet and the Dagon Locker ransomware gang.
  5. “1359593325” – This watermark has been used by CobaltStrike Beacons in campaigns attributed to the Russian Foreign Intelligence Service (SVR).
  6. “391144938” and “305419896” – These watermarks have been attributed to multiple Chinese cyber-espionage campaigns tracked by SentinelOne, Recorded Future, Zscaler, and Cisco Talos.

C2s on BLNWX attributed to Ransomware Gangs by CTI vendors

There are a number of CTI reports over the last couple of years that directly reference BitLaunch Networks (BLNWX) IP addresses as Indicators of Compromise (IOCs) as part of high-profile ransomware campaigns.

This includes attribution to the Yanluowang ransomware attack against Cisco, a C2 linked to the JavaScript more_eggs backdoor used by FIN6 (which is connected to ransomware campaigns), a dozen IPs attributed to Rhysida ransomware attacks, a Rhysida and Interlock ransomware precursor campaign tracked as TAG-124, as well as the PaperCut exploitation campaign which involved both LockBit and CL0P.

The VirusTotal graph is available here.

Additional notable CTI alerts that called out BLNWX include a report on Latrodectus, a ransomware precursor campaign, by Proofpoint; Okta-themed phishing campaigns attributed to Scattered Spider, who has carried out ALPHV/BlackCat and RansomHub attacks, by Intel471; infrastructure used to enable the BlackBasta ransomware gang by QuadrantSec, as well as C2 servers of the IcedID malware botnet that has been used by ransomware gangs for initial access.

Assessment of BitLaunch

As of February 2025, BitLaunch's parent firm Liber Systems Limited is run by two UK-based directors, according to UK Companies House. While they are profiting off this Anonymous VPS service, they are not taking the appropriate steps to prevent their service from being used by ransomware and malware gangs. Organised cybercrime groups have evidently found and recognised this about BitLaunch and are leveraging the cheap, crypto-accepting service that doesn’t ask too many questions.

To be fair to BitLaunch, they appear to be responsive to takedowns and are noted on Offshore[.]cat as enforcing DMCA requests. The crux of the issue, though, is that the cybercriminals can use their service to rapidly spin up instances for C2 for a few hours and chuck them away again. This means there is often no need to submit a takedown, as the cybercriminals have already abandoned the C2 and can spin up another one. Therefore, the cybercriminals can continually leverage BitLaunch without interference.

As a security researcher, and not a police officer, I cannot comment on how cooperative BitLaunch have been with the police and it is probably not something BitLaunch would want to advertise to their customers anyway based on who some of their customers are.

For BitLaunch’s two directors, this works out nicely. They can take the cybercriminals’ money via cryptocurrency and also appear to be ethical and compliant by assisting with law enforcement takedown requests. Currently, they appear to be helping both the criminals and the police, and have been getting away with it for years.

On BitLaunch’s front page advertisement, the main selling points they highlight are being able to pay hourly for VPS usage and that customers can pay in “anonymous cryptocurrency.” It is my opinion, and that of other cybersecurity researchers I have spoken to about this (including red teamers and penetration testers), that this service is perfect for C2 servers and almost nothing else legitimate.

The Broader Issue with Anonymous VPSs

In BitLaunch’s blogs, they say they believe the internet should be "open, free, and devoid of interference by any single government or authority", adding that they accept cryptocurrency because "citizens of some countries do not have bank accounts and can use Bitcoin instead", as the local banks control who their citizens can send money to. Their blogs also state that they believe internet users should be allowed to run their own virtual private networks (VPNs) for anti-surveillance and privacy reasons, and they provide lots of guides on how to configure private VPNs for this purpose. While this is a legitimate service that is useful for some people in specific situations, having it abused by ransomware gangs is a situation that needs to change.

This issue of selling anonymous VPSs is not specific to this one company. BitLaunch is obviously a small company, and proactively preventing cybercriminals from registering VPSs on their service is an expensive and multi-pronged challenge for any hoster, which includes preventing abuse while preserving the privacy of their customers.

Hosters such as BitLaunch could use services such as Shodan, Abuse.ch, GreyNoise, AlienVault OTX, and AbuseIPDB to check if their IP addresses are being abused. One interesting example of a hoster trying to tackle this issue is how PQ Hosting (aka Stark Industries Solutions) announced publicly on their blog that they have partnered with Team Cymru, a netflow security intelligence firm. Alternatively, hosters could use a blockchain analytics platform like Chainalysis, TRM Labs, or Arkham Intelligence to trace cryptocurrency payments from known illicit wallet clusters.
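As an added illustration of the self-check described above, and of the per-year and watermark breakdowns from the C2 section earlier, the script below (example code written for this post, not BitLaunch's or any feed vendor's code) matches a constructed C2 feed against a hoster's own prefixes and summarises the hits. The feed layout, IP addresses (RFC 5737 documentation ranges) and prefix list are all made up; only the two named watermarks come from the list above.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample feed (first_seen, ip, family, watermark).
# Layout and values are invented for illustration; they are NOT real indicators.
SAMPLE_FEED = """\
2022-03-14T09:12:00,198.51.100.10,CobaltStrike,0
2022-11-02T17:45:00,198.51.100.77,CobaltStrike,426352781
2023-05-21T03:30:00,203.0.113.5,CobaltStrike,0
2023-08-09T22:01:00,198.51.100.200,OtherFamily,
2024-01-17T11:11:00,198.51.100.33,CobaltStrike,206546002
2024-06-30T08:00:00,192.0.2.44,CobaltStrike,0
"""

# Hypothetical prefixes a hoster would load from its own IPAM / BGP announcements.
HOSTER_PREFIXES = ["198.51.100.0/24"]

def parse_feed(text):
    """Yield (first_seen, ip, family, watermark) tuples; watermark is None when blank."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, family, wm = line.split(",")
        yield (datetime.fromisoformat(ts), ipaddress.ip_address(ip),
               family, int(wm) if wm else None)

def hits_on_prefixes(records, prefixes):
    """Keep only records whose IP falls inside one of the hoster's own prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [r for r in records if any(r[1] in n for n in nets)]

def summarise(hits):
    """Return (C2 count per year, CobaltStrike watermark distribution)."""
    per_year = Counter(r[0].year for r in hits)
    # Watermark 0 is labelled 'cracked': licensed builds carry a non-zero licence ID.
    watermarks = Counter(
        "cracked (0)" if r[3] == 0 else str(r[3])
        for r in hits if r[2] == "CobaltStrike" and r[3] is not None
    )
    return per_year, watermarks

if __name__ == "__main__":
    hits = hits_on_prefixes(list(parse_feed(SAMPLE_FEED)), HOSTER_PREFIXES)
    years, wms = summarise(hits)
    for year in sorted(years):
        print(f"{year}: {years[year]} C2 server(s) seen on our prefixes")
    print("CobaltStrike watermarks:", dict(wms))
```

A hoster would swap SAMPLE_FEED for a real feed export and HOSTER_PREFIXES for its announced ranges; a rising per-year count or a cluster of known-bad watermarks is the signal to act on before a takedown request arrives.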

There will, however, always be some threats that slip through the net. It is undoubtedly a difficult challenge for small hosters who do not have funds to spend on network observability tools or CTI platforms. Even some of the world’s largest hosters, such as Cloudflare, struggle with this and end up having their services abused for cybercrime operations.

The anonymous VPS problem could be compared to issues in other industries such as stolen funds being used to buy gift cards or game keys that are then resold for money laundering. Another platform often abused for a variety of scams and phishing campaigns is Gmail. Is Google being wilfully negligent to cybercrime happening on their platform? That’s a question I shall leave for readers to decide on their own.

Overall, this type of issue is analogous to a hotel offering rooms for the night and organised criminals renting them to commit various types of crimes inside them. Ultimately, the criminals are the ones breaking the law, not the hotel, but if the hotel is constantly being made aware of these activities by bystanders and law enforcement, it is their duty to shut that activity down to the best of their abilities.

What the UK Could Do About It

In this scenario around BitLaunch, there are three potential ways the UK could help stop these small hosters being taken advantage of by cybercriminal operations.

Firstly, the cybersecurity and hosting industry could launch an initiative through institutions such as the British Computer Society (BCS) that would work to convince hosting providers that the hassle of being investigated by law enforcement agencies, sanctions, or the chance of being arrested is not worth the funds generated from selling C2 servers to cybercriminals.

Secondly, as BitLaunch (or Liber Systems) is registered here, the UK Government Department for Science, Innovation, and Technology (DSIT) could work with them and other small hosters to regulate the industry and provide support to these businesses to warn them of the dangers of offering unregulated VPS services and inform them how they contribute to the damage that ransomware attacks are having on the UK and elsewhere.

Thirdly, providing free network observability services to hosters could also help them proactively shut down C2 servers before they are weaponised against victims. All UK hosters can sign up to the free UK government-provided service called MyNCSC, offered by the UK NCSC, which is part of GCHQ. Hosters will then get alerts when MyNCSC detects that their IPs are flagged for hosting C2 servers (such as CobaltStrike).

As the UK government’s mandate is to “make the UK the safest place in the world to live and work online”, tackling the issue of these UK-based hosters supporting ransomware should also be one of those priorities.

Indicators of Compromise

Historic Malicious BLNWX IP addresses are available below:
