
Bulletproof Hosting
Definition, jurisdiction, and where legitimate offshore sits.

The term covers three distinct operator profiles that share marketing language but not operational reality. We separate them honestly, explain what we actually run, and walk through how to evaluate providers if you are looking for offshore infrastructure for legitimate use cases.

Quick answer

Bulletproof hosting is web hosting that resists takedown requests by operating in jurisdictions outside US legal reach, primarily the Netherlands, Bulgaria, Romania, Iceland, and similar locations. The term originated for legitimate offshore use but has drifted to imply criminal infrastructure. Legitimate operators in 2026 typically avoid the label while still operating with the same jurisdictional structure. Pricing ranges from $5/month for gray-market resellers to €150+/month for premium offshore. Spamhaus, whose blocklists the major mailbox providers consume, lists most criminal bulletproof IP ranges, which is why legitimate offshore email infrastructure requires different sourcing.

Key facts about bulletproof hosting

  • Origin year: The term entered industry use in the early 2000s, with the Russian Business Network (RBN) becoming the first widely publicized example after VeriSign research in 2006 linked it to approximately $150 million in phishing scams.
  • McColo takedown: The November 2008 shutdown of McColo by upstream providers Global Crossing and Hurricane Electric reduced global spam volume by an estimated 65-75% in the following weeks (Wikipedia: McColo).
  • Common jurisdictions: Netherlands, Bulgaria, Romania, Moldova, Iceland, Panama, Hong Kong, Belize, Seychelles. Each has copyright frameworks distinct from US Section 512.
  • Pricing range: $5/mo (gray-market shared) to €500+/mo (premium dedicated with DDoS protection in Switzerland or Iceland).
  • Spamhaus blocklisting: Most known criminal bulletproof autonomous systems are listed on the Spamhaus ASN-DROP and DROP lists, which means that 95%+ of mailbox providers reject their mail.
  • CISA guidance: November 2025 CISA guidance recommends ISPs implement KYC capabilities to raise barriers for criminal bulletproof providers leasing legitimate upstream infrastructure.
  • Wikipedia classification: The Wikipedia article on bulletproof hosting explicitly frames it as serving "criminal actors as a basic building block for streamlining various cyberattacks" (Wikipedia).
  • Notable takedowns: McColo (2008), Avalanche (2016), LolekHosted (2023), EnergyZX, several smaller operations through coordinated FBI/Europol action.

What "bulletproof hosting" originally meant

The phrase entered the industry vocabulary in the early 2000s. The use case it described was specific. A hosting provider operates in a jurisdiction outside the reach of US copyright enforcement. The provider refuses to honor DMCA takedown notices because they have no legal force in that jurisdiction. A site hosted there was, in the language of the era, bulletproof against the most common legal mechanism for getting content removed from the internet.

The term was originally neutral. It described an operational posture, not a moral one. A whistleblower publishing classified documents wanted bulletproof hosting. A pirated software warez site wanted bulletproof hosting. A small publisher wanting to host a controversial opinion column wanted bulletproof hosting. The infrastructure was the same. The use case varied.

Over the next two decades the term drifted. In trade press and security research, "bulletproof hosting" came to describe specifically the infrastructure used by criminal operations: phishing kits, malware command and control, credential theft, ransomware staging servers. Academic research papers on bulletproof hosting now reference malware ecosystem mapping rather than legitimate offshore use cases. The Wikipedia article defines it explicitly as criminal infrastructure: "technical infrastructure service provided by an internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks."

This puts legitimate operators in an awkward position. We serve a market that overlaps partially with the use cases the term originally covered: journalism, adult content where appropriate, political speech, cold email at scale, crypto services unwelcome at mainstream hosts. We do not serve the criminal use cases. Using the term "bulletproof" puts us in a marketing category we do not belong to. Not using the term means explaining at length what we actually do, which is what this page does.

Three operator profiles that share the bulletproof label

Look closely at the market and you find three distinct operator profiles all using or being described by the same term.

Profile 1: Legitimate offshore providers

Servers in the Netherlands, Bulgaria, Romania, Iceland, or similar jurisdictions where copyright is enforced through the local court system rather than ex parte takedown notices. The provider has a legal entity in its operating jurisdiction. It has lawyers. It honors court orders that have legal force locally. It does not honor takedown notices that have no local jurisdiction. This is the profile that includes operators like AbeloHost (Netherlands), FlokiNET (Iceland/Romania), Njal.la (Sweden), AlexHost (Moldova), Shinjiru (Malaysia/multiple), and many smaller operators including us.

Profile 2: Gray-market resellers

Servers leased from larger providers, sometimes through multiple layers of resale. No real legal entity in the advertised offshore jurisdiction. The provider markets aggressively on warez forums, Black Hat World, and adjacent communities. The customer relationship is transactional and disappears after payment. When pressure comes from upstream, the reseller folds, terminates the customer, and moves to another upstream. This profile is overrepresented in "Top 10 Bulletproof Hosts" listicles. We do not compete in this segment.

Profile 3: Criminal infrastructure operators

Servers in jurisdictions chosen specifically for law enforcement opacity, customer relationships maintained through encrypted channels, payments in privacy coins that the operator never converts to fiat. The customer base is malware authors, phishing operations, and ransomware groups. The operator knows what the customers do and charges premium prices for the tolerance. When these operators are taken down, it is usually through international coordination involving the FBI, Europol, and local law enforcement. Examples that made public news include McColo (2008), Avalanche (2016), LolekHosted (2023), and IP Volume (formerly Ecatel/Quasi Networks/Novogara), which was raided by Dutch FIOD in September 2020.

Comparison: legitimate offshore vs gray-market vs criminal BPH

The three profiles can be compared across operational properties. The differences determine whether you can run a sustainable operation on them.

Property                 | Legitimate Offshore                    | Gray-Market Reseller          | Criminal BPH
-------------------------|----------------------------------------|-------------------------------|--------------------------
Legal entity             | Real entity in operating jurisdiction  | Shell, often offshore mailbox | Layered shell companies
Hardware                 | Owned or colocated                     | Resold from larger providers  | Mixed, often compromised
Pricing                  | €25-€500/mo                            | $5-$30/mo                     | $200-$2000+/mo
Customer base            | Vetted, legitimate operators           | Anonymous, mixed quality      | Criminal actors
Response to court orders | Honors local orders                    | Folds under pressure          | Resists all orders
Years operating          | 5-20+ years typical                    | 1-3 years, high churn         | Variable, often takedown
Spamhaus listing         | Usually clean                          | Mixed, frequent listings      | Almost always listed
Refunds/SLA              | Real refund policy                     | No refunds, 7-30 day terms    | No refunds

The Wikipedia definition vs operational reality

The Wikipedia entry describes bulletproof hosting in unambiguously criminal terms. It is worth quoting directly: "BPH providers allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation, despite takedown court orders and law enforcement subpoenas." This is the public encyclopedic definition. It is also the framing used in CloudSEK's knowledge base article, Censys' threat intelligence research, and most academic security papers.

The operational reality includes a meaningful category of legitimate offshore providers who are technically resistant to many takedown mechanisms but who do not serve the criminal customer base Wikipedia describes. We are in this category. So are several other providers we respect even when we compete with them. The semantic gap between the encyclopedic definition and the operational segment is real and worth being honest about.

The Censys threat intelligence team explicitly notes the difficulty of attribution in their February 2026 research: "abuse tolerance does not automatically imply malicious intent. Reseller ecosystems further blur the picture by allowing multiple, unrelated actors to appear indistinguishable at the network and infrastructure layers." This is the structural problem. The network-level signals that identify criminal BPH also catch legitimate offshore. The differentiation requires context that automated systems do not have.

Where ASH sits and how we got here

ASH started because we needed offshore infrastructure for our own email operations. The hosting providers we tried at the start of the operation, mainstream cloud and the small specialty offshore market, were either unwilling to host email at our volume or unable to provide the deliverability practices we needed. We started running our own infrastructure to solve our own problem.

When we opened to customers it was a deliberate decision about what business we were in. We could have positioned as bulletproof and competed in the gray market. The economics would have been straightforward: lower customer acquisition cost, easier marketing in forums where the gray market lives. The downsides would have been the customer base we ended up with and the operational consequences of supporting it. The gray market churns through abuse complaints, IP blacklisting, and continuous fire-fighting at the deliverability layer. We did not want that operational profile.

The market we serve instead is operators who need offshore properties but not criminal tolerance:

  • Cold outreach agencies running multi-domain campaigns where mainstream ESPs are reluctant
  • B2C newsletter publishers serving audiences across jurisdictions with different content rules
  • Privacy-grade businesses that want minimal data exposure on signup
  • Crypto services that have been kicked off mainstream hosting for nothing they did wrong
  • Adult industry operators serving legitimately permitted content under their jurisdiction
  • Journalists publishing under hostile governments
  • Activists and NGOs in countries with weak press freedoms

These operators do not need bulletproof in the criminal sense. They need offshore in the legal sense. They need crypto payment because their banking relationships are fragile. They need no-KYC because their threat model includes leakage of identity into government databases. They need deliverability work because their business depends on email delivery, not just connectivity. We built for that profile.

How takedown pressure actually works in practice

The honest description requires distinguishing between several types of requests we receive and how we handle each.

DMCA notices from US copyright holders

These arrive regularly. They have no force in our operating jurisdictions. We archive them for internal records and do not act on them. The complainant has the option to pursue their claim through the local court of the jurisdiction where the server sits, which they almost never do because the cost of bringing a Panama copyright case to defend a US movie studio is multiples of the value of doing so. Section 512 of the DMCA is a US federal procedure (17 U.S.C. § 512) that simply does not apply to non-US providers.

Subpoenas from US courts

Evaluated carefully. We do not have a US legal entity for our hosting services. Our billing front-end has limited US exposure. Subpoenas that arrive at US payment processors we have used in the past produce information about transactions through that processor. They do not produce server logs, which live in jurisdictions outside US reach. The structure is deliberate.

Court orders from local jurisdictions

Honored. A Panama court order directed at our Panama legal entity is something we comply with. A Romanian court order against our Romanian datacenter operator is something we comply with through that datacenter operator. We do not evade local law. We operate within it. The selection of jurisdictions is such that local law tolerates more than mainstream Western law, but local law still applies.

Informal pressure from rights holders

Not honored. A polite email asking us to take down a customer's content because the requester is annoyed by it does not produce a takedown. A registered complaint without legal force does not produce a takedown. This is the part that distinguishes us from mainstream hosting, which routinely complies with informal pressure because it is cheaper than litigating each request.

Law enforcement requests for prohibited content

A request from any law enforcement agency, anywhere, regarding CSAM or active malware operations gets immediate cooperation. This is not a gray area for us. We do not host that content, and we actively assist its removal. The fact that we resist most takedown pressure does not extend to resisting law enforcement on these specific categories.

How to evaluate a bulletproof or offshore hosting provider

An operator looking at the segment should evaluate providers on several axes that are not typically covered in the comparison content available online. Most "Top 10 Bulletproof Hosts" articles rank providers by criteria that do not match operational reality. The actual evaluation is more specific.

1. Legal entity location

Where is the company that will receive your money actually incorporated? A provider advertising Netherlands hosting but billing through a US LLC is not actually DMCA-ignored at the payment layer. The first US subpoena will produce your customer information. A provider with a Bulgarian legal entity billing through a Bulgarian payment processor is structurally different even if the marketing says the same thing.

2. Server location and ownership

Where do the servers physically sit? Some "offshore" providers are reselling from US-based suppliers, which means the underlying datacenter operator can be compelled to act on US legal process regardless of what the reseller's marketing says. A provider with their own hardware in a colocated facility in their advertised jurisdiction is in a stronger position than a provider reselling slots on Hetzner.

3. Years of operation

The bulletproof segment has high churn. Many providers operate for a year or two, collect customers, and then either disappear or shift their model when pressure becomes uncomfortable. A provider that has been operating for five or more years through changing legal climates has demonstrated that their model is structurally sustainable. A provider that opened last year may not be operating in a year.

4. Acceptable use policy clarity

A provider that claims to host "anything" is either lying or operating criminal infrastructure. Both are bad signals. A provider with a clearly articulated acceptable use policy that explicitly excludes specific categories (CSAM, malware, fraud) is doing the work of distinguishing themselves from the criminal segment. This is the segment you want to work with if you are a legitimate operator.

5. Payment options without surprise compliance

Real Bitcoin acceptance should be through self-hosted BTCPay Server, not through a third-party processor. Real Monero acceptance should be through a self-hosted XMR node. Providers using third-party processors introduce KYC at the processor layer even when their own marketing says no-KYC. Ask specifically how they handle crypto payment infrastructure.

6. Network reputation

Check the provider's IP ranges against Spamhaus (Spamhaus IP lookup) and similar reputation databases. A provider whose IPs are heavily blacklisted will not work for email infrastructure. The blacklist status tells you what kind of customer base the provider actually has, regardless of what their marketing says.

Typical use cases for legitimate offshore hosting

When we look at what actually gets hosted on the legitimate offshore segment, the use cases cluster into five recognizable categories.

Journalism and political speech

Reporters covering powerful subjects, especially in countries with weak press freedoms, need infrastructure that does not fold under informal pressure. The category includes whistleblower publication, opposition political content, and investigative reporting on organized crime or government corruption. DMCA notices are sometimes used as a tool against journalism, where a powerful subject files spurious copyright claims to silence reporting.

Adult content under legal jurisdictions

The legal status of adult content varies widely across jurisdictions. The Netherlands, Czech Republic, Hungary, and several others have well-established legal frameworks for adult content production and distribution. The United States is more restrictive in some ways and more permissive in others. A US-targeted DMCA notice against a Netherlands-hosted adult site is typically commercial pressure rather than genuine copyright enforcement.

Software, cryptocurrency, and security research

Open-source projects that include reverse-engineered components. Security research tools that vendors consider infringing. Cryptocurrency-related infrastructure that payment processors and US-based hosts have been pressured to remove. The legitimacy of the underlying content is usually defensible, but the legal cost of defending it from a US position is prohibitive.

Email infrastructure for legitimate senders

Cold outreach agencies, newsletter publishers, transactional senders, ESP resellers. These operators need infrastructure that supports volume email sending. Most bulletproof providers do not offer this because their IP ranges are too damaged. Legitimate offshore providers can offer it with proper IP hygiene and deliverability practice. This is our primary focus.

Privacy-grade general operations

Businesses that operate with privacy as a default rather than a response to a specific threat. They use Tor by default, use end-to-end encrypted messaging by default, and prefer offshore infrastructure for the same reasons they use other privacy tools. This category overlaps with crypto-paying customers significantly.

The email infrastructure angle most BPH providers cannot serve

Most bulletproof and DMCA-ignored providers do not run email-grade infrastructure. They run web hosting. Their IP ranges are typically not suitable for sending email at scale: bad reverse DNS, blocked port 25 outbound, lack of dedicated IP options, no FBL setup, no deliverability practice. The reasons are operational and historical.

IP reputation is a property that accumulates over years. Spamhaus and similar reputation services maintain memory of past abuse. A provider whose IPs were used for spam in 2018 still has reputation damage in 2026 even if the actual abuse stopped years ago. Most criminal bulletproof providers have heavily damaged IP ranges because the actual abuse on their networks shows up in the reputation systems.

Email-grade infrastructure requires clean IP space, properly maintained network reputation, custom rDNS per customer, port 25 open outbound, FBL relationships with major mailbox providers, and the operational practice to keep all of this working. Per Spamhaus, the major mailbox providers consume their reputation data, which means providers whose IPs are listed effectively cannot deliver mail to Gmail, Microsoft, Yahoo, and similar.

Our IP acquisition process is deliberate. When we add new IPv4 space to our infrastructure, we audit its history through Spamhaus' MAPS database and similar tools to identify any past abuse. Where an abuse window still needs to clear, we delay activation of the IP, sometimes by 60-90 days. We do not assign IPs with recent damage to customers until we have rehabilitated their reputation through controlled use.
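As an added example (not ASH's own tooling or code from this page), here is a pre-activation audit of a candidate IP in the spirit of the network-reputation check in evaluation point 6 and the IP acquisition process above: it builds the Spamhaus ZEN DNSBL query name, decodes the documented ZEN return codes, treats ZEN's 127.255.255.x error answers as failed queries rather than listings, and verifies forward-confirmed rDNS. DNS resolution is injected and the IPs, PTR names and ZEN answers are constructed sample data in the 203.0.113.0/24 documentation range, so the block runs offline; a real deployment would plug in an actual resolver.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Spamhaus ZEN return codes as publicly documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source or spam operation",
    "127.0.0.3": "SBL CSS: snowshoe spam source",
    "127.0.0.4": "XBL CBL: exploited or compromised host",
    "127.0.0.9": "SBL DROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-maintained end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
}

@dataclass
class AuditResult:
    ip: str
    listings: List[str] = field(default_factory=list)      # decoded ZEN hits
    query_errors: List[str] = field(default_factory=list)  # ZEN 127.255.255.x answers
    ptr: Optional[str] = None
    fcrdns_ok: bool = False

    @property
    def email_grade(self) -> bool:
        # Fail closed: clean ZEN answer, nothing listed, and PTR resolving back to the IP.
        return not self.listings and not self.query_errors and self.fcrdns_ok

def zen_query_name(ip: str) -> str:
    """DNSBL query name: octets reversed, under zen.spamhaus.org (IPv4 only here)."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and malformed input
    return ".".join(reversed(str(addr).split("."))) + ".zen.spamhaus.org"

def audit_ip(ip: str, resolve_a: Callable[[str], List[str]],
             resolve_ptr: Callable[[str], Optional[str]]) -> AuditResult:
    """resolve_a(name) -> A records ([] on NXDOMAIN); resolve_ptr(ip) -> PTR name or None."""
    result = AuditResult(ip=ip)
    for code in resolve_a(zen_query_name(ip)):
        if code.startswith("127.255.255."):
            # Error codes (open resolver, rate limit, ...) are not listings; retry later.
            result.query_errors.append(code)
        else:
            result.listings.append(ZEN_CODES.get(code, f"unknown ZEN code {code}"))
    result.ptr = resolve_ptr(ip)
    if result.ptr:
        # Forward-confirmed rDNS: the PTR hostname must have an A record for this IP.
        result.fcrdns_ok = ip in resolve_a(result.ptr)
    return result

# Constructed sample DNS data (hypothetical, TEST-NET-3 range) standing in for real lookups.
SAMPLE_A: Dict[str, List[str]] = {
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # listed on SBL and PBL
    "40.113.0.203.zen.spamhaus.org": ["127.255.255.254"],          # ZEN error, not a listing
    "mail.example.net": ["203.0.113.10"],
    "mx1.example.org": ["203.0.113.20"],
    "generic.hosting.example": ["203.0.113.99"],                   # PTR does not confirm
    "mx2.example.org": ["203.0.113.40"],
}
SAMPLE_PTR: Dict[str, str] = {
    "203.0.113.10": "mail.example.net", "203.0.113.20": "mx1.example.org",
    "203.0.113.30": "generic.hosting.example", "203.0.113.40": "mx2.example.org",
}

def audit_sample() -> Dict[str, AuditResult]:
    return {ip: audit_ip(ip, lambda n: SAMPLE_A.get(n, []), SAMPLE_PTR.get)
            for ip in SAMPLE_PTR}
```

Calling audit_sample() shows only 203.0.113.20 passing; the 203.0.113.40 case illustrates why a ZEN error answer must be held for re-query rather than read as a clean result.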

What we tell customers who specifically ask about bulletproof

When a customer specifically asks whether we are bulletproof, the conversation goes a specific direction. We explain that the term has accumulated criminal associations and ask what they need it for. The answer tells us whether we can help.

The customer who answers "I need to send a lot of email and SendGrid terminated my account" is a customer we can serve. They do not need bulletproof. They need offshore email infrastructure with proper deliverability practice, which is what we do.

The customer who answers "I need to host content that the US government is upset about" is a customer we can potentially serve, depending on what the content is. Journalism naming public figures: yes. Political speech under any government: yes. Whistleblower documents: yes, with operational care because the threat model is non-trivial.

The customer who answers "I need to run a phishing operation" or "I need to host stolen credit cards" or "I need a place where I can host malware C2" gets declined. We do not host that. We do not have a fallback host to recommend.

The customer who answers "I just want privacy and crypto payment" is a customer we can serve without the bulletproof framing at all. They want no-KYC. They want crypto. They want minimal data exposure. We do all of this without any bulletproof marketing because the framing is unnecessary for what they actually need.

Related operational reading

Several adjacent topics on our site go into operational detail that complements this overview: